Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Local guest trigger (PR:L) but corruption needs a malicious host to return a crafted mismatched length (AC:H); page-allocator corruption gives high integrity/availability impact, limited confidentiality.
Primary rating from Vendor (Linux).
CVSS VectorVendor: Linux
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
In the Linux kernel, the following vulnerability has been resolved:
virt: sev-guest: Do not use host-controlled page order in cleanup path
When issuing an extended guest request (SVM_VMGEXIT_EXT_GUEST_REQUEST), get_ext_report() allocates a buffer to retrieve a certificate blob from the host, keeping track of its size in report_req->certs_len.
However, the host may return SNP_GUEST_VMM_ERR_INVALID_LEN, indicating an invalid buffer size, as well as the expected length of such buffer. get_ext_report() subsequently updates report_req->certs_len with the host-controlled value, and cleans up the buffer by computing a page order from such value. This is incorrect, as the host-provided length may not match the page order of the original allocation, potentially resulting in corruption in the page allocator.
Fix this by using alloc_pages_exact() instead, and reusing @npages to compute the size passed to free_pages_exact(). For consistency, also use @npages to compute the size when allocating the pages, even though this last change has no functional effect.
AnalysisAI
Page allocator corruption in the Linux kernel's AMD SEV-SNP guest driver (virt/sev-guest) affects confidential-computing guests running kernels from 6.14 onward. When a guest issues an extended guest request (SVM_VMGEXIT_EXT_GUEST_REQUEST), an untrusted host can return SNP_GUEST_VMM_ERR_INVALID_LEN with a length that does not match the original allocation; the cleanup path then frees pages using a host-controlled page order, corrupting the guest's page allocator. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires the affected system to be running as an AMD SEV-SNP confidential guest whose kernel includes the sev-guest driver, and requires in-guest code to issue an extended guest request (SVM_VMGEXIT_EXT_GUEST_REQUEST, the certificate-fetch path). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are largely consistent and point to low real-world urgency despite the High CVSS. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An organization runs an AMD SEV-SNP confidential VM on a hypervisor that is malicious or has been compromised. When in-guest software issues an extended guest request, the host replies with SNP_GUEST_VMM_ERR_INVALID_LEN and a mismatched length, causing the guest kernel to free its certificate buffer at the wrong page order and corrupt the page allocator, leading to guest kernel instability or potential memory-corruption-based escalation. … |
| Remediation | Vendor-released patch: upgrade to a fixed stable kernel - 6.18.33, 7.0.10, or 7.1 (or your distribution's backported equivalent) - which replaces the host-controlled page-order free with alloc_pages_exact()/free_pages_exact() so allocation and free sizes always match. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Audit infrastructure to identify systems running Linux kernels 6.14+ with AMD SEV-SNP guests. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38827
GHSA-rj55-92m8-99mg