CVE-2026-31698
- Source
- https://cve.org/CVERecord?id=CVE-2026-31698
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31698.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2026-31698
- Downstream
- Related
- Published
- 2026-05-01T13:55:58.854Z
- Modified
- 2026-05-18T05:59:54.337051278Z
- Severity
-
- 7.1 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H CVSS Calculator
- Summary
- crypto: ccp: Don't attempt to copy PDH cert to userspace if PSP command failed
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
crypto: ccp: Don't attempt to copy PDH cert to userspace if PSP command failed
When retrieving the PDH cert, don't attempt to copy the blobs to userspace if the firmware command failed. If the failure was due to an invalid length, i.e. the userspace buffer+length was too small, copying the number of bytes firmware requires will overflow the kernel-allocated buffer and leak data to userspace.
BUG: KASAN: slab-out-of-bounds in instrumentcopytouser ../include/linux/instrumented.h:129 [inline] BUG: KASAN: slab-out-of-bounds in inlinecopytouser ../include/linux/uaccess.h:205 [inline] BUG: KASAN: slab-out-of-bounds in copytouser+0x66/0xa0 ../lib/usercopy.c:26 Read of size 2084 at addr ffff8885c4ab8aa0 by task syz.0.186/21033
CPU: 51 UID: 0 PID: 21033 Comm: syz.0.186 Tainted: G U O 7.0.0-smp-DEV #28 PREEMPTLAZY Tainted: [U]=USER, [O]=OOTMODULE Hardware name: Google, Inc. ArcadiaIT80/ArcadiaIT80, BIOS 34.84.12-0 11/17/2025 Call Trace: <TASK> dumpstacklvl+0xc5/0x110 ../lib/dumpstack.c:120 printaddressdescription ../mm/kasan/report.c:378 [inline] printreport+0xbc/0x260 ../mm/kasan/report.c:482 kasanreport+0xa2/0xe0 ../mm/kasan/report.c:595 checkregioninline ../mm/kasan/generic.c:-1 [inline] kasancheckrange+0x264/0x2c0 ../mm/kasan/generic.c:200 instrumentcopytouser ../include/linux/instrumented.h:129 [inline] inlinecopytouser ../include/linux/uaccess.h:205 [inline] copytouser+0x66/0xa0 ../lib/usercopy.c:26 copytouser ../include/linux/uaccess.h:236 [inline] sevioctldopdhexport+0x3d3/0x7c0 ../drivers/crypto/ccp/sev-dev.c:2347 sevioctl+0x2a2/0x490 ../drivers/crypto/ccp/sev-dev.c:2568 vfsioctl ../fs/ioctl.c:51 [inline] __dosysioctl ../fs/ioctl.c:597 [inline] __sesysioctl+0x11d/0x1b0 ../fs/ioctl.c:583 dosyscallx64 ../arch/x86/entry/syscall64.c:63 [inline] dosyscall64+0xe0/0x800 ../arch/x86/entry/syscall64.c:94 entrySYSCALL64afterhwframe+0x76/0x7e </TASK>
WARN if the driver says the command succeeded, but the firmware error code says otherwise, as _sevdocmdlocked() is expected to return -EIO on any firwmware error.
- Database specific
{ "cna_assigner": "Linux", "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31698.json" }- References
-
- https://git.kernel.org/stable/c/051e51aa55fd4cdc3e8283cf4476aeeb5f563274
- https://git.kernel.org/stable/c/50808c13452dae43a2c90b1bbbf9daa16501ce70
- https://git.kernel.org/stable/c/78b97e43d0b3e674d9d49ae56937b11e2ba3fcaf
- https://git.kernel.org/stable/c/b5c14bd4da1f376f385722fe1da993f1edab6472
- https://git.kernel.org/stable/c/e76239fed3cffd6d304d8ca3ce23984fd24f57d3
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31698.json
- https://nvd.nist.gov/vuln/detail/CVE-2026-31698
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced76a2b524a4b1d6dc0f2421f9854a01d55d5e5436Fixedb5c14bd4da1f376f385722fe1da993f1edab6472Fixed78b97e43d0b3e674d9d49ae56937b11e2ba3fcafFixed051e51aa55fd4cdc3e8283cf4476aeeb5f563274Fixed50808c13452dae43a2c90b1bbbf9daa16501ce70Fixede76239fed3cffd6d304d8ca3ce23984fd24f57d3