Skip to main content

Linux Kernel CVE-2026-52968

| EUVDEUVD-2026-38836 HIGH
Out-of-bounds Read (CWE-125)
2026-06-24 Linux GHSA-8vvj-3j37-6m3p
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
vuln.today AI
7.8 HIGH

Local, low-priv, no-interaction access to KVM AIF paths on s390; OOB read leaks memory (C:H) and OOB writes to GAIT corrupt kernel state (I:H) and can crash the host (A:H).

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jul 14, 2026 - 21:05 vuln.today
CVSS changed
Jul 14, 2026 - 20:22 NVD
7.1 (HIGH)
Patch available
Jun 24, 2026 - 18:02 EUVD
CVE Published
Jun 24, 2026 - 16:28 nvd
HIGH 7.1
CVE Published
Jun 24, 2026 - 16:28 cve.org
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

KVM: s390: pci: fix GAIT table indexing due to double-scaling pointer arithmetic

kvm_s390_pci_aif_enable(), kvm_s390_pci_aif_disable(), and aen_host_forward() index the GAIT by manually multiplying the index with sizeof(struct zpci_gaite).

Since aift->gait is already a struct zpci_gaite pointer, this double-scales the offset, accessing element aisb*16 instead of aisb.

This causes out-of-bounds accesses when aisb >= 32 (with ZPCI_NR_DEVICES=512)

Fix by removing the erroneous sizeof multiplication.

AnalysisAI

Out-of-bounds memory access in the Linux kernel's KVM s390 PCI adapter-interrupt-forwarding (AIF) code allows a low-privileged local actor on IBM Z (s390x) hosts to read and corrupt kernel memory. The flaw stems from double-scaled pointer arithmetic when indexing the GAIT table in kvm_s390_pci_aif_enable(), kvm_s390_pci_aif_disable(), and aen_host_forward(), triggered when an adapter interrupt source (aisb) index reaches 32 or higher under ZPCI_NR_DEVICES=512. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Obtain local low-priv access on s390 KVM host
Delivery
Configure guest with zPCI passthrough (AIF)
Exploit
Provision adapter interrupts so aisb ≥ 32
Install
Trigger AIF enable/disable or interrupt forward
C2
Kernel indexes GAIT at aisb*16
Execute
Out-of-bounds kernel read/write
Impact
Info disclosure or host crash

Vulnerability AssessmentAI

Exploitation Exploitation requires a Linux host on the s390/s390x (IBM Z) architecture running KVM with zPCI/PCI adapter passthrough and Adapter Interrupt Forwarding (AIF) in use, and the kernel built with ZPCI_NR_DEVICES=512 (or otherwise permitting an adapter interrupt source block index, aisb, of 32 or greater). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 3.1 vector (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H, base 7.1) indicates a local, low-privileged, no-interaction attack with high confidentiality and availability impact but no integrity impact - though the description's writes during AIF enable/disable suggest integrity impact may be understated. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario On an IBM Z host running KVM with PCI device passthrough, a local user or guest able to invoke the AIF enable/disable paths configures enough adapter interrupt sources that an aisb index of 32 or greater is used, causing the kernel to index the GAIT at offset aisb*16 and access memory far outside the table. This out-of-bounds read/write can leak adjacent kernel memory or corrupt kernel structures, potentially crashing the host (denial of service) or aiding privilege escalation. …
Remediation Upgrade to a patched stable kernel: Vendor-released patch - 6.1.175, 6.6.141, 6.12.91, 6.18.33, or 7.0.10 (and 7.1), whichever matches your series, via your distribution's kernel updates or the stable commits at git.kernel.org/stable/c/31a9d9f9942885aae356a1a57c79e82c5b5b0828. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all IBM Z systems running Linux kernel with KVM virtualization enabled; verify ZPCI_NR_DEVICES configuration to scope exposure. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-52968 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy