VYPR
High severity · 7.1 · NVD Advisory · Published May 1, 2026 · Updated May 6, 2026

CVE-2026-31699

Description

In the Linux kernel, the following vulnerability has been resolved:

crypto: ccp: Don't attempt to copy CSR to userspace if PSP command failed

When retrieving the PEK CSR, don't attempt to copy the blob to userspace if the firmware command failed. If the failure was due to an invalid length, i.e. the userspace buffer+length was too small, copying the number of bytes _firmware_ requires will overflow the kernel-allocated buffer and leak data to userspace.

BUG: KASAN: slab-out-of-bounds in instrument_copy_to_user ../include/linux/instrumented.h:129 [inline]
BUG: KASAN: slab-out-of-bounds in _inline_copy_to_user ../include/linux/uaccess.h:205 [inline]
BUG: KASAN: slab-out-of-bounds in _copy_to_user+0x66/0xa0 ../lib/usercopy.c:26
Read of size 2084 at addr ffff898144612e20 by task syz.9.219/21405

CPU: 14 UID: 0 PID: 21405 Comm: syz.9.219 Tainted: G U O 7.0.0-smp-DEV #28 PREEMPTLAZY
Tainted: [U]=USER, [O]=OOT_MODULE
Hardware name: Google, Inc. Arcadia_IT_80/Arcadia_IT_80, BIOS 12.62.0-0 11/19/2025
Call Trace:
 <TASK>
 dump_stack_lvl+0xc5/0x110 ../lib/dump_stack.c:120
 print_address_description ../mm/kasan/report.c:378 [inline]
 print_report+0xbc/0x260 ../mm/kasan/report.c:482
 kasan_report+0xa2/0xe0 ../mm/kasan/report.c:595
 check_region_inline ../mm/kasan/generic.c:-1 [inline]
 kasan_check_range+0x264/0x2c0 ../mm/kasan/generic.c:200
 instrument_copy_to_user ../include/linux/instrumented.h:129 [inline]
 _inline_copy_to_user ../include/linux/uaccess.h:205 [inline]
 _copy_to_user+0x66/0xa0 ../lib/usercopy.c:26
 copy_to_user ../include/linux/uaccess.h:236 [inline]
 sev_ioctl_do_pek_csr+0x31f/0x590 ../drivers/crypto/ccp/sev-dev.c:1872
 sev_ioctl+0x3a4/0x490 ../drivers/crypto/ccp/sev-dev.c:2562
 vfs_ioctl ../fs/ioctl.c:51 [inline]
 __do_sys_ioctl ../fs/ioctl.c:597 [inline]
 __se_sys_ioctl+0x11d/0x1b0 ../fs/ioctl.c:583
 do_syscall_x64 ../arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xe0/0x800 ../arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x76/0x7e
 </TASK>

WARN if the driver says the command succeeded, but the firmware error code says otherwise, as __sev_do_cmd_locked() is expected to return -EIO on any firmware error.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In the Linux kernel's CCP driver, a missing check of the PSP firmware command's result lets a failed PEK CSR request proceed to copy_to_user(), causing a slab-out-of-bounds read that leaks kernel memory to userspace.

Vulnerability

In the Linux kernel's drivers/crypto/ccp/sev-dev.c, sev_ioctl_do_pek_csr allocates a kernel buffer of the length userspace supplied, asks the PSP firmware to write the PEK CSR blob into it, and then copies the result back to the user buffer. The bug is that the copy is not conditioned on the firmware command having succeeded. When the command fails because the supplied length was too small, the firmware reports back the length it actually requires, and the driver copies that many bytes out of the smaller kernel buffer. The copy reads past the end of the allocation (a slab-out-of-bounds read) and returns the excess bytes to userspace [1][2].

Exploitation

An attacker needs local access and the ability to open /dev/sev and issue the SEV_PEK_CSR command through the SEV ioctl interface. Supplying a user buffer whose length is smaller than the CSR makes the firmware command fail with an invalid-length error; the driver nevertheless copies the firmware-required length, which exceeds the kernel buffer it allocated, producing the KASAN-detected out-of-bounds read shown above [1][2]. Because the /dev/sev node is normally accessible only to privileged users, exploitation typically requires root or CAP_SYS_ADMIN privileges.

Impact

Successful exploitation reads past the end of a kernel-allocated slab buffer and returns the out-of-bounds bytes to userspace. What leaks is whatever happens to occupy the adjacent slab memory, which could include cryptographic material, process credentials, or other confidential kernel data. In the KASAN report above, the driver issued a 2084-byte read starting at a buffer that was smaller than that [1].

Mitigation

The fix checks the return value of the PSP firmware command and only copies the CSR to userspace when the command succeeded; it also adds a WARN for the inconsistent case where the driver reports success but the firmware error code indicates failure, since __sev_do_cmd_locked() is expected to return -EIO on any firmware error. The patch has been applied to the Linux kernel stable branches [1][2][3][4]; users should update to a kernel that includes it. There is no workaround other than restricting access to the /dev/sev device.
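The Vulnerability and Mitigation sections above describe the same two code paths: the original driver copies the firmware-reported length regardless of the command's outcome, and the patched driver copies nothing when the command failed. The following is an added user-space model of that difference, not code from drivers/crypto/ccp/sev-dev.c or from the kernel patch. The PSP firmware is replaced by a mock, the struct and constant names (pek_csr_cmd, MOCK_CSR_LEN, MOCK_FW_INVALID_LEN) are assumptions, and the copy_to_user() step is modelled by returning the byte count that would be copied, so the out-of-bounds read is detected arithmetically rather than actually performed.

```c
/*
 * Constructed model of the sev_ioctl_do_pek_csr() bug and its fix.
 * Added example, not kernel code: the firmware is mocked and the
 * user copy is reported as a byte count instead of being performed.
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed: the size the mock firmware insists on; 2084 matches the KASAN read size. */
#define MOCK_CSR_LEN 2084u
/* Assumed (hypothetical) firmware status code for "buffer too small". */
#define MOCK_FW_INVALID_LEN 0x03

/* Shape of the command block: where the blob goes and how long it is. */
struct pek_csr_cmd {
    uint8_t *address;   /* kernel-allocated blob */
    uint32_t len;       /* in: blob size; out: length firmware requires or wrote */
};

/* Mock PSP command. On a too-small buffer it reports the required length in
 * cmd->len and fails; the driver wrapper is expected to turn that into -EIO. */
static int mock_sev_do_cmd(struct pek_csr_cmd *cmd, int *fw_err)
{
    if (cmd->len < MOCK_CSR_LEN) {
        cmd->len = MOCK_CSR_LEN;
        *fw_err = MOCK_FW_INVALID_LEN;
        return -EIO;
    }
    memset(cmd->address, 'A', MOCK_CSR_LEN);   /* stand-in for the CSR bytes */
    cmd->len = MOCK_CSR_LEN;
    *fw_err = 0;
    return 0;
}

struct csr_result {
    int rc;                /* return code handed back to the ioctl caller */
    uint32_t reported_len; /* length written back to the user struct */
    size_t blob_len;       /* size of the kernel allocation */
    size_t bytes_copied;   /* bytes the driver would copy_to_user() */
    int oob;               /* 1 if that copy would read past the blob */
    int warn;              /* 1 if rc == 0 but the firmware reported an error */
};

/* fixed == 0 models the original driver, fixed == 1 the patched one. */
static struct csr_result run_pek_csr(uint32_t user_len, int fixed)
{
    struct csr_result r = {0};
    int fw_err = 0;
    uint8_t *blob = calloc(1, user_len ? user_len : 1);  /* kzalloc(input.length) */
    struct pek_csr_cmd cmd = { .address = blob, .len = user_len };

    r.blob_len = user_len;
    r.rc = mock_sev_do_cmd(&cmd, &fw_err);
    r.reported_len = cmd.len;                 /* userspace learns the size it needs */
    r.warn = (r.rc == 0 && fw_err != 0);      /* the inconsistency the patch WARNs on */

    if (fixed && r.rc != 0) {
        /* Patched behaviour: the command failed, so nothing is copied. */
        free(blob);
        return r;
    }
    /* Original behaviour: copy cmd.len bytes from a blob of only user_len bytes. */
    r.bytes_copied = cmd.len;
    r.oob = r.bytes_copied > r.blob_len;     /* the slab-out-of-bounds read KASAN flagged */
    free(blob);
    return r;
}

int main(void)
{
    struct csr_result bad = run_pek_csr(64, 0);
    struct csr_result good = run_pek_csr(64, 1);
    printf("unpatched: rc=%d copy=%zu of %zu blob bytes, oob=%d\n",
           bad.rc, bad.bytes_copied, bad.blob_len, bad.oob);
    printf("patched:   rc=%d copy=%zu, required length reported=%u, oob=%d\n",
           good.rc, good.bytes_copied, good.reported_len, good.oob);
    return 0;
}
```

Running it with a 64-byte user buffer shows the unpatched path attempting a 2084-byte copy out of a 64-byte allocation, while the patched path returns -EIO, copies nothing, and still hands the required length back so userspace can retry with a correctly sized buffer.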

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

4
  • Linux/Kernel (inferred), 4 versions
    • (no CPE)
    • cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*range: >=4.16,<6.6.136
    • cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.1:rc2:*:*:*:*:*:*

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

News mentions

1