Skip to main content

Linux CVE-2026-31788

| EUVDEUVD-2026-15401 HIGH
2026-03-25 Linux
8.2
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.2 HIGH
AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
SUSE
5.2 MEDIUM
qualitative
Red Hat
6.7 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Analysis Updated
Apr 18, 2026 - 09:38 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 18, 2026 - 09:22 vuln.today
cvss_changed
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 25, 2026 - 10:45 euvd
EUVD-2026-15401
Analysis Generated
Mar 25, 2026 - 10:45 vuln.today
CVE Published
Mar 25, 2026 - 10:25 nvd
HIGH 8.2

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

xen/privcmd: restrict usage in unprivileged domU

The Xen privcmd driver allows to issue arbitrary hypercalls from user space processes. This is normally no problem, as access is usually limited to root and the hypervisor will deny any hypercalls affecting other domains.

In case the guest is booted using secure boot, however, the privcmd driver would be enabling a root user process to modify e.g. kernel memory contents, thus breaking the secure boot feature.

The only known case where an unprivileged domU is really needing to use the privcmd driver is the case when it is acting as the device model for another guest. In this case all hypercalls issued via the privcmd driver will target that other guest.

Fortunately the privcmd driver can already be locked down to allow only hypercalls targeting a specific domain, but this mode can be activated from user land only today.

The target domain can be obtained from Xenstore, so when not running in dom0 restrict the privcmd driver to that target domain from the beginning, resolving the potential problem of breaking secure boot.

This is XSA-482

--- V2:

  • defer reading from Xenstore if Xenstore isn't ready yet (Jan Beulich)
  • wait in open() if target domain isn't known yet
  • issue message in case no target domain found (Jan Beulich)

AnalysisAI

Xen privcmd driver in Linux kernel allows root processes in unprivileged guest VMs to bypass secure boot protections by issuing arbitrary hypercalls that modify kernel memory. This Xen Security Advisory (XSA-482) affects Linux kernels running as Xen domU guests with secure boot enabled. The vulnerability is addressed in kernel patches 6.1.167, 6.6.130, 6.12.78, 6.18.20, and 6.19.10. EPSS score of 0.03% (9th percentile) indicates low probability of widespread exploitation. No active exploitation confirmed at time of analysis; POC status unknown.

Technical ContextAI

The Xen privcmd driver provides a privileged interface allowing userspace processes to issue hypercalls directly to the Xen hypervisor. In standard configurations, this capability is restricted to root processes and the hypervisor enforces domain isolation, preventing cross-domain interference. However, when Linux boots with secure boot enabled as an unprivileged Xen domU (guest domain), the privcmd driver creates a privilege boundary violation: root processes can issue hypercalls that manipulate kernel memory, effectively circumventing secure boot's integrity guarantees. The fix restricts privcmd usage in unprivileged domU contexts to only target specific domains (legitimate when the guest acts as a device model for another VM), implementing this restriction automatically from kernel space rather than relying on userland configuration. The patch retrieves the target domain from Xenstore and enforces hypercall targeting during driver initialization.

RemediationAI

Upgrade to patched Linux kernel stable versions: 6.1.167, 6.6.130, 6.12.78, 6.18.20, 6.19.10 or later from your distribution. Kernel git commits implementing the fix are available at https://git.kernel.org/stable/c/87a803edb2ded911cb587c53bff179d2a2ed2a28 and related stable branch commits. For Debian systems, monitor security tracker for backported patches across 8 tracked releases. If immediate patching is not feasible for Xen domU guests with secure boot, implement these compensating controls: (1) Disable the privcmd driver module (modprobe blacklist xen-privcmd) if the guest does not serve as a device model for other VMs - this breaks device model functionality but eliminates the attack surface; (2) Disable secure boot in the domU guest if its integrity guarantees are not required for your threat model - this removes the vulnerability's impact but sacrifices secure boot protections; (3) Implement mandatory access control policies (SELinux/AppArmor) to restrict which root processes can access /dev/xen/privcmd - reduces but does not eliminate risk since root can modify MAC policies. Consult Xen Security Advisory XSA-482 (http://xenbits.xen.org/xsa/advisory-482.html) for Xen-specific guidance. Each workaround trades functionality or security posture; patching is strongly preferred.

Vendor StatusVendor

Debian

linux
Release Status Fixed Version Urgency
bullseye vulnerable 5.10.223-1 -
bullseye (security) vulnerable 5.10.251-1 -
bookworm vulnerable 6.1.159-1 -
bookworm (security) vulnerable 6.1.164-1 -
trixie vulnerable 6.12.73-1 -
trixie (security) vulnerable 6.12.74-2 -
forky, sid vulnerable 6.19.8-1 -
(unstable) fixed (unfixed) -

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Micro 5.2 Fixed
SUSE Linux Enterprise Micro 5.3 Fixed
SUSE Linux Enterprise Micro 5.4 Fixed

Share

CVE-2026-31788 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy