CVE-2026-31591
Description
In the Linux kernel, the following vulnerability has been resolved:
KVM: SEV: Lock all vCPUs when synchronizing VMSAs for SNP launch finish
Lock all vCPUs when synchronizing and encrypting VMSAs for SNP guests, as allowing userspace to manipulate and/or run a vCPU while its state is being synchronized would at best corrupt vCPU state, and at worst crash the host kernel.
Opportunistically assert that vcpu->mutex is held when synchronizing its VMSA (the SEV-ES path already locks vCPUs).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A race condition in KVM SEV SNP launch finish allowed concurrent vCPU access during VMSA synchronization, potentially corrupting state or crashing the host kernel.
Vulnerability
CVE-2026-31591 describes a race condition in the Linux kernel's KVM subsystem, specifically during the Secure Encrypted Virtualization (SEV) Secure Nested Paging (SNP) launch finish process. The vulnerability occurs because the kernel did not lock all vCPUs when synchronizing and encrypting Virtual Machine Save Areas (VMSAs) for SNP guests. Without proper locking, userspace could manipulate or run a vCPU while its state was being synchronized, leading to corruption of vCPU state or a host kernel crash [1][2].
Exploitation
An attacker with sufficient privileges to interact with the KVM device (e.g., root or a user with KVM permissions) could exploit this race condition by concurrently accessing a vCPU during the VMSA synchronization phase. The attack requires local access to the host and the ability to launch or manage SNP guests. No network-based exploitation is described; the prerequisite is control over a vCPU's lifecycle during the launch finish operation [3].
Impact
Successful exploitation could at best corrupt the vCPU state, leading to unpredictable guest behavior. At worst, it could crash the host kernel, resulting in a denial of service for all virtual machines on the host. The description explicitly states that allowing userspace to manipulate a vCPU during synchronization "would at best corrupt vCPU state, and at worst crash the host kernel" [4].
Mitigation
The fix, committed to the Linux kernel stable tree, ensures that all vCPUs are locked before synchronizing and encrypting VMSAs for SNP guests. Additionally, an assertion was added to verify that vcpu->mutex is held during VMSA synchronization. Users should apply the latest stable kernel updates to remediate this vulnerability [1][2][3][4].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
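The locking rule from the Mitigation section, as a userspace C model added here (not the kernel patch or any code from the referenced commits): every vCPU lock is taken before any VMSA is synchronized, and the sync step refuses to run on an unlocked vCPU. The struct and function names, the trylock-with-rollback behaviour and the -EBUSY/-EPERM return codes are assumptions of the model.

```c
/* Userspace model of the locking rule, NOT kernel code; names are hypothetical. */
#include <errno.h>
#include <stdatomic.h>
#include <stdbool.h>
#define NR_VCPUS 4
struct vcpu {
    atomic_bool mutex;  /* stands in for vcpu->mutex: true while held */
    bool vmsa_synced;   /* set once the save area has been synchronized */
};
struct vm { struct vcpu vcpus[NR_VCPUS]; };
static bool vcpu_trylock(struct vcpu *v)
{
    bool expected = false;
    return atomic_compare_exchange_strong(&v->mutex, &expected, true);
}
static void vcpu_unlock(struct vcpu *v) { atomic_store(&v->mutex, false); }

/* Models the added assertion (simplified: checks held, not held-by-caller). */
static int sync_vmsa(struct vcpu *v)
{
    if (!atomic_load(&v->mutex))
        return -EPERM;
    v->vmsa_synced = true;
    return 0;
}
/* All-or-nothing; trylock (an assumption) keeps the model single-threaded. */
static int lock_all_vcpus(struct vm *vm)
{
    for (int i = 0; i < NR_VCPUS; i++) {
        if (vcpu_trylock(&vm->vcpus[i]))
            continue;
        while (i--)     /* release the locks already taken */
            vcpu_unlock(&vm->vcpus[i]);
        return -EBUSY;
    }
    return 0;
}

/* Launch finish: no VMSA is touched until every vCPU is locked. */
int launch_finish(struct vm *vm)
{
    int ret = lock_all_vcpus(vm);
    if (ret)
        return ret;
    for (int i = 0; !ret && i < NR_VCPUS; i++)
        ret = sync_vmsa(&vm->vcpus[i]);
    for (int i = 0; i < NR_VCPUS; i++)
        vcpu_unlock(&vm->vcpus[i]);
    return ret;
}
```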
Affected products: 2
Patches: 0. No patches discovered yet.
References: 4
News mentions: 0. No linked articles in our index yet.