Skip to main content

Linux Kernel CVE-2026-31588

| EUVDEUVD-2026-25481 HIGH
Use After Free (CWE-416)
2026-04-24 Linux GHSA-g8q5-fwjh-4q25
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
6.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

8
Re-analysis Queued
Apr 28, 2026 - 20:53 vuln.today
cvss_changed
Patch released
Apr 28, 2026 - 20:42 nvd
Patch available
Analysis Generated
Apr 27, 2026 - 15:32 vuln.today
CVSS changed
Apr 27, 2026 - 15:22 NVD
8.8 (HIGH)
Patch available
Apr 24, 2026 - 16:16 EUVD
EUVD ID Assigned
Apr 24, 2026 - 15:00 euvd
EUVD-2026-25481
Analysis Generated
Apr 24, 2026 - 15:00 vuln.today
CVE Published
Apr 24, 2026 - 14:42 nvd
HIGH 8.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

KVM: x86: Use scratch field in MMIO fragment to hold small write values

When exiting to userspace to service an emulated MMIO write, copy the to-be-written value to a scratch field in the MMIO fragment if the size of the data payload is 8 bytes or less, i.e. can fit in a single chunk, instead of pointing the fragment directly at the source value.

This fixes a class of use-after-free bugs that occur when the emulator initiates a write using an on-stack, local variable as the source, the write splits a page boundary, *and* both pages are MMIO pages. Because KVM's ABI only allows for physically contiguous MMIO requests, accesses that split MMIO pages are separated into two fragments, and are sent to userspace one at a time. When KVM attempts to complete userspace MMIO in response to KVM_RUN after the first fragment, KVM will detect the second fragment and generate a second userspace exit, and reference the on-stack variable.

The issue is most visible if the second KVM_RUN is performed by a separate task, in which case the stack of the initiating task can show up as truly freed data.

============== BUG: KASAN: use-after-free in complete_emulated_mmio+0x305/0x420 Read of size 1 at addr ffff888009c378d1 by task syz-executor417/984

CPU: 1 PID: 984 Comm: syz-executor417 Not tainted 5.10.0-182.0.0.95.h2627.eulerosv2r13.x86_64 #3 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014 Call Trace: dump_stack+0xbe/0xfd print_address_description.constprop.0+0x19/0x170 __kasan_report.cold+0x6c/0x84 kasan_report+0x3a/0x50 check_memory_region+0xfd/0x1f0 memcpy+0x20/0x60 complete_emulated_mmio+0x305/0x420 kvm_arch_vcpu_ioctl_run+0x63f/0x6d0 kvm_vcpu_ioctl+0x413/0xb20 __se_sys_ioctl+0x111/0x160 do_syscall_64+0x30/0x40 entry_SYSCALL_64_after_hwframe+0x67/0xd1 RIP: 0033:0x42477d Code: <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007faa8e6890e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00000000004d7338 RCX: 000000000042477d RDX: 0000000000000000 RSI: 000000000000ae80 RDI: 0000000000000005 RBP: 00000000004d7330 R08: 00007fff28d546df R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004d733c R13: 0000000000000000 R14: 000000000040a200 R15: 00007fff28d54720

The buggy address belongs to the page: page:0000000029f6a428 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x9c37 flags: 0xfffffc0000000(node=0|zone=1|lastcpupid=0x1fffff) raw: 000fffffc0000000 0000000000000000 ffffea0000270dc8 0000000000000000 raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected

Memory state around the buggy address: ffff888009c37780: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff888009c37800: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff >ffff888009c37880: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffff888009c37900: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff888009c37980: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ==============

The bug can also be reproduced with a targeted KVM-Unit-Test by hacking KVM to fill a large on-stack variable in complete_emulated_mmio(), i.e. by overwrite the data value with garbage.

Limit the use of the scratch fields to 8-byte or smaller accesses, and to just writes, as larger accesses and reads are not affected thanks to implementation details in the emulator, but add a sanity check to ensure those details don't change in the future. Specifically, KVM never uses on-stack variables for accesses larger that 8 bytes, e.g. uses an operand in the emulator context, and *al ---truncated---

AnalysisAI

Use-after-free in Linux kernel KVM x86 MMIO emulation allows local authenticated users with low privileges to potentially execute arbitrary code, escalate privileges, or cause denial of service. The flaw occurs when KVM's emulator initiates MMIO writes using on-stack variables that cross page boundaries between two MMIO pages, creating dangling pointers when fragments are processed across separate KVM_RUN calls, especially when different tasks handle subsequent runs. EPSS exploitation probability is very low (0.02%, 5th percentile), and vendor patches are available for kernel versions 6.12.83, 6.18.24, 6.19.14, and 7.0.1. No active exploitation or public POC identified at time of analysis.

Technical ContextAI

This vulnerability affects the Kernel Virtual Machine (KVM) hypervisor's x86 architecture emulation layer, specifically the Memory-Mapped I/O (MMIO) fragment handling code path. KVM emulates MMIO operations by trapping guest memory accesses and forwarding them to userspace (typically QEMU). The Linux kernel's KVM implementation splits MMIO accesses that cross page boundaries into separate fragments because the KVM ABI only supports physically contiguous MMIO requests. The vulnerable code path uses direct pointers to emulator source data (often stack-allocated local variables) when generating these fragments. When an MMIO write operation spans two MMIO pages, KVM creates two fragments and exits to userspace sequentially. If the second KVM_RUN ioctl is executed by a different task than the one that initiated the emulation, or if the original task's stack frame has been unwound, the pointer to the on-stack source data becomes invalid, creating a use-after-free condition. The fix implements a scratch buffer within the MMIO fragment structure itself to copy small (≤8 bytes) write values, eliminating the dangling pointer issue while maintaining performance for common small write operations.

RemediationAI

Update to patched Linux kernel versions: 7.0.1, 6.19.14, 6.18.24, or 6.12.83 depending on your kernel branch. Vendor patches available from kernel.org stable git repository at commit references b5a02d37eb0739f462fa12df449ab9b3480c783b (mainline), 22d2ff69d487a32a8b88f9c970120fc2daa08a77, 2b83d91e9ae92fe1258d7040a32430bbb3bb7d6e, and 3a7b6d75c8f85b09dea893f64a85a356bcf6c3fe for respective stable branches. Distribution-specific updates: check vendor security advisories for backported fixes in RHEL, Ubuntu, Debian, and SUSE kernels. For environments where immediate kernel updates are not feasible, consider these compensating controls with trade-offs: disable nested virtualization if not required (reduces attack surface but eliminates legitimate nested VM use cases), restrict KVM device access permissions to highly trusted users only via /dev/kvm ACLs (limits who can create VMs but may break legitimate multi-user virtualization workflows), or implement kernel page table isolation (KPTI) if not already enabled (adds performance overhead of 2-5% but provides additional memory isolation). Note that workarounds do not fully eliminate the vulnerability and patches remain the primary remediation. Full advisory and patch details at https://nvd.nist.gov/vuln/detail/CVE-2026-31588.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-31588 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy