High severity (8.8) · NVD Advisory · Published Apr 24, 2026 · Updated Apr 27, 2026

CVE-2026-31553

Description

In the Linux kernel, the following vulnerability has been resolved:

KVM: arm64: Fix the descriptor address in __kvm_at_swap_desc()

Using "(u64 __user *)hva + offset" to get the virtual addresses of S1/S2 descriptors looks really wrong, if offset is not zero. What we want to get for swapping is hva + offset, not hva + offset*8. ;-)

Fix it.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A pointer arithmetic error in KVM arm64's __kvm_at_swap_desc() causes incorrect descriptor address calculation, potentially leading to memory corruption or privilege escalation.

Vulnerability

Description

In the Linux kernel's KVM for arm64, the function __kvm_at_swap_desc() contains a pointer arithmetic bug when computing the address of stage-1 (S1) and stage-2 (S2) page table descriptors. The code uses (u64 __user *)hva + offset, which adds offset multiplied by the size of u64 (8 bytes) due to C pointer arithmetic, instead of the intended byte offset hva + offset. This results in accessing memory at an incorrect location, potentially corrupting page table entries or reading from unintended addresses.
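The scaling described above can be reproduced in user space. The following is an added example, not kernel code and not the upstream patch: the names `desc_addr_buggy`, `desc_addr_fixed`, `modified_index` and the constructed `table` buffer are assumptions, and the kernel's `__user` annotation is omitted because it has no meaning outside the kernel build.

```c
#include <stdint.h>
#include <stdio.h>

typedef uint64_t u64;

#define NDESC 64
static u64 table[NDESC];   /* constructed stand-in for a page of descriptors */

/* Pattern from the advisory: cast first, then add. The compiler scales
 * offset by sizeof(u64), so a byte offset is applied eight times over. */
static uintptr_t desc_addr_buggy(uintptr_t hva, u64 offset)
{
    return (uintptr_t)((u64 *)hva + offset);
}

/* Intended computation: add the byte offset, then treat the result as a
 * descriptor pointer (one way to express "hva + offset"). */
static uintptr_t desc_addr_fixed(uintptr_t hva, u64 offset)
{
    return (uintptr_t)(u64 *)(hva + offset);
}

/* Store through the computed address and report which descriptor changed.
 * The guard keeps even the mis-scaled address inside the sample buffer. */
static int modified_index(int use_fixed, u64 offset)
{
    uintptr_t hva = (uintptr_t)table;

    if (offset % sizeof(u64) || offset >= NDESC)
        return -1;
    for (int i = 0; i < NDESC; i++)
        table[i] = (u64)i;                 /* known contents */

    u64 *ptep = (u64 *)(use_fixed ? desc_addr_fixed(hva, offset)
                                  : desc_addr_buggy(hva, offset));
    *ptep = ~0ULL;                         /* stand-in for the swap's store */

    for (int i = 0; i < NDESC; i++)
        if (table[i] != (u64)i)
            return i;
    return -1;
}

int main(void)
{
    u64 offset = 24;                       /* byte offset of descriptor 3 */
    printf("fixed writes descriptor %d\n", modified_index(1, offset));
    printf("buggy writes descriptor %d\n", modified_index(0, offset));
    return 0;
}
```

With a byte offset of 24 the intended target is descriptor 3, while the cast-then-add form lands on descriptor 24; at offset 0 the two agree, which is why the commit message singles out the non-zero case.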

Exploitation

The vulnerability resides in the KVM subsystem, which requires elevated privileges (typically root or CAP_SYS_ADMIN) to create and manage virtual machines. An attacker with such access could trigger the bug during descriptor swapping operations, which occur when the hypervisor updates page table mappings. The exact attack surface depends on the ability to control the offset parameter, which may be influenced by guest-controlled data in certain scenarios.

Impact

Successful exploitation could lead to memory corruption within the host kernel, potentially causing denial of service (system crash) or, in more severe cases, privilege escalation from a guest VM to the host. The CVSS v3 score of 8.8 reflects high impacts on confidentiality, integrity, and availability.

Mitigation

The fix has been applied in the Linux kernel stable branches via commits [1] and [2]. Users should update their kernel to a version containing these patches. Distributions have likely backported the fix; administrators are advised to apply the latest security updates.

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • Linux/Kernel (9 versions)
    • cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (range: >=6.19.1,<6.19.11)
    • cpe:2.3:o:linux:linux_kernel:6.19:-:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*

References

2