CVE-2026-31590
Description
In the Linux kernel, the following vulnerability has been resolved:
KVM: SEV: Drop WARN on large size for KVM_MEMORY_ENCRYPT_REG_REGION
Drop the WARN in sev_pin_memory() on npages overflowing an int, as the WARN is comically trivial to trigger from userspace, e.g. by doing:
struct kvm_enc_region range = { .addr = 0, .size = -1ul, };
__vm_ioctl(vm, KVM_MEMORY_ENCRYPT_REG_REGION, &range);
Note, the checks in sev_mem_enc_register_region() that presumably exist to verify the incoming address+size are completely worthless, as both "addr" and "size" are u64s and SEV is 64-bit only, i.e. they _can't_ be greater than ULONG_MAX. That wart will be cleaned up in the near future.
if (range->addr > ULONG_MAX || range->size > ULONG_MAX) return -EINVAL;
Opportunistically add a comment to explain why the code calculates the number of pages the "hard" way, e.g. instead of just shifting @ulen.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A WARN_ON in KVM SEV's sev_pin_memory() is trivially triggerable by userspace: passing a huge size to the KVM_MEMORY_ENCRYPT_REG_REGION ioctl makes the computed page count (npages) exceed INT_MAX and fires a kernel warning.
Vulnerability
Analysis
CVE-2026-31590 is a vulnerability in the Linux kernel's KVM subsystem for AMD SEV (Secure Encrypted Virtualization). The issue lies in the sev_pin_memory() function, which contains a WARN_ON that checks if the number of pages (npages) overflows an int. This warning is trivially triggerable from userspace by passing a very large size value (e.g., -1ul) to the KVM_MEMORY_ENCRYPT_REG_REGION ioctl [1][2]. The existing input validation in sev_mem_enc_register_region() is ineffective because both addr and size are u64 and SEV is 64-bit only, so the checks against ULONG_MAX are always false [1].
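To make the page-count overflow and the dead ULONG_MAX check concrete, here is an added userspace model of the arithmetic. It is example code written for this page, not the kernel's own sev_pin_memory() or sev_mem_enc_register_region(); it mirrors the first/last-page calculation those functions perform on x86-64 (4 KiB pages) and assumes an LP64 host such as Linux x86-64, where unsigned long and u64 are both 64 bits. The function names (range_npages, naive_npages, passes_ulong_max_check, commit_trigger_npages) are this example's own.

```c
/*
 * Added example (not kernel code): model of how the SEV region-registration
 * path turns a (uaddr, ulen) pair into a page count, and why the commit's
 * trigger (addr = 0, size = -1ul) pushes that count past INT_MAX.
 * Assumes an LP64 host (unsigned long == 64 bits), like Linux x86-64.
 */
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT 12                    /* x86-64 base page: 4 KiB */
#define PAGE_SIZE  (1UL << PAGE_SHIFT)
#define PAGE_MASK  (~(PAGE_SIZE - 1))

/* Userspace view of the ioctl argument: two u64 fields, as in the uapi. */
struct kvm_enc_region {
    uint64_t addr;
    uint64_t size;
};

/*
 * Pages touched by [uaddr, uaddr + ulen): index of the first and last page,
 * inclusive. This is the "hard" way the commit message refers to: a range
 * need not start or end on a page boundary, so shifting ulen alone would
 * undercount. Returns 0 for an empty range or one that wraps the address space.
 */
static unsigned long range_npages(unsigned long uaddr, unsigned long ulen)
{
    unsigned long first, last;

    if (ulen == 0 || uaddr + ulen < uaddr)
        return 0;

    first = (uaddr & PAGE_MASK) >> PAGE_SHIFT;
    last  = ((uaddr + ulen - 1) & PAGE_MASK) >> PAGE_SHIFT;
    return last - first + 1;
}

/* The shortcut the comment warns against: ignores the offset within the page. */
static unsigned long naive_npages(unsigned long ulen)
{
    return ulen >> PAGE_SHIFT;
}

/* The condition the dropped WARN_ON_ONCE tested: does npages fit in an int? */
static bool npages_overflows_int(unsigned long npages)
{
    return npages > INT_MAX;
}

/*
 * The addr/size sanity check from sev_mem_enc_register_region(). With 64-bit
 * fields and a 64-bit unsigned long nothing can exceed ULONG_MAX, so this
 * always returns true: the check is dead code, as the commit message notes.
 */
static bool passes_ulong_max_check(const struct kvm_enc_region *r)
{
    return !(r->addr > ULONG_MAX || r->size > ULONG_MAX);
}

/* The commit's own trigger and the page count the kernel would derive from it. */
static unsigned long commit_trigger_npages(void)
{
    struct kvm_enc_region range = { .addr = 0, .size = -1ul };

    if (!passes_ulong_max_check(&range))
        return 0;                        /* never taken on 64-bit */
    return range_npages(range.addr, range.size);
}

int main(void)
{
    unsigned long n = commit_trigger_npages();

    printf("addr=0 size=-1ul -> npages=%lu (INT_MAX=%d) overflow=%d\n",
           n, INT_MAX, npages_overflows_int(n));
    /* Unaligned 2-byte range straddling a page boundary: 2 pages, not 0. */
    printf("uaddr=0xfff ulen=2 -> hard=%lu naive=%lu\n",
           range_npages(0xfff, 2), naive_npages(2));
    return 0;
}
```

Running it shows npages = 2^52 for the commit's trigger, far beyond INT_MAX, while the ULONG_MAX check accepts the request; it also shows why the byte range 0xfff..0x1000 spans two pages even though its length shifted by PAGE_SHIFT is zero.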
Exploitation
An attacker with access to the KVM device (e.g., a user permitted to create and manage VMs) can trigger the warning by issuing a KVM_MEMORY_ENCRYPT_REG_REGION ioctl whose size field makes the computed npages exceed INT_MAX. No privileges beyond the ability to interact with KVM are required, and no authentication is needed beyond standard VM management permissions [1]. The attack surface is local, as the ioctl is only reachable from within the host; because the request is handled by the SEV code path, in practice it also requires an SEV-capable host and a VM initialized as an SEV guest.
Impact
Triggering the WARN_ON causes a kernel warning message to be printed to the console and, if panic_on_warn is set, a kernel panic. The warning itself does not corrupt memory or allow code execution, but it can serve as a denial-of-service vector, especially in production environments where warnings are treated as critical events. The vulnerability has a CVSS v3 score of 5.5 (Medium), reflecting its local nature and limited impact [1].
Mitigation
The fix removes the problematic WARN_ON and adds a comment explaining the page calculation. The patch has been applied to the stable kernel trees [1][2][3][4]. Update to a kernel that contains the fix (commit 28cc13ca2043 or one of the stable backports listed under References). No workaround is available other than applying the patch.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (6)
- https://git.kernel.org/stable/c/1cba4dcd795daf6d257122779fb6a349edf03914 (NVD: Patch)
- https://git.kernel.org/stable/c/28cc13ca20431b127d42d84ba10898d03e2c8267 (NVD: Patch)
- https://git.kernel.org/stable/c/8acffeef5ef720c35e513e322ab08e32683f32f2 (NVD: Patch)
- https://git.kernel.org/stable/c/ab423e5892826202a660b5ac85d1125b0e8301a5 (NVD: Patch)
- https://git.kernel.org/stable/c/b670833749ffd8681361db2bb047c6f2e3075f3a (NVD: Patch)
- https://git.kernel.org/stable/c/c29ff288a2d97a6f4640a498a367cf0eb91312eb (NVD: Patch)
News mentions (0)
No linked articles in our index yet.