Skip to main content

Linux Kernel CCP CVE-2026-31699

| EUVDEUVD-2026-26508 HIGH
Out-of-bounds Write (CWE-787)
2026-05-01 416baaa9-dc9f-4396-8d5f-8c081fb06d67
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
SUSE
HIGH
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
High

Lifecycle Timeline

7
Analysis Generated
May 03, 2026 - 07:23 vuln.today
CVSS changed
May 03, 2026 - 07:22 NVD
7.1 (HIGH)
Patch released
May 03, 2026 - 07:16 nvd
Patch available
Patch available
May 01, 2026 - 15:02 EUVD
EUVD ID Assigned
May 01, 2026 - 14:22 euvd
EUVD-2026-26508
Analysis Generated
May 01, 2026 - 14:22 vuln.today
CVE Published
May 01, 2026 - 14:16 nvd
HIGH 7.1

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

crypto: ccp: Don't attempt to copy CSR to userspace if PSP command failed

When retrieving the PEK CSR, don't attempt to copy the blob to userspace if the firmware command failed. If the failure was due to an invalid length, i.e. the userspace buffer+length was too small, copying the number of bytes _firmware_ requires will overflow the kernel-allocated buffer and leak data to userspace.

BUG: KASAN: slab-out-of-bounds in instrument_copy_to_user ../include/linux/instrumented.h:129 [inline] BUG: KASAN: slab-out-of-bounds in _inline_copy_to_user ../include/linux/uaccess.h:205 [inline] BUG: KASAN: slab-out-of-bounds in _copy_to_user+0x66/0xa0 ../lib/usercopy.c:26 Read of size 2084 at addr ffff898144612e20 by task syz.9.219/21405

CPU: 14 UID: 0 PID: 21405 Comm: syz.9.219 Tainted: G U O 7.0.0-smp-DEV #28 PREEMPTLAZY Tainted: [U]=USER, [O]=OOT_MODULE Hardware name: Google, Inc. Arcadia_IT_80/Arcadia_IT_80, BIOS 12.62.0-0 11/19/2025 Call Trace: <TASK> dump_stack_lvl+0xc5/0x110 ../lib/dump_stack.c:120 print_address_description ../mm/kasan/report.c:378 [inline] print_report+0xbc/0x260 ../mm/kasan/report.c:482 kasan_report+0xa2/0xe0 ../mm/kasan/report.c:595 check_region_inline ../mm/kasan/generic.c:-1 [inline] kasan_check_range+0x264/0x2c0 ../mm/kasan/generic.c:200 instrument_copy_to_user ../include/linux/instrumented.h:129 [inline] _inline_copy_to_user ../include/linux/uaccess.h:205 [inline] _copy_to_user+0x66/0xa0 ../lib/usercopy.c:26 copy_to_user ../include/linux/uaccess.h:236 [inline] sev_ioctl_do_pek_csr+0x31f/0x590 ../drivers/crypto/ccp/sev-dev.c:1872 sev_ioctl+0x3a4/0x490 ../drivers/crypto/ccp/sev-dev.c:2562 vfs_ioctl ../fs/ioctl.c:51 [inline] __do_sys_ioctl ../fs/ioctl.c:597 [inline] __se_sys_ioctl+0x11d/0x1b0 ../fs/ioctl.c:583 do_syscall_x64 ../arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xe0/0x800 ../arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x76/0x7e </TASK>

WARN if the driver says the command succeeded, but the firmware error code says otherwise, as __sev_do_cmd_locked() is expected to return -EIO on any firwmware error.

AnalysisAI

Buffer overflow in Linux kernel's AMD CCP (Cryptographic Coprocessor) driver leaks kernel memory to userspace when retrieving PEK CSR (Platform Endorsement Key Certificate Signing Request). Affecting Linux kernel 4.16+ through 7.0.x, the vulnerability allows local authenticated users to read arbitrary kernel memory due to improper error handling when firmware returns invalid buffer length requirements. Patches available across stable branches (6.6.136, 6.12.84, 6.18.25, 7.0.2, 7.1-rc1). EPSS score of 0.02% indicates minimal observed exploitation probability, though the CVSS 7.1 reflects significant confidentiality impact. No CISA KEV listing or public exploit identified at time of analysis.

Technical ContextAI

The vulnerability resides in the SEV (Secure Encrypted Virtualization) device driver's PEK CSR retrieval function (sev_ioctl_do_pek_csr) within the AMD Cryptographic Coprocessor Platform (CCP) subsystem. When userspace requests the Platform Endorsement Key Certificate Signing Request via ioctl, the driver allocates a kernel buffer based on user-provided length. If the PSP firmware command fails due to insufficient buffer size, the firmware returns the actual required byte count. The flawed code path attempts to copy this firmware-specified length to userspace without first verifying that the firmware command succeeded, resulting in a KASAN-detected slab-out-of-bounds read. This violates safe error handling principles where copy_to_user operations should only execute after successful command completion. The patch adds explicit checks to prevent copy operations when __sev_do_cmd_locked returns firmware error codes, and includes defensive WARN macros to detect future error-handling inconsistencies.

RemediationAI

Upgrade to patched Linux kernel versions: 6.6.136+ for 6.6.x series, 6.12.84+ for 6.12.x series, 6.18.25+ for 6.18.x series, 7.0.2+ for 7.0.x series, or 7.1-rc1+ for development kernels. Vendor patches available at git.kernel.org stable repository (commits 111dcc6d0f01, 3b4fd8f15765, 59e9ae81f867, 607ba280f2ad, abe4a6d6f606). For environments unable to immediately patch, disable the SEV device driver by blacklisting the ccp module (add 'blacklist ccp' to /etc/modprobe.d/disable-ccp.conf and rebuild initramfs), though this mitigation breaks SEV/SNP virtualization functionality and is only suitable for systems not using AMD memory encryption features. Restrict access to /dev/sev device node using udev rules to limit exposure to trusted administrative users only, recognizing this reduces but does not eliminate risk from compromised low-privilege accounts. Verify patches using kernel version strings and inspect loaded modules with 'modinfo ccp' to confirm patched driver versions post-update.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-31699 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy