VYPR
Medium severity 5.5 · NVD Advisory · Published Apr 24, 2026 · Updated Apr 29, 2026

CVE-2026-31593

Description

In the Linux kernel, the following vulnerability has been resolved:

KVM: SEV: Reject attempts to sync VMSA of an already-launched/encrypted vCPU

Reject synchronizing vCPU state to its associated VMSA if the vCPU has already been launched, i.e. if the VMSA has already been encrypted. On a host with SNP enabled, accessing guest-private memory generates an RMP #PF and panics the host.

  BUG: unable to handle page fault for address: ff1276cbfdf36000
  #PF: supervisor write access in kernel mode
  #PF: error_code(0x80000003) - RMP violation
  PGD 5a31801067 P4D 5a31802067 PUD 40ccfb5063 PMD 40e5954063 PTE 80000040fdf36163
  SEV-SNP: PFN 0x40fdf36, RMP entry: [0x6010fffffffff001 - 0x000000000000001f]
  Oops: Oops: 0003 [#1] SMP NOPTI
  CPU: 33 UID: 0 PID: 996180 Comm: qemu-system-x86 Tainted: G OE
  Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
  Hardware name: Dell Inc. PowerEdge R7625/0H1TJT, BIOS 1.5.8 07/21/2023
  RIP: 0010:sev_es_sync_vmsa+0x54/0x4c0 [kvm_amd]
  Call Trace:
   snp_launch_update_vmsa+0x19d/0x290 [kvm_amd]
   snp_launch_finish+0xb6/0x380 [kvm_amd]
   sev_mem_enc_ioctl+0x14e/0x720 [kvm_amd]
   kvm_arch_vm_ioctl+0x837/0xcf0 [kvm]
   kvm_vm_ioctl+0x3fd/0xcc0 [kvm]
   __x64_sys_ioctl+0xa3/0x100
   x64_sys_call+0xfe0/0x2350
   do_syscall_64+0x81/0x10f0
   entry_SYSCALL_64_after_hwframe+0x76/0x7e
  RIP: 0033:0x7ffff673287d

Note, the KVM flaw has been present since commit ad73109ae7ec ("KVM: SVM: Provide support to launch and run an SEV-ES guest"), but has only been actively dangerous for the host since SNP support was added. With SEV-ES, KVM would "just" clobber guest state, which is totally fine from a host kernel perspective since userspace can clobber guest state any time before sev_launch_update_vmsa().
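
The guard described above, as an added user-space model in C; it is not the kernel patch or any code from the kernel tree. All names (model_vcpu, model_sync_vmsa, the check flag) are hypothetical, and the RMP fault that panics a real SNP host is modelled here as a counted -EFAULT.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* User-space model only: all names are hypothetical, not kernel code. */
enum page_owner { OWNER_HOST, OWNER_GUEST };   /* stand-in for the RMP entry */

struct model_vcpu {
    unsigned char vmsa[64];       /* stand-in for the VMSA page */
    enum page_owner vmsa_owner;   /* becomes guest-owned once encrypted */
    bool state_protected;         /* set once the vCPU has been launched */
    unsigned long rax;            /* one piece of host-visible vCPU state */
};

static int rmp_faults;            /* writes that SNP hardware would fault on */

/* Copy vCPU state into the VMSA; check=false models the pre-fix behaviour. */
static int model_sync_vmsa(struct model_vcpu *v, bool check)
{
    if (check && v->state_protected)
        return -EINVAL;           /* post-fix: VMSA already encrypted, refuse */
    if (v->vmsa_owner == OWNER_GUEST) {
        rmp_faults++;             /* host write to guest-private page: RMP #PF */
        return -EFAULT;           /* a real SNP host panics at this point */
    }
    memcpy(v->vmsa, &v->rax, sizeof(v->rax));
    return 0;
}

/* Sync state, then mark the VMSA encrypted and the vCPU launched. */
static int model_launch_update_vmsa(struct model_vcpu *v, bool check)
{
    int ret = model_sync_vmsa(v, check);
    if (ret)
        return ret;
    v->vmsa_owner = OWNER_GUEST;
    v->state_protected = true;
    return 0;
}

int main(void)
{
    struct model_vcpu v = { .rax = 1 };   /* constructed sample vCPU */
    model_launch_update_vmsa(&v, true);
    int again = model_launch_update_vmsa(&v, true);
    printf("second launch update: %d, modelled RMP faults: %d\n", again, rmp_faults);
    return 0;
}
```

With check set to false the second launch update reaches the write and the fault counter increments; with the check in place the request is rejected before any access to the encrypted page.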

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A missing check in KVM SEV allows synchronizing VMSA state after launch, causing an RMP violation panic on SNP hosts.

Vulnerability

CVE-2026-31593 is a flaw in the Linux kernel's KVM subsystem for AMD SEV-ES/SNP guests. The root cause is that the sev_es_sync_vmsa() function does not verify whether the vCPU has already been launched (i.e., its VMSA encrypted) before synchronizing state. On hosts with SNP enabled, writing to guest-private memory triggers an RMP violation, leading to a kernel panic with an Oops trace [1].

Exploitation

An attacker with sufficient privileges to issue KVM ioctls (e.g., a QEMU process) can trigger the bug through the ioctl path that reaches snp_launch_finish() and snp_launch_update_vmsa() (see the call trace above) after the vCPU has been launched. The attack requires local access to the hypervisor and the ability to control guest launch sequences. No special authentication beyond the usual KVM access is needed [1].

Impact

Successful exploitation causes a host kernel panic (denial of service). The crash trace shows a supervisor write access RMP violation at sev_es_sync_vmsa+0x54. While the bug has existed since SEV-ES support was added (commit ad73109ae7ec), it only became dangerous with SNP, where accessing guest-private memory panics the host rather than merely corrupting guest state [1].

Mitigation

The fix is included in Linux kernel stable updates. Patches are available at the referenced kernel.org commits [1][2][3][4]. Administrators should apply the latest kernel updates for their distribution. No workaround is documented; the vulnerability is patched by rejecting VMSA sync on already-launched vCPUs.

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1
  • cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
    Range: >=6.11,<6.12.83


References

5
