Skip to main content

Linux Kernel CCP EUVDEUVD-2026-26507

| CVE-2026-31698 HIGH
Out-of-bounds Write (CWE-787)
2026-05-01 416baaa9-dc9f-4396-8d5f-8c081fb06d67
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
SUSE
HIGH
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
High

Lifecycle Timeline

7
Analysis Generated
May 03, 2026 - 07:22 vuln.today
CVSS changed
May 03, 2026 - 07:22 NVD
7.1 (HIGH)
Patch released
May 03, 2026 - 07:16 nvd
Patch available
Patch available
May 01, 2026 - 15:02 EUVD
EUVD ID Assigned
May 01, 2026 - 14:22 euvd
EUVD-2026-26507
Analysis Generated
May 01, 2026 - 14:22 vuln.today
CVE Published
May 01, 2026 - 14:16 nvd
HIGH 7.1

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

crypto: ccp: Don't attempt to copy PDH cert to userspace if PSP command failed

When retrieving the PDH cert, don't attempt to copy the blobs to userspace if the firmware command failed. If the failure was due to an invalid length, i.e. the userspace buffer+length was too small, copying the number of bytes _firmware_ requires will overflow the kernel-allocated buffer and leak data to userspace.

BUG: KASAN: slab-out-of-bounds in instrument_copy_to_user ../include/linux/instrumented.h:129 [inline] BUG: KASAN: slab-out-of-bounds in _inline_copy_to_user ../include/linux/uaccess.h:205 [inline] BUG: KASAN: slab-out-of-bounds in _copy_to_user+0x66/0xa0 ../lib/usercopy.c:26 Read of size 2084 at addr ffff8885c4ab8aa0 by task syz.0.186/21033

CPU: 51 UID: 0 PID: 21033 Comm: syz.0.186 Tainted: G U O 7.0.0-smp-DEV #28 PREEMPTLAZY Tainted: [U]=USER, [O]=OOT_MODULE Hardware name: Google, Inc. Arcadia_IT_80/Arcadia_IT_80, BIOS 34.84.12-0 11/17/2025 Call Trace: <TASK> dump_stack_lvl+0xc5/0x110 ../lib/dump_stack.c:120 print_address_description ../mm/kasan/report.c:378 [inline] print_report+0xbc/0x260 ../mm/kasan/report.c:482 kasan_report+0xa2/0xe0 ../mm/kasan/report.c:595 check_region_inline ../mm/kasan/generic.c:-1 [inline] kasan_check_range+0x264/0x2c0 ../mm/kasan/generic.c:200 instrument_copy_to_user ../include/linux/instrumented.h:129 [inline] _inline_copy_to_user ../include/linux/uaccess.h:205 [inline] _copy_to_user+0x66/0xa0 ../lib/usercopy.c:26 copy_to_user ../include/linux/uaccess.h:236 [inline] sev_ioctl_do_pdh_export+0x3d3/0x7c0 ../drivers/crypto/ccp/sev-dev.c:2347 sev_ioctl+0x2a2/0x490 ../drivers/crypto/ccp/sev-dev.c:2568 vfs_ioctl ../fs/ioctl.c:51 [inline] __do_sys_ioctl ../fs/ioctl.c:597 [inline] __se_sys_ioctl+0x11d/0x1b0 ../fs/ioctl.c:583 do_syscall_x64 ../arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xe0/0x800 ../arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x76/0x7e </TASK>

WARN if the driver says the command succeeded, but the firmware error code says otherwise, as __sev_do_cmd_locked() is expected to return -EIO on any firwmware error.

AnalysisAI

Information disclosure in Linux kernel's AMD Cryptographic Coprocessor (CCP) driver allows local authenticated attackers to leak kernel memory to userspace via out-of-bounds read. When retrieving PDH certificates through SEV ioctl, the driver incorrectly copies data to userspace even after firmware command failures, potentially reading 2084+ bytes beyond allocated buffer boundaries. EPSS score of 0.02% (5th percentile) indicates minimal observed exploitation probability. Vendor patches available across multiple stable kernel branches (6.6.136, 6.12.84, 6.18.25, 7.0.2, 7.1-rc1) per upstream commits.

Technical ContextAI

The vulnerability resides in the AMD Secure Encrypted Virtualization (SEV) Platform Security Processor (PSP) driver code within the Linux kernel's CCP (Cryptographic Coprocessor) subsystem. Specifically, the sev_ioctl_do_pdh_export() function in drivers/crypto/ccp/sev-dev.c fails to validate firmware command success before copying PDH (Platform Diffie-Hellman) certificate blobs to userspace. When userspace provides an undersized buffer, the firmware command returns an error indicating required buffer size, but the kernel driver proceeds with the copy operation using the firmware-specified length rather than the actual allocated buffer size. This triggers a KASAN-detected slab-out-of-bounds read condition, where copy_to_user() attempts to read beyond the kernel-allocated buffer, potentially exposing adjacent kernel memory contents. The vulnerability affects the SEV API used for confidential computing workloads on AMD platforms. The root cause is inadequate error checking in the ioctl handler path, where __sev_do_cmd_locked() should return -EIO on firmware errors, but the caller doesn't verify this before proceeding with memory operations.

RemediationAI

Upgrade to patched Linux kernel versions: 7.1-rc1 or later for mainline, 7.0.2+ for 7.0.x stable branch, 6.18.25+ for 6.18.x branch, 6.12.84+ for 6.12.x branch, or 6.6.136+ for long-term support 6.6.x branch. Patches available from upstream commits at https://git.kernel.org/stable/c/051e51aa55fd4cdc3e8283cf4476aeeb5f563274 (and associated stable branch backports). If immediate patching is not feasible, restrict access to /dev/sev device node to only fully trusted administrative users via udev rules or filesystem permissions (chmod 600 /dev/sev, chown root:root /dev/sev) to prevent local unprivileged exploitation. Note this mitigation reduces attack surface but does not eliminate risk from local privileged users. Alternatively, blacklist the ccp kernel module (echo 'blacklist ccp' >> /etc/modprobe.d/blacklist-ccp.conf) if AMD SEV functionality is not required, though this disables all SEV/PSP capabilities including confidential computing features. No SEV firmware update is required as the vulnerability is purely in the kernel driver logic. Verify patch application by checking kernel version (uname -r) matches patched releases or examining git commit history of installed kernel source.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-26507 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy