Cyber Posture

CVE-2026-31699

High

Published: 01 May 2026

Modified: 06 May 2026
CVSS Score: 7.1 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H)
EPSS Score: 0.0001 (2.4th percentile)
Risk Priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-31699 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in the Linux kernel. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE is ranked at the 2.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-11 (Error Handling) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent: Directly addresses the vulnerability by requiring proper error handling after PSP firmware command failures to prevent slab-out-of-bounds copy_to_user operations that leak kernel data.

prevent: Mandates validation of userspace ioctl input lengths to avoid triggering firmware failures that lead to erroneous buffer copy attempts.

prevent: Implements memory safeguards to protect kernel slabs from out-of-bounds reads during oversized copy_to_user calls, mitigating data leakage.

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

T1212 Exploitation for Credential Access (tactic: Credential Access)
Adversaries may exploit software vulnerabilities in an attempt to collect credentials.

Why these techniques?

A local, low-privileged ioctl call into the SEV driver yields kernel memory disclosure (C:H), which can expose credentials or other sensitive data, and kernel crashes (A:H); this maps directly to exploitation for privilege escalation (via the information leak) and to exploitation for credential access.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

In the Linux kernel, the following vulnerability has been resolved: crypto: ccp: Don't attempt to copy CSR to userspace if PSP command failed

When retrieving the PEK CSR, don't attempt to copy the blob to userspace if the firmware command failed. If the failure was due to an invalid length, i.e. the userspace buffer+length was too small, copying the number of bytes _firmware_ requires will overflow the kernel-allocated buffer and leak data to userspace.

    BUG: KASAN: slab-out-of-bounds in instrument_copy_to_user ../include/linux/instrumented.h:129 [inline]
    BUG: KASAN: slab-out-of-bounds in _inline_copy_to_user ../include/linux/uaccess.h:205 [inline]
    BUG: KASAN: slab-out-of-bounds in _copy_to_user+0x66/0xa0 ../lib/usercopy.c:26
    Read of size 2084 at addr ffff898144612e20 by task syz.9.219/21405
    CPU: 14 UID: 0 PID: 21405 Comm: syz.9.219 Tainted: G U O 7.0.0-smp-DEV #28 PREEMPTLAZY
    Tainted: [U]=USER, [O]=OOT_MODULE
    Hardware name: Google, Inc. Arcadia_IT_80/Arcadia_IT_80, BIOS 12.62.0-0 11/19/2025
    Call Trace:
    <TASK>
    dump_stack_lvl+0xc5/0x110 ../lib/dump_stack.c:120
    print_address_description ../mm/kasan/report.c:378 [inline]
    print_report+0xbc/0x260 ../mm/kasan/report.c:482
    kasan_report+0xa2/0xe0 ../mm/kasan/report.c:595
    check_region_inline ../mm/kasan/generic.c:-1 [inline]
    kasan_check_range+0x264/0x2c0 ../mm/kasan/generic.c:200
    instrument_copy_to_user ../include/linux/instrumented.h:129 [inline]
    _inline_copy_to_user ../include/linux/uaccess.h:205 [inline]
    _copy_to_user+0x66/0xa0 ../lib/usercopy.c:26
    copy_to_user ../include/linux/uaccess.h:236 [inline]
    sev_ioctl_do_pek_csr+0x31f/0x590 ../drivers/crypto/ccp/sev-dev.c:1872
    sev_ioctl+0x3a4/0x490 ../drivers/crypto/ccp/sev-dev.c:2562
    vfs_ioctl ../fs/ioctl.c:51 [inline]
    __do_sys_ioctl ../fs/ioctl.c:597 [inline]
    __se_sys_ioctl+0x11d/0x1b0 ../fs/ioctl.c:583
    do_syscall_x64 ../arch/x86/entry/syscall_64.c:63 [inline]
    do_syscall_64+0xe0/0x800 ../arch/x86/entry/syscall_64.c:94
    entry_SYSCALL_64_after_hwframe+0x76/0x7e
    </TASK>

WARN if the driver says the command succeeded, but the firmware error code says otherwise, as __sev_do_cmd_locked() is expected to return -EIO on any firmware error.

Deeper analysis

CVE-2026-31699 is a vulnerability in the Linux kernel's crypto CCP (Common Cryptography Processor) module, specifically within the SEV (Secure Encrypted Virtualization) device driver in drivers/crypto/ccp/sev-dev.c. The issue arises when retrieving the PEK (Platform Encryption Key) CSR from the PSP (Platform Security Processor) firmware: the kernel attempts to copy the CSR blob to userspace even if the firmware command fails, such as due to an invalid length provided by userspace. This leads to a slab-out-of-bounds access during copy_to_user, as detected by KASAN, potentially overflowing the kernel-allocated buffer and leaking sensitive kernel data.

A local attacker with low privileges (PR:L) can exploit this vulnerability by issuing an ioctl call, such as SEV_IOCTL_DO_PEK_CSR, with a userspace buffer and length that is too small. If the PSP command fails due to the invalid length, the kernel still copies the full firmware-required size (e.g., 2084 bytes as seen in the KASAN report), resulting in an out-of-bounds read from kernel memory. This achieves high confidentiality impact (C:H) through data leakage to userspace and high availability impact (A:H) via potential kernel crashes, with no integrity impact or scope change (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H).

The referenced kernel stable patches mitigate the issue by preventing the copy_to_user operation if the PSP firmware command fails and adding a WARN_ON for cases where the driver reports success despite a firmware error code, ensuring __sev_do_cmd_locked() properly returns -EIO on firmware errors. Affected systems should apply commits such as 111dcc6d0f01, 3b4fd8f15765, 59e9ae81f867, 607ba280f2ad, and abe4a6d6f606 from the Linux kernel stable tree.
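The ordering defect described above, as an added userspace simulation written for this page (it is not the kernel's sev-dev.c and not the patch itself): the firmware command, the copy_to_user stand-in and the 2084-byte required length are constructed mocks, and the handler can run with the defective ordering or with the fix applied.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed: the required CSR length matches "Read of size 2084" in the
 * KASAN report quoted above. Nothing here is the kernel's own code. */
#define FW_CSR_LEN 2084u

/* Mock PSP PEK_CSR command: if the caller's buffer is too small, the
 * firmware writes back the length it needs and the command fails. */
static int mock_fw_pek_csr(uint32_t *length)
{
    if (*length < FW_CSR_LEN) {
        *length = FW_CSR_LEN;
        return -EIO;
    }
    return 0;
}

/* Stand-in for copy_to_user: reports whether the copy would read past
 * the kernel allocation instead of actually doing so. 1 = out of bounds. */
static int mock_copy_to_user(size_t kbuf_len, size_t n)
{
    return n > kbuf_len;
}

/* Simulated handler. check_fw_first = 0 keeps the defective ordering
 * (copy even when the firmware command failed); 1 applies the fix.
 * Returns 1 if the copy would be out of bounds, 0 otherwise. */
int pek_csr_handler(uint32_t user_len, int check_fw_first)
{
    size_t kbuf_len = user_len;      /* kernel blob sized from the user-supplied length */
    uint32_t length = user_len;
    int ret = mock_fw_pek_csr(&length);

    if (check_fw_first && ret != 0)
        return 0;                    /* fixed path: return the error, copy nothing */
    /* 'length' now holds the firmware's requirement, not the allocation size */
    return mock_copy_to_user(kbuf_len, length);
}

int main(void)
{
    printf("vulnerable, 16-byte buffer: oob=%d\n", pek_csr_handler(16, 0));  /* 1 */
    printf("fixed, 16-byte buffer:      oob=%d\n", pek_csr_handler(16, 1));  /* 0 */
    return 0;
}
```

The same check is what a KASAN build flags at runtime; the fix makes the error return happen before any copy so the firmware-updated length never reaches copy_to_user.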

The vulnerability was identified via syzkaller fuzzing (task syz.9.219) on a development kernel (7.0.0-smp-DEV) running on Google Arcadia hardware, with no reports of real-world exploitation.

Details

CWE(s): CWE-787 (Out-of-bounds Write)

Affected Products

linux / linux kernel
Affected versions: 7.1 · 4.16 — 6.6.136 · 6.7 — 6.12.84 · 6.13 — 6.18.25

CVEs Like This One

CVE-2024-51729 (same product: Linux kernel)
CVE-2026-31743 (same product: Linux kernel)
CVE-2025-21735 (same product: Linux kernel)
CVE-2025-71137 (same product: Linux kernel)
CVE-2026-23073 (same product: Linux kernel)
CVE-2025-21734 (same product: Linux kernel)
CVE-2025-21724 (same product: Linux kernel)
CVE-2025-71155 (same product: Linux kernel)
CVE-2024-54456 (same product: Linux kernel)
CVE-2026-23343 (same product: Linux kernel)
