CVE-2026-31470
Description
In the Linux kernel, the following vulnerability has been resolved:
virt: tdx-guest: Fix handling of host controlled 'quote' buffer length
Validate host controlled value quote_buf->out_len that determines how many bytes of the quote are copied out to guest userspace. In TDX environments with remote attestation, quotes are not considered private, and can be forwarded to an attestation server.
Catch scenarios where the host specifies a response length larger than the guest's allocation, or otherwise races modifying the response while the guest consumes it.
This prevents contents beyond the pages allocated for quote_buf (up to TSM_REPORT_OUTBLOB_MAX) from being read out to guest userspace, and possibly forwarded in attestation requests.
Recall that some deployments want per-container configfs-tsm-report interfaces, so the leak may cross container protection boundaries, not just local root.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A high-severity vulnerability in the Linux kernel's TDX guest driver allows a malicious host to leak kernel memory to guest userspace via an unchecked quote buffer length.
Vulnerability Description
CVE-2026-31470 is a flaw in the Linux kernel's TDX (Trust Domain Extensions) guest driver for remote attestation. The vulnerability lies in the handling of the quote_buf->out_len field provided by the host. The driver failed to validate that the host-controlled output length does not exceed the buffer allocated by the guest. This allows a malicious host to specify a larger length, causing the kernel to copy out-of-bounds memory into the userspace buffer for the quote [1][2][3][4].
Exploitation Conditions
The attack surface is limited to TDX guest environments where remote attestation is used. The attacker must be in control of the host, which is a privileged position in cloud or virtualized deployments. No authentication is required from the guest side; the host supplies the crafted length value during the attestation quote generation process. The faulty code path is triggered when the guest reads the quote result from the TDX module and passes it to userspace without validating the host-provided size [3][4].
Impact
If exploited, an attacker controlling the host can read kernel memory from the guest, specifically the contents beyond the allocated quote_buf pages (up to TSM_REPORT_OUTBLOB_MAX). This leaked memory could include sensitive data such as encryption keys, secrets, or other guest kernel data. In deployments with per-container configfs-tsm-report interfaces, the leak may cross container boundaries, exposing data from different containers to userspace, potentially compromising isolation between containers [2][4].
Mitigation
The fix has been included in the Linux kernel stable tree. The patches [1][2][3][4] add proper validation of quote_buf->out_len against the actual allocation size before copying the quote to userspace. System administrators should apply the updated kernel version and reboot. No workarounds are available; the vulnerability is resolved by updating to a patched kernel.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
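The length validation described above, as a userspace C model added here for illustration (it is not the kernel patch and not code from this page). Only `quote_buf` and `out_len` come from the page; the struct layout, the 8 KiB `QUOTE_BUF_SIZE` and the function names are assumptions. It fetches the host-controlled length once, bounds it against the guest's allocation, and copies into private memory before anything consumes the quote.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define QUOTE_BUF_SIZE 8192u   /* assumed size of the guest's shared allocation */

/* Modeled shared buffer: the host may rewrite any field at any time. */
struct quote_buf {
    uint64_t version;
    uint64_t status;
    uint32_t in_len;
    uint32_t out_len;          /* host-controlled response length */
    uint8_t  data[];
};

/*
 * Copy the quote into a private buffer. Returns bytes copied, or -1.
 * out_len is fetched exactly once through a volatile pointer, so the
 * value that is checked is the value that is used (no double fetch).
 */
long copy_quote_checked(const struct quote_buf *shared, uint8_t **out)
{
    uint32_t len = *(const volatile uint32_t *)&shared->out_len;
    size_t max = QUOTE_BUF_SIZE - offsetof(struct quote_buf, data);

    if (len == 0 || len > max)
        return -1;             /* host claims more than was allocated */
    *out = malloc(len);
    if (!*out)
        return -1;
    memcpy(*out, shared->data, len);   /* private snapshot for later use */
    return (long)len;
}

/* Constructed input: a zeroed buffer whose out_len is set by the "host". */
int demo(uint32_t host_len)
{
    struct quote_buf *b = calloc(1, QUOTE_BUF_SIZE);
    uint8_t *copy = NULL;
    if (!b)
        return -2;
    b->out_len = host_len;
    long n = copy_quote_checked(b, &copy);
    free(copy);
    free(b);
    return n < 0 ? -1 : (int)n;
}

int main(void) { return (demo(1024) == 1024 && demo(QUOTE_BUF_SIZE) == -1) ? 0 : 1; }
```
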
Affected products
- (no CPE)
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* range: >=6.7,<6.12.80
- cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
References: 4
News mentions: 0