CVE-2026-31698
Description
In the Linux kernel, the following vulnerability has been resolved:
crypto: ccp: Don't attempt to copy PDH cert to userspace if PSP command failed
When retrieving the PDH cert, don't attempt to copy the blobs to userspace if the firmware command failed. If the failure was due to an invalid length, i.e. the userspace buffer+length was too small, copying the number of bytes _firmware_ requires will overflow the kernel-allocated buffer and leak data to userspace.
BUG: KASAN: slab-out-of-bounds in instrument_copy_to_user ../include/linux/instrumented.h:129 [inline]
BUG: KASAN: slab-out-of-bounds in _inline_copy_to_user ../include/linux/uaccess.h:205 [inline]
BUG: KASAN: slab-out-of-bounds in _copy_to_user+0x66/0xa0 ../lib/usercopy.c:26
Read of size 2084 at addr ffff8885c4ab8aa0 by task syz.0.186/21033

CPU: 51 UID: 0 PID: 21033 Comm: syz.0.186 Tainted: G U O 7.0.0-smp-DEV #28 PREEMPTLAZY
Tainted: [U]=USER, [O]=OOT_MODULE
Hardware name: Google, Inc. Arcadia_IT_80/Arcadia_IT_80, BIOS 34.84.12-0 11/17/2025
Call Trace:
 <TASK>
 dump_stack_lvl+0xc5/0x110 ../lib/dump_stack.c:120
 print_address_description ../mm/kasan/report.c:378 [inline]
 print_report+0xbc/0x260 ../mm/kasan/report.c:482
 kasan_report+0xa2/0xe0 ../mm/kasan/report.c:595
 check_region_inline ../mm/kasan/generic.c:-1 [inline]
 kasan_check_range+0x264/0x2c0 ../mm/kasan/generic.c:200
 instrument_copy_to_user ../include/linux/instrumented.h:129 [inline]
 _inline_copy_to_user ../include/linux/uaccess.h:205 [inline]
 _copy_to_user+0x66/0xa0 ../lib/usercopy.c:26
 copy_to_user ../include/linux/uaccess.h:236 [inline]
 sev_ioctl_do_pdh_export+0x3d3/0x7c0 ../drivers/crypto/ccp/sev-dev.c:2347
 sev_ioctl+0x2a2/0x490 ../drivers/crypto/ccp/sev-dev.c:2568
 vfs_ioctl ../fs/ioctl.c:51 [inline]
 __do_sys_ioctl ../fs/ioctl.c:597 [inline]
 __se_sys_ioctl+0x11d/0x1b0 ../fs/ioctl.c:583
 do_syscall_x64 ../arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xe0/0x800 ../arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x76/0x7e
 </TASK>
WARN if the driver says the command succeeded, but the firmware error code says otherwise, as __sev_do_cmd_locked() is expected to return -EIO on any firmware error.
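As an added illustration (this is not the kernel's sev-dev.c code, and every name, status value and size below is a hypothetical stand-in), the following user-space C model reproduces the shape of the bug and of the fix described above: the simulated firmware reports the length it needs even when the command fails, the vulnerable path copies that many bytes out of a shorter kernel buffer, and the fixed path returns before touching userspace and also flags the inconsistent case where the command status says success while the firmware error code says failure.

```c
/* Added example, not the kernel's sev-dev.c: a user-space model of the
 * "copy after failed PSP command" bug class. All names are hypothetical. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FW_SUCCESS     0
#define FW_INVALID_LEN 1      /* constructed status value, not the PSP's real one */
#define CERT_LEN       4096   /* constructed size of the PDH cert blob */

/* Command block shared with the (simulated) firmware. */
struct pdh_cmd {
    uint8_t *buf;       /* kernel-allocated destination for the blob */
    uint32_t buf_len;   /* how many bytes the kernel allocated */
    uint32_t cert_len;  /* firmware writes the length it needs/wrote here */
    uint32_t fw_error;  /* firmware status code */
};

typedef int (*fw_fn)(struct pdh_cmd *);

/* Simulated firmware: fails with an invalid-length status when the buffer is
 * too small, but still reports the length it requires. */
static int fw_pdh_export(struct pdh_cmd *cmd)
{
    cmd->cert_len = CERT_LEN;
    if (cmd->buf_len < CERT_LEN) {
        cmd->fw_error = FW_INVALID_LEN;
        return -EIO;    /* __sev_do_cmd_locked() convention: -EIO on fw error */
    }
    memset(cmd->buf, 0xAB, CERT_LEN);
    cmd->fw_error = FW_SUCCESS;
    return 0;
}

/* Misbehaving firmware path: reports success while fw_error says failure.
 * Exists only to exercise the WARN check of the fix. */
static int fw_pdh_export_inconsistent(struct pdh_cmd *cmd)
{
    cmd->cert_len = CERT_LEN;
    cmd->fw_error = FW_INVALID_LEN;
    return 0;
}

/* copy_to_user() stand-in with a KASAN-like check: instead of reading past
 * the kernel buffer it records the out-of-bounds access and refuses. */
static int checked_copy_to_user(uint8_t *user, const struct pdh_cmd *cmd,
                                uint32_t len, int *oob)
{
    if (len > cmd->buf_len) {
        *oob = 1;       /* this is the slab-out-of-bounds read */
        return -1;
    }
    memcpy(user, cmd->buf, len);
    return 0;
}

static uint8_t kbuf[CERT_LEN];  /* stands in for the allocated blob buffer */

/* Vulnerable shape: copies cmd.cert_len bytes whether or not the command
 * succeeded. With a short buffer, cert_len exceeds buf_len. */
static int pdh_export_vulnerable(fw_fn fw, uint8_t *user, uint32_t user_len,
                                 int *oob)
{
    struct pdh_cmd cmd = { kbuf, user_len, 0, 0 };
    int ret = fw(&cmd);
    *oob = 0;
    checked_copy_to_user(user, &cmd, cmd.cert_len, oob);
    return ret;
}

/* Fixed shape: bail out on any failure before touching userspace, and treat
 * "success" with a non-zero firmware error as a failure (plus a WARN). */
static int pdh_export_fixed(fw_fn fw, uint8_t *user, uint32_t user_len,
                            int *oob, int *warned)
{
    struct pdh_cmd cmd = { kbuf, user_len, 0, 0 };
    int ret = fw(&cmd);
    *oob = 0;
    *warned = 0;
    if (!ret && cmd.fw_error != FW_SUCCESS) {
        *warned = 1;    /* WARN_ON_ONCE() in the driver */
        ret = -EIO;
    }
    if (ret)
        return ret;     /* userspace learns only that the command failed */
    checked_copy_to_user(user, &cmd, cmd.cert_len, oob);
    return 0;
}

int main(void)
{
    uint8_t user[CERT_LEN];
    int oob, warned, ret;

    ret = pdh_export_vulnerable(fw_pdh_export, user, 1024, &oob);
    printf("vulnerable: ret=%d oob=%d\n", ret, oob);
    ret = pdh_export_fixed(fw_pdh_export, user, 1024, &oob, &warned);
    printf("fixed:      ret=%d oob=%d warned=%d\n", ret, oob, warned);
    return 0;
}
```

Run with a 1024-byte buffer, the vulnerable variant returns -EIO yet still attempts a 4096-byte copy (the model records it as an out-of-bounds read); the fixed variant returns -EIO without copying, and retrying with a full-size buffer succeeds.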
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A missing error check in the Linux kernel's CCP driver can cause a slab-out-of-bounds read when copying PDH certificate data to userspace after a PSP firmware command fails.
Vulnerability
Analysis
CVE-2026-31698 is a vulnerability in the Linux kernel's cryptographic coprocessor (CCP) driver. The root cause is a missing error check in the sev_ioctl_do_pdh_export function. When the Platform Security Processor (PSP) firmware command to retrieve the PDH certificate fails, the driver still attempts to copy the certificate data to userspace. If the failure is due to an invalid length (e.g., the userspace buffer is too small), the driver copies the number of bytes reported by the firmware, which can exceed the kernel-allocated buffer size, leading to a slab-out-of-bounds read [1][2][3][4].
Exploitation
An attacker with local access and the ability to issue SEV ioctl calls to the /dev/sev device can trigger this vulnerability. The attack surface is the SEV_PDH_CERT_EXPORT ioctl command. No special privileges beyond the ability to open the device file are required, as the driver does not properly validate the return status of the PSP firmware command before performing the copy to userspace [1][2][3][4].
Impact
A successful exploit can lead to a kernel slab-out-of-bounds read, which may allow an attacker to leak sensitive kernel memory to userspace. The KASAN report in the description shows a 2084-byte read that runs past the end of the allocated buffer. This information disclosure could be used to bypass kernel protections like KASLR or to gather data for further exploitation [1][2][3][4].
Mitigation
The fix has been applied to the Linux kernel stable tree in commits [1], [2], [3], and [4]. Users should update to a kernel version containing these patches. The fix ensures that the copy to userspace is only performed if the PSP firmware command succeeds, preventing the out-of-bounds read.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 5
Patches: 0 (no patches discovered yet)
News mentions: 1
- Patch Tuesday - May 2026, Rapid7 Blog, May 13, 2026