Cyber Resilience

CVE-2026-31699

HighUpdated

Published: 01 May 2026

Published
01 May 2026
Modified
01 June 2026
KEV Added
Patch
CVSS Score v3.1 7.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
EPSS Score 0.0001 3.6th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-31699 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Linux Linux Kernel. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 3.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-11 (Error Handling) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-31699 is a vulnerability in the Linux kernel's crypto CCP (Common Cryptography Processor) module, specifically within the SEV (Secure Encrypted Virtualization) device driver in drivers/crypto/ccp/sev-dev.c. The issue arises when retrieving the PEK (Platform Encryption Key) CSR from the PSP (Platform Security Processor) firmware: the kernel attempts to copy the CSR blob to userspace even if the firmware command fails, such as due to an invalid length provided by userspace. This leads to a slab-out-of-bounds access during copy_to_user, as detected by KASAN, potentially overflowing the kernel-allocated buffer and leaking sensitive kernel data.

A local attacker with low privileges (PR:L) can exploit this vulnerability by issuing an ioctl call, such as SEV_IOCTL_DO_PEK_CSR, with a userspace buffer and length that is too small. If the PSP command fails due to the invalid length, the kernel still copies the full firmware-required size (e.g., 2084 bytes as seen in the KASAN report), resulting in an out-of-bounds read from kernel memory. This achieves high confidentiality impact (C:H) through data leakage to userspace and high availability impact (A:H) via potential kernel crashes, with no integrity impact or scope change (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H).

The referenced kernel stable patches mitigate the issue by preventing the copy_to_user operation if the PSP firmware command fails and adding a WARN_ON for cases where the driver reports success despite a firmware error code, ensuring __sev_do_cmd_locked() properly returns -EIO on firmware errors. Affected systems should apply commits such as 111dcc6d0f01, 3b4fd8f15765, 59e9ae81f867, 607ba280f2ad, and abe4a6d6f606 from the Linux kernel stable tree.

The vulnerability was identified via syzkaller fuzzing (task syz.9.219) on a development kernel (7.0.0-smp-DEV) running on Google Arcadia hardware, with no reports of real-world exploitation.

EU & UK References

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved: crypto: ccp: Don't attempt to copy CSR to userspace if PSP command failed When retrieving the PEK CSR, don't attempt to copy the blob to userspace if the firmware command…

more

failed. If the failure was due to an invalid length, i.e. the userspace buffer+length was too small, copying the number of bytes _firmware_ requires will overflow the kernel-allocated buffer and leak data to userspace. BUG: KASAN: slab-out-of-bounds in instrument_copy_to_user ../include/linux/instrumented.h:129 [inline] BUG: KASAN: slab-out-of-bounds in _inline_copy_to_user ../include/linux/uaccess.h:205 [inline] BUG: KASAN: slab-out-of-bounds in _copy_to_user+0x66/0xa0 ../lib/usercopy.c:26 Read of size 2084 at addr ffff898144612e20 by task syz.9.219/21405 CPU: 14 UID: 0 PID: 21405 Comm: syz.9.219 Tainted: G U O 7.0.0-smp-DEV #28 PREEMPTLAZY Tainted: [U]=USER, [O]=OOT_MODULE Hardware name: Google, Inc. Arcadia_IT_80/Arcadia_IT_80, BIOS 12.62.0-0 11/19/2025 Call Trace: <TASK> dump_stack_lvl+0xc5/0x110 ../lib/dump_stack.c:120 print_address_description ../mm/kasan/report.c:378 [inline] print_report+0xbc/0x260 ../mm/kasan/report.c:482 kasan_report+0xa2/0xe0 ../mm/kasan/report.c:595 check_region_inline ../mm/kasan/generic.c:-1 [inline] kasan_check_range+0x264/0x2c0 ../mm/kasan/generic.c:200 instrument_copy_to_user ../include/linux/instrumented.h:129 [inline] _inline_copy_to_user ../include/linux/uaccess.h:205 [inline] _copy_to_user+0x66/0xa0 ../lib/usercopy.c:26 copy_to_user ../include/linux/uaccess.h:236 [inline] sev_ioctl_do_pek_csr+0x31f/0x590 ../drivers/crypto/ccp/sev-dev.c:1872 sev_ioctl+0x3a4/0x490 ../drivers/crypto/ccp/sev-dev.c:2562 vfs_ioctl ../fs/ioctl.c:51 [inline] __do_sys_ioctl ../fs/ioctl.c:597 [inline] __se_sys_ioctl+0x11d/0x1b0 ../fs/ioctl.c:583 do_syscall_x64 ../arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xe0/0x800 ../arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x76/0x7e </TASK> WARN if the driver says the command succeeded, but the firmware error code says otherwise, as __sev_do_cmd_locked() is expected to return -EIO on any firwmware error.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1212 Exploitation for Credential Access Credential Access
Adversaries may exploit software vulnerabilities in an attempt to collect credentials.
Why these techniques?

Local low-priv ioctl exploit in SEV driver enables kernel memory disclosure (C:H) for credential/sensitive data access and kernel crashes (A:H); directly maps to exploitation for privilege escalation via info leaks and exploitation for credential access.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-51729Same product: Linux Linux Kernel
CVE-2026-31407Same product: Linux Linux Kernel
CVE-2025-71137Same product: Linux Linux Kernel
CVE-2026-31772Same product: Linux Linux Kernel
CVE-2026-23378Same product: Linux Linux Kernel
CVE-2026-31494Same product: Linux Linux Kernel
CVE-2025-21735Same product: Linux Linux Kernel
CVE-2025-21650Same product: Linux Linux Kernel
CVE-2024-52319Same product: Linux Linux Kernel
CVE-2024-58003Same product: Linux Linux Kernel

Affected Assets

linux
linux kernel
7.1 · 4.16 — 6.6.136 · 6.7 — 6.12.84 · 6.13 — 6.18.25

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly addresses the vulnerability by requiring proper error handling after PSP firmware command failures to prevent slab-out-of-bounds copy_to_user operations that leak kernel data.

prevent

Mandates validation of userspace ioctl input lengths to avoid triggering firmware failures that lead to erroneous buffer copy attempts.

prevent

Implements memory safeguards to protect kernel slabs from out-of-bounds reads during oversized copy_to_user calls, mitigating data leakage.

References