Skip to main content

Linux Kernel CVE-2026-31558

| EUVDEUVD-2026-25451 HIGH
Out-of-bounds Read (CWE-125)
2026-04-24 Linux GHSA-75vg-fcxx-gf7x
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
SUSE
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

8
Re-analysis Queued
Apr 27, 2026 - 20:22 vuln.today
cvss_changed
Patch released
Apr 27, 2026 - 20:13 nvd
Patch available
Analysis Generated
Apr 27, 2026 - 15:29 vuln.today
CVSS changed
Apr 27, 2026 - 15:22 NVD
8.8 (HIGH)
Patch available
Apr 24, 2026 - 16:16 EUVD
EUVD ID Assigned
Apr 24, 2026 - 15:00 euvd
EUVD-2026-25451
Analysis Generated
Apr 24, 2026 - 15:00 vuln.today
CVE Published
Apr 24, 2026 - 14:35 nvd
HIGH 8.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

LoongArch: KVM: Make kvm_get_vcpu_by_cpuid() more robust

kvm_get_vcpu_by_cpuid() takes a cpuid parameter whose type is int, so cpuid can be negative. Let kvm_get_vcpu_by_cpuid() return NULL for this case so as to make it more robust.

This fix an out-of-bounds access to kvm_arch::phyid_map::phys_map[].

AnalysisAI

Out-of-bounds array access in Linux kernel KVM subsystem on LoongArch allows local authenticated attackers with low privileges to execute arbitrary code, escalate privileges, or cause denial of service by passing negative cpuid values to kvm_get_vcpu_by_cpuid(). The function lacks bounds checking before indexing phyid_map::phys_map[], enabling read/write beyond array boundaries with container escape potential (CVSS scope change). Vendor patches available across multiple stable kernel branches (6.12.80, 6.18.21, 6.19.11). EPSS score of 0.02% indicates low automated exploitation likelihood, with no confirmed active exploitation or public POC at time of analysis.

Technical ContextAI

The vulnerability resides in the LoongArch architecture KVM (Kernel-based Virtual Machine) implementation within the Linux kernel. The kvm_get_vcpu_by_cpuid() function accepts an integer cpuid parameter without validating it is non-negative before using it as an array index into kvm_arch::phyid_map::phys_map[]. In C, negative integer indices can wrap around or access memory at offsets before the array base address, creating classic buffer overflow conditions. LoongArch is a RISC instruction set developed by Loongson Technology, primarily used in Chinese domestic processors. The KVM subsystem provides virtualization capabilities, making this a hypervisor-level vulnerability. The affected CPE strings indicate this impacts Linux kernel components, with patches targeting kernel versions 6.10 through 7.0 development trees. The fix enforces NULL return for negative cpuid values, implementing defensive programming to prevent out-of-bounds memory access before the array indexing operation.

RemediationAI

Upgrade to patched Linux kernel versions: 6.12.80, 6.18.21, 6.19.11, or apply vendor-provided patches from upstream Git commits 596c3f8069c4792f22fce8c4452f44410032d910, 878cf6acb4fd8ab4126cf9d369a5bb0e23123418, 47857b05bd50db01e211a1b6f513d57901cd3e6b, or 2db06c15d8c7a0ccb6108524e16cd9163753f354 depending on your kernel branch. Patches available at https://git.kernel.org/stable/c/ URLs listed in references. For systems where immediate patching is not feasible, implement compensating controls: restrict local user access to LoongArch KVM hosts by enforcing mandatory access controls (SELinux/AppArmor) to limit who can invoke KVM ioctls, disable KVM kernel module loading if virtualization is not required (blacklist kvm and kvm_loongson modules in /etc/modprobe.d/), or migrate virtualized workloads to x86_64/ARM hosts temporarily. Note that disabling KVM entirely eliminates virtualization capabilities and may break dependent services; restricting access via MAC policies is preferable but requires careful policy configuration to avoid breaking legitimate virtualization management tools. No workaround fully mitigates the vulnerability without applying the kernel patch.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-31558 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy