Skip to main content

Linux Kernel CVE-2026-52959

| EUVDEUVD-2026-38827 HIGH
2026-06-24 Linux GHSA-rj55-92m8-99mg
7.8
CVSS 3.1 · Vendor: Linux
Share

Severity by source

Vendor (Linux) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
6.5 MEDIUM

Local guest trigger (PR:L) but corruption needs a malicious host to return a crafted mismatched length (AC:H); page-allocator corruption gives high integrity/availability impact, limited confidentiality.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:H
4.0 AV:L/AC:H/AT:N/PR:L/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Linux).

CVSS VectorVendor: Linux

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 28, 2026 - 08:37 vuln.today
CVSS changed
Jun 28, 2026 - 08:22 NVD
7.8 (HIGH)
Patch available
Jun 24, 2026 - 18:02 EUVD
CVE Published
Jun 24, 2026 - 16:28 cve.org
HIGH 7.8
CVE Published
Jun 24, 2026 - 16:28 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

virt: sev-guest: Do not use host-controlled page order in cleanup path

When issuing an extended guest request (SVM_VMGEXIT_EXT_GUEST_REQUEST), get_ext_report() allocates a buffer to retrieve a certificate blob from the host, keeping track of its size in report_req->certs_len.

However, the host may return SNP_GUEST_VMM_ERR_INVALID_LEN, indicating an invalid buffer size, as well as the expected length of such buffer. get_ext_report() subsequently updates report_req->certs_len with the host-controlled value, and cleans up the buffer by computing a page order from such value. This is incorrect, as the host-provided length may not match the page order of the original allocation, potentially resulting in corruption in the page allocator.

Fix this by using alloc_pages_exact() instead, and reusing @npages to compute the size passed to free_pages_exact(). For consistency, also use @npages to compute the size when allocating the pages, even though this last change has no functional effect.

AnalysisAI

Page allocator corruption in the Linux kernel's AMD SEV-SNP guest driver (virt/sev-guest) affects confidential-computing guests running kernels from 6.14 onward. When a guest issues an extended guest request (SVM_VMGEXIT_EXT_GUEST_REQUEST), an untrusted host can return SNP_GUEST_VMM_ERR_INVALID_LEN with a length that does not match the original allocation; the cleanup path then frees pages using a host-controlled page order, corrupting the guest's page allocator. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Operate as untrusted/compromised hypervisor
Delivery
Guest issues extended guest request
Exploit
Host returns INVALID_LEN with mismatched length
Execution
Driver computes wrong page order in cleanup
Persist
free_pages mismatch corrupts page allocator
Impact
Guest kernel memory corruption / instability

Vulnerability AssessmentAI

Exploitation Requires the affected system to be running as an AMD SEV-SNP confidential guest whose kernel includes the sev-guest driver, and requires in-guest code to issue an extended guest request (SVM_VMGEXIT_EXT_GUEST_REQUEST, the certificate-fetch path). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are largely consistent and point to low real-world urgency despite the High CVSS. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An organization runs an AMD SEV-SNP confidential VM on a hypervisor that is malicious or has been compromised. When in-guest software issues an extended guest request, the host replies with SNP_GUEST_VMM_ERR_INVALID_LEN and a mismatched length, causing the guest kernel to free its certificate buffer at the wrong page order and corrupt the page allocator, leading to guest kernel instability or potential memory-corruption-based escalation. …
Remediation Vendor-released patch: upgrade to a fixed stable kernel - 6.18.33, 7.0.10, or 7.1 (or your distribution's backported equivalent) - which replaces the host-controlled page-order free with alloc_pages_exact()/free_pages_exact() so allocation and free sizes always match. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Audit infrastructure to identify systems running Linux kernels 6.14+ with AMD SEV-SNP guests. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-52959 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy