CVE-2026-31699
- Source
- https://cve.org/CVERecord?id=CVE-2026-31699
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31699.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2026-31699
- Downstream
- Related
- Published
- 2026-05-01T13:55:59.520Z
- Modified
- 2026-05-18T05:59:53.883323408Z
- Severity
-
- 7.1 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H CVSS Calculator
- Summary
- crypto: ccp: Don't attempt to copy CSR to userspace if PSP command failed
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
crypto: ccp: Don't attempt to copy CSR to userspace if PSP command failed
When retrieving the PEK CSR, don't attempt to copy the blob to userspace if the firmware command failed. If the failure was due to an invalid length, i.e. the userspace buffer+length was too small, copying the number of bytes firmware requires will overflow the kernel-allocated buffer and leak data to userspace.
BUG: KASAN: slab-out-of-bounds in instrumentcopytouser ../include/linux/instrumented.h:129 [inline] BUG: KASAN: slab-out-of-bounds in inlinecopytouser ../include/linux/uaccess.h:205 [inline] BUG: KASAN: slab-out-of-bounds in copytouser+0x66/0xa0 ../lib/usercopy.c:26 Read of size 2084 at addr ffff898144612e20 by task syz.9.219/21405
CPU: 14 UID: 0 PID: 21405 Comm: syz.9.219 Tainted: G U O 7.0.0-smp-DEV #28 PREEMPTLAZY Tainted: [U]=USER, [O]=OOTMODULE Hardware name: Google, Inc. ArcadiaIT80/ArcadiaIT80, BIOS 12.62.0-0 11/19/2025 Call Trace: <TASK> dumpstacklvl+0xc5/0x110 ../lib/dumpstack.c:120 printaddressdescription ../mm/kasan/report.c:378 [inline] printreport+0xbc/0x260 ../mm/kasan/report.c:482 kasanreport+0xa2/0xe0 ../mm/kasan/report.c:595 checkregioninline ../mm/kasan/generic.c:-1 [inline] kasancheckrange+0x264/0x2c0 ../mm/kasan/generic.c:200 instrumentcopytouser ../include/linux/instrumented.h:129 [inline] inlinecopytouser ../include/linux/uaccess.h:205 [inline] copytouser+0x66/0xa0 ../lib/usercopy.c:26 copytouser ../include/linux/uaccess.h:236 [inline] sevioctldopekcsr+0x31f/0x590 ../drivers/crypto/ccp/sev-dev.c:1872 sevioctl+0x3a4/0x490 ../drivers/crypto/ccp/sev-dev.c:2562 vfsioctl ../fs/ioctl.c:51 [inline] __dosysioctl ../fs/ioctl.c:597 [inline] __sesysioctl+0x11d/0x1b0 ../fs/ioctl.c:583 dosyscallx64 ../arch/x86/entry/syscall64.c:63 [inline] dosyscall64+0xe0/0x800 ../arch/x86/entry/syscall64.c:94 entrySYSCALL64afterhwframe+0x76/0x7e </TASK>
WARN if the driver says the command succeeded, but the firmware error code says otherwise, as _sevdocmdlocked() is expected to return -EIO on any firwmware error.
- Database specific
{ "cna_assigner": "Linux", "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31699.json" }- References
-
- https://git.kernel.org/stable/c/111dcc6d0f016076745824a787d25609d0022f4c
- https://git.kernel.org/stable/c/3b4fd8f15765d9a3105b834dba8a05d025e5e16e
- https://git.kernel.org/stable/c/59e9ae81f8670ccc780bc75f45a355736f640ec9
- https://git.kernel.org/stable/c/607ba280f2adb5092cf5386c3935afac2ca0031a
- https://git.kernel.org/stable/c/abe4a6d6f606113251868c2c4a06ba904bb41eed
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31699.json
- https://nvd.nist.gov/vuln/detail/CVE-2026-31699
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducede799035609e1526761aa2f896a974b233d04d36dFixed607ba280f2adb5092cf5386c3935afac2ca0031aFixed59e9ae81f8670ccc780bc75f45a355736f640ec9Fixed111dcc6d0f016076745824a787d25609d0022f4cFixed3b4fd8f15765d9a3105b834dba8a05d025e5e16eFixedabe4a6d6f606113251868c2c4a06ba904bb41eed