Skip to main content

Linux Kernel CVE-2026-31470

| EUVDEUVD-2026-24820 HIGH
Out-of-bounds Write (CWE-787)
2026-04-22 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-86qf-jwhq-f4jq
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
SUSE
HIGH
qualitative
Red Hat
6.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
High

Lifecycle Timeline

7
Analysis Generated
Apr 27, 2026 - 14:31 vuln.today
CVSS changed
Apr 27, 2026 - 14:22 NVD
7.1 (HIGH)
Patch released
Apr 27, 2026 - 14:16 nvd
Patch available
Patch available
Apr 22, 2026 - 16:33 EUVD
EUVD ID Assigned
Apr 22, 2026 - 14:22 euvd
EUVD-2026-24820
Analysis Generated
Apr 22, 2026 - 14:22 vuln.today
CVE Published
Apr 22, 2026 - 14:16 nvd
HIGH 7.1

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

virt: tdx-guest: Fix handling of host controlled 'quote' buffer length

Validate host controlled value quote_buf->out_len that determines how many bytes of the quote are copied out to guest userspace. In TDX environments with remote attestation, quotes are not considered private, and can be forwarded to an attestation server.

Catch scenarios where the host specifies a response length larger than the guest's allocation, or otherwise races modifying the response while the guest consumes it.

This prevents contents beyond the pages allocated for quote_buf (up to TSM_REPORT_OUTBLOB_MAX) from being read out to guest userspace, and possibly forwarded in attestation requests.

Recall that some deployments want per-container configs-tsm-report interfaces, so the leak may cross container protection boundaries, not just local root.

AnalysisAI

A buffer validation flaw in Linux kernel's TDX guest driver (versions 6.7+) allows local authenticated attackers to leak kernel memory beyond allocated quote buffers into userspace, potentially crossing container isolation boundaries in multi-tenant TDX environments. The vulnerability stems from insufficient validation of host-controlled quote_buf->out_len values during remote attestation operations. Patches available for stable branches 6.12.80, 6.18.21, 6.19.11, and mainline 7.0. EPSS score of 0.02% (5th percentile) indicates low exploitation probability in the wild, with no public exploit code or active exploitation confirmed at time of analysis.

Technical ContextAI

This vulnerability affects the TDX (Trust Domain Extensions) guest virtualization driver in the Linux kernel, specifically the quote buffer handling mechanism used for remote attestation. TDX is Intel's confidential computing technology that creates hardware-isolated virtual machines (Trust Domains). During attestation, the TDX guest generates cryptographic quotes to prove its integrity to remote verifiers. The vulnerable code path fails to validate the host-controlled out_len field before copying quote data to userspace via the configs-tsm-report interface. The host VMM (Virtual Machine Manager) can manipulate this length field to exceed TSM_REPORT_OUTBLOB_MAX or the actual allocated buffer size, causing the kernel to copy unintended memory regions. The vulnerability was introduced in commit f4738f56d1dc and affects kernel versions 6.7 onward where TDX guest support was added. The flaw represents a classic TOCTOU (Time-of-Check-Time-of-Use) race condition where the host can modify out_len between validation and use, combined with insufficient bounds checking.

RemediationAI

Upgrade to patched Linux kernel versions: 6.12.80 or later for 6.12.x branch, 6.18.21 or later for 6.18.x branch, 6.19.11 or later for 6.19.x branch, or 7.0 for mainline kernel. Patches available from kernel.org stable tree at https://git.kernel.org/stable/c/a079a62883e3365de592cea9f7a669d8115433b0 (and related commits for other branches). For systems unable to immediately patch, implement compensating controls: disable or restrict access to /sys/kernel/config/tsm/report interface using filesystem permissions (chmod 000) or AppArmor/SELinux policies to prevent unprivileged container access, though this breaks legitimate attestation workflows and may impact application functionality. In multi-tenant TDX environments, consider namespace isolation to prevent cross-container access to tsm-report interfaces until patching is complete. Note that disabling the configs-tsm-report interface eliminates remote attestation capability, which may violate compliance requirements for confidential computing workloads. No workaround fully mitigates the vulnerability without operational impact; prioritize rapid patching.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-31470 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy