CVE-2026-31697

Source
https://cve.org/CVERecord?id=CVE-2026-31697
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31697.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-31697
Downstream
Related
Published
2026-05-01T13:55:58.184Z
Modified
2026-05-18T05:59:54.025201858Z
Severity
  • 7.1 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Summary
crypto: ccp: Don't attempt to copy ID to userspace if PSP command failed
Details

In the Linux kernel, the following vulnerability has been resolved:

crypto: ccp: Don't attempt to copy ID to userspace if PSP command failed

When retrieving the ID for the CPU, don't attempt to copy the ID blob to userspace if the firmware command failed. If the failure was due to an invalid length, i.e. the userspace buffer+length was too small, copying the number of bytes firmware requires will overflow the kernel-allocated buffer and leak data to userspace.

BUG: KASAN: slab-out-of-bounds in instrument_copy_to_user ../include/linux/instrumented.h:129 [inline]
BUG: KASAN: slab-out-of-bounds in _inline_copy_to_user ../include/linux/uaccess.h:205 [inline]
BUG: KASAN: slab-out-of-bounds in _copy_to_user+0x66/0xa0 ../lib/usercopy.c:26
Read of size 64 at addr ffff8881867f5960 by task syz.0.906/24388

CPU: 130 UID: 0 PID: 24388 Comm: syz.0.906 Tainted: G U O 7.0.0-smp-DEV #28 PREEMPT_LAZY
Tainted: [U]=USER, [O]=OOT_MODULE
Hardware name: Google, Inc. ArcadiaIT80/ArcadiaIT80, BIOS 12.62.0-0 11/19/2025
Call Trace:
 <TASK>
 dump_stack_lvl+0xc5/0x110 ../lib/dump_stack.c:120
 print_address_description ../mm/kasan/report.c:378 [inline]
 print_report+0xbc/0x260 ../mm/kasan/report.c:482
 kasan_report+0xa2/0xe0 ../mm/kasan/report.c:595
 check_region_inline ../mm/kasan/generic.c:-1 [inline]
 kasan_check_range+0x264/0x2c0 ../mm/kasan/generic.c:200
 instrument_copy_to_user ../include/linux/instrumented.h:129 [inline]
 _inline_copy_to_user ../include/linux/uaccess.h:205 [inline]
 _copy_to_user+0x66/0xa0 ../lib/usercopy.c:26
 copy_to_user ../include/linux/uaccess.h:236 [inline]
 sev_ioctl_do_get_id2+0x361/0x490 ../drivers/crypto/ccp/sev-dev.c:2222
 sev_ioctl+0x25f/0x490 ../drivers/crypto/ccp/sev-dev.c:2575
 vfs_ioctl ../fs/ioctl.c:51 [inline]
 __do_sys_ioctl ../fs/ioctl.c:597 [inline]
 __se_sys_ioctl+0x11d/0x1b0 ../fs/ioctl.c:583
 do_syscall_x64 ../arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xe0/0x800 ../arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x76/0x7e
 </TASK>

WARN if the driver says the command succeeded, but the firmware error code says otherwise, as __sev_do_cmd_locked() is expected to return -EIO on any firmware error.
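
A userspace C model of the length handling described above, added here as an illustration; it is not the kernel's code or the upstream patch. The names fw_get_id, get_id, FW_ID_LEN and FW_ERR_INVALID_LEN and the 64-byte ID size are assumptions, and the model reports how many bytes the copy-out would read past the caller-sized allocation instead of performing the read.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FW_ID_LEN 64u          /* assumed: ID blob size the mock firmware requires */
#define FW_ERR_INVALID_LEN 1   /* assumed: mock firmware status for a short buffer */
struct result { int ret; unsigned copied; unsigned overread; };

/* Mock PSP command: always writes back the ID length, fails on a short buffer. */
static int fw_get_id(unsigned char *buf, unsigned *len, int *fw_err)
{
    unsigned given = *len;
    *len = FW_ID_LEN;
    *fw_err = given < FW_ID_LEN ? FW_ERR_INVALID_LEN : 0;
    if (*fw_err)
        return -EIO;
    memset(buf, 0xA5, FW_ID_LEN);
    return 0;
}

/* Model of the ioctl path: check_ret=0 is the pre-fix flow, 1 the fixed flow. */
static struct result get_id(unsigned user_len, int check_ret)
{
    struct result r = { 0, 0, 0 };
    unsigned len = user_len;                 /* overwritten by the firmware */
    int fw_err = 0;
    unsigned char *blob = calloc(1, user_len ? user_len : 1); /* sized by caller */
    if (!blob) { r.ret = -ENOMEM; return r; }
    r.ret = fw_get_id(blob, &len, &fw_err);
    if (r.ret == 0 && fw_err)                /* analogue of the WARN in the fix */
        fprintf(stderr, "WARN: success returned with firmware error %d\n", fw_err);
    if (check_ret && r.ret)                  /* fixed flow: no copy after failure */
        goto out;
    r.copied = len;                          /* length the copy-out would use */
    if (len > user_len)                      /* bytes read past the allocation */
        r.overread = len - user_len;
out:
    free(blob);
    return r;
}

int main(void)
{
    struct result a = get_id(16, 0), b = get_id(16, 1);
    printf("pre-fix: ret=%d copied=%u overread=%u\n", a.ret, a.copied, a.overread);
    printf("fixed:   ret=%d copied=%u overread=%u\n", b.ret, b.copied, b.overread);
    return 0;
}
```

With a 16-byte request, the pre-fix flow uses the firmware-reported length for the copy and overruns the allocation, while the fixed flow returns the error without copying.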

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31697.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
d6112ea0cb344d6f5ed519991e24f69ba4b43d0e
Fixed
09427bcb1715fb20a80b6acd5156dbf15ab5c363
Fixed
1fbac0429a42adec830491757a2b53956dd797ea
Fixed
2937f17bbeefb8e7608ff1f78cffbeb3d0281e5e
Fixed
06f06d88c05ce176c61fff8c72c372847b0dd2b5
Fixed
4f685dbfa87c546e51d9dc6cab379d20f275e114

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31697.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.2.0
Fixed
6.6.136
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.84
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.25
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
7.0.2

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31697.json"