Cyber Posture

CVE-2026-31698

High

Published: 01 May 2026
Modified: 06 May 2026
KEV Added: not listed
Patch: upstream fix available (see Deeper analysis)
CVSS Score: 7.1 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H)
EPSS Score: 0.0001 (2.4th percentile)
Risk Priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-31698 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in the Linux kernel (vendor: Linux). Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). The CVE is ranked at the 2.4th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-11 (Error Handling) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Data from Local System (T1005) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent): Directly remediates the specific flaw in the Linux kernel CCP/SEV driver by applying patches that prevent copy_to_user after a PSP firmware failure, stopping the out-of-bounds access and data leakage.

SI-11 Error Handling (prevent): Requires kernel drivers to implement proper error handling, such as skipping copy_to_user operations when firmware commands fail due to invalid lengths, preventing slab-out-of-bounds reads and kernel memory leaks.

Input validation (prevent): Enforces validation of userspace ioctl inputs, such as buffer lengths, before they are processed in the SEV driver, reducing the risk of firmware command failures that lead to improper data copies.

MITRE ATT&CK Enterprise Techniques

T1005 Data from Local System (Collection): Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

T1068 Exploitation for Privilege Escalation (Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

T1499.004 Application or System Exploitation (Impact): Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Local, low-privilege ioctl access that triggers the kernel out-of-bounds read directly enables kernel memory disclosure (T1005), supports privilege-escalation chains that build on the information leak (T1068), and allows a system crash or denial of service through a crafted firmware-command failure (T1499.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

In the Linux kernel, the following vulnerability has been resolved:

crypto: ccp: Don't attempt to copy PDH cert to userspace if PSP command failed

When retrieving the PDH cert, don't attempt to copy the blobs to userspace if the firmware command failed. If the failure was due to an invalid length, i.e. the userspace buffer+length was too small, copying the number of bytes _firmware_ requires will overflow the kernel-allocated buffer and leak data to userspace.

    BUG: KASAN: slab-out-of-bounds in instrument_copy_to_user ../include/linux/instrumented.h:129 [inline]
    BUG: KASAN: slab-out-of-bounds in _inline_copy_to_user ../include/linux/uaccess.h:205 [inline]
    BUG: KASAN: slab-out-of-bounds in _copy_to_user+0x66/0xa0 ../lib/usercopy.c:26
    Read of size 2084 at addr ffff8885c4ab8aa0 by task syz.0.186/21033

    CPU: 51 UID: 0 PID: 21033 Comm: syz.0.186 Tainted: G U O 7.0.0-smp-DEV #28 PREEMPTLAZY
    Tainted: [U]=USER, [O]=OOT_MODULE
    Hardware name: Google, Inc. Arcadia_IT_80/Arcadia_IT_80, BIOS 34.84.12-0 11/17/2025
    Call Trace:
    <TASK>
    dump_stack_lvl+0xc5/0x110 ../lib/dump_stack.c:120
    print_address_description ../mm/kasan/report.c:378 [inline]
    print_report+0xbc/0x260 ../mm/kasan/report.c:482
    kasan_report+0xa2/0xe0 ../mm/kasan/report.c:595
    check_region_inline ../mm/kasan/generic.c:-1 [inline]
    kasan_check_range+0x264/0x2c0 ../mm/kasan/generic.c:200
    instrument_copy_to_user ../include/linux/instrumented.h:129 [inline]
    _inline_copy_to_user ../include/linux/uaccess.h:205 [inline]
    _copy_to_user+0x66/0xa0 ../lib/usercopy.c:26
    copy_to_user ../include/linux/uaccess.h:236 [inline]
    sev_ioctl_do_pdh_export+0x3d3/0x7c0 ../drivers/crypto/ccp/sev-dev.c:2347
    sev_ioctl+0x2a2/0x490 ../drivers/crypto/ccp/sev-dev.c:2568
    vfs_ioctl ../fs/ioctl.c:51 [inline]
    __do_sys_ioctl ../fs/ioctl.c:597 [inline]
    __se_sys_ioctl+0x11d/0x1b0 ../fs/ioctl.c:583
    do_syscall_x64 ../arch/x86/entry/syscall_64.c:63 [inline]
    do_syscall_64+0xe0/0x800 ../arch/x86/entry/syscall_64.c:94
    entry_SYSCALL_64_after_hwframe+0x76/0x7e
    </TASK>

WARN if the driver says the command succeeded, but the firmware error code says otherwise, as __sev_do_cmd_locked() is expected to return -EIO on any firmware error.

Deeper analysis

CVE-2026-31698 is a vulnerability in the Linux kernel's crypto CCP (Counter Crypto Processor) driver, specifically in the AMD SEV (Secure Encrypted Virtualization) device handling code in drivers/crypto/ccp/sev-dev.c. The issue arises during retrieval of the PDH (Platform Diffie-Hellman) certificate through the sev_ioctl_do_pdh_export ioctl path. If the PSP (Platform Security Processor) firmware command fails, for example because the userspace buffer is too small and the firmware reports an invalid length, the driver still attempts to copy the firmware-required number of bytes to userspace. Because the kernel buffer was allocated with the smaller userspace length, this results in a slab-out-of-bounds access, as detected by KASAN, and leaks kernel data.

A local attacker with low privileges (PR:L) can exploit this vulnerability with low attack complexity (AC:L) and no user interaction (UI:N) by issuing a specially crafted ioctl call to the SEV device. Successful exploitation triggers an out-of-bounds copy_to_user operation, leaking sensitive kernel memory (C:H) and potentially causing a denial of service via kernel crash or instability (A:H), as evidenced by the KASAN report showing a read of 2084 bytes beyond buffer bounds.

Mitigation involves applying upstream kernel patches from the provided stable commit references, such as 051e51aa55fd4cdc3e8283cf4476aeeb5f563274, which prevent the copy_to_user operation if the firmware command fails and add warnings for firmware error discrepancies. Systems running affected Linux kernel versions, including those with out-of-tree modules as noted in the taint flags, should update to incorporate these fixes.
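A user-space model of the bug and of the fix, added here as an illustration (it is neither kernel code nor the upstream patch): a mock firmware raises the length when the buffer is too small and reports failure, and an instrumented stand-in for copy_to_user reports the over-read that the vulnerable path performs and the fixed path avoids. The 2084-byte size is taken from the KASAN report; the error code, struct and function names are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed values: the mock firmware needs 2084 bytes (the size in the
 * KASAN report) and returns a made-up code when the buffer is too small. */
#define PDH_CERT_REQUIRED 2084u
#define FW_ERR_INVALID_LENGTH 1

struct export_result {
    int fw_err;            /* firmware status (0 = success) */
    uint32_t len_returned; /* length handed back so userspace can retry */
    bool oob_read;         /* a copy tried to read past the kernel buffer */
};

/* Mock PSP command: too-small buffer -> write back required length, fail. */
static int mock_fw_pdh_export(uint32_t *len)
{
    if (*len >= PDH_CERT_REQUIRED)
        return 0;
    *len = PDH_CERT_REQUIRED;
    return FW_ERR_INVALID_LENGTH;
}

/* Stand-in for copy_to_user(): refuses and reports a copy that would read
 * beyond the source allocation, which is where KASAN fired in the trace. */
static bool copy_to_user_checked(uint8_t *dst, const uint8_t *src, size_t n, size_t cap)
{
    if (n > cap)
        return false;
    memcpy(dst, src, n);
    return true;
}

/* Model of the export path: the kernel blob is sized by user_len. fixed=false
 * copies the firmware's length even after failure (the bug); fixed=true does not. */
static struct export_result pdh_export(uint32_t user_len, bool fixed)
{
    struct export_result r = { 0 };
    uint8_t *kbuf = calloc(user_len + 1u, 1);  /* kernel-side blob */
    uint8_t *ubuf = calloc(user_len + 1u, 1);  /* userspace destination */
    uint32_t len = user_len;
    r.fw_err = mock_fw_pdh_export(&len);        /* firmware may raise len */
    if (r.fw_err == 0 || !fixed)
        r.oob_read = !copy_to_user_checked(ubuf, kbuf, len, user_len);
    r.len_returned = len;  /* both paths still report the required length */
    free(kbuf); free(ubuf);
    return r;
}
```

Calling pdh_export(16, false) reports oob_read with len_returned 2084, while pdh_export(16, true) returns the same firmware error and length without the over-read; a large enough buffer succeeds on either path.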

Details

CWE(s): CWE-787 Out-of-bounds Write

Affected Products

Linux kernel (vendor: Linux), CVSS 7.1; affected version ranges: 4.16 to 6.6.136, 6.7 to 6.12.84, 6.13 to 6.18.25
