Skip to main content

Linux Kernel EUVDEUVD-2026-32317

| CVE-2026-45851 HIGH
Out-of-bounds Read (CWE-125)
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-r9jv-8h68-mr7c
High
Disputed · 7.1 NVD
Share

Severity by source

Sources disagree (Low–High)
NVD PRIMARY
7.1 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
vuln.today AI
5.3 MEDIUM

AC:H because it needs a non-aligned table plus large-memory TDX config; PR:L for local guest context; impact is panic (A:H) with possible table corruption (I:L) and no real confidentiality loss (C:N).

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H
4.0 AV:L/AC:H/AT:N/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N
SUSE
HIGH
qualitative
Red Hat
5.5 LOW
qualitative

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 25, 2026 - 23:31 vuln.today
CVSS changed
Jun 25, 2026 - 21:22 NVD
7.1 (HIGH)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:16 nvd
HIGH 7.1
CVE Published
May 27, 2026 - 14:16 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

efi: Fix reservation of unaccepted memory table

The reserve_unaccepted() function incorrectly calculates the size of the memblock reservation for the unaccepted memory table. It aligns the size of the table, but fails to account for cases where the table's starting physical address (efi.unaccepted) is not page-aligned.

If the table starts at an offset within a page and its end crosses into a subsequent page that the aligned size does not cover, the end of the table will not be reserved. This can lead to the table being overwritten or inaccessible, causing a kernel panic in accept_memory().

This issue was observed when starting Intel TDX VMs with specific memory sizes (e.g., > 64GB).

Fix this by calculating the end address first (including the unaligned start) and then aligning it up, ensuring the entire range is covered by the reservation.

AnalysisAI

Denial of service in the Linux kernel's EFI unaccepted-memory handling allows a boot-time kernel panic on confidential-computing guests, affecting kernels from 6.6 through the 6.19/7.0 development line. The reserve_unaccepted() routine miscalculates the memblock reservation size when the unaccepted memory table is not page-aligned, leaving the table's tail unreserved so it can be overwritten or rendered inaccessible, triggering a panic in accept_memory(). It is observed on Intel TDX VMs with larger memory sizes (e.g. >64GB); there is no public exploit identified at time of analysis and EPSS is negligible (0.02%).

Technical ContextAI

The flaw lives in the x86 EFI early-boot path that supports 'unaccepted memory', a feature of confidential VMs (notably Intel TDX, and conceptually AMD SEV-SNP) where guest memory must be explicitly 'accepted' before first use. The firmware exposes an EFI configuration table (efi.unaccepted) describing which regions are unaccepted; reserve_unaccepted() must reserve this table in memblock so it survives early allocation. CWE-125 (Out-of-bounds Read) is the assigned root-cause class, but the concrete defect is an alignment arithmetic error: the code aligns only the table size without accounting for a non-page-aligned start address, so when the table straddles a page boundary the final page is omitted from the reservation. Later, accept_memory() reads/uses that clobbered table and panics. The affected CPE set is generic linux:linux_kernel including 6.6 and its rc builds, but the vulnerable code path is exercised only on confidential-compute guests.

RemediationAI

Vendor-released patch: update to a fixed stable kernel - 6.6.128, 6.12.75, 6.18.14, 6.19.4, or 7.0 (or later within each series), which carry the backport of upstream commit 8dbe33956d96c9d066ef15ca933ede30748198b2 that computes the table end address (including the unaligned start) before aligning up. The fix is available via the stable trees at git.kernel.org (e.g. https://git.kernel.org/stable/c/0862438c90487e79822d5647f854977d50381505); track NVD at https://nvd.nist.gov/vuln/detail/CVE-2026-45851. Until patched, the practical workaround is to avoid the trigger condition: run affected Intel TDX guests with memory sizes that do not exercise the bug (notably below the ~64GB threshold where it was observed), or temporarily disable the unaccepted-memory code path (CONFIG_UNACCEPTED_MEMORY) where the platform permits - with the trade-off that disabling lazy acceptance forces all guest memory to be accepted up front, increasing boot time and memory pressure, and constraining memory sizing limits TDX VM scale.

More in Intel

View all
CVE-2017-5689 CRITICAL POC
9.8 May 02

An unprivileged network attacker could gain system privileges to provisioned Intel manageability SKUs: Intel Active Mana

CVE-2012-5958 CRITICAL POC
10.0 Jan 31

Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable

CVE-2012-0217 HIGH POC
7.2 Jun 12

The x86-64 kernel system-call functionality in Xen 4.1.2 and earlier, as used in Citrix XenServer 6.0.2 and earlier and

CVE-2012-5959 CRITICAL POC
10.0 Jan 31

Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable

CVE-2012-5964 CRITICAL POC
10.0 Jan 31

Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable

CVE-2012-5963 CRITICAL POC
10.0 Jan 31

Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable

CVE-2012-5961 CRITICAL POC
10.0 Jan 31

Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable

CVE-2012-5965 CRITICAL POC
10.0 Jan 31

Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable

CVE-2012-5962 CRITICAL POC
10.0 Jan 31

Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable

CVE-2012-5960 CRITICAL POC
10.0 Jan 31

Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable

CVE-2015-2291 HIGH POC
7.8 Aug 09

Local privilege escalation to SYSTEM in Intel Ethernet diagnostics driver (IQVW32.sys/IQVW64.sys versions before 1.3.1.0

CVE-2024-44308 HIGH
8.8 Nov 20

Arbitrary code execution in Apple Safari, iOS/iPadOS, macOS Sequoia, and visionOS occurs when processing maliciously cra

Vendor StatusVendor

SUSE

Severity: Important
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Affected

Share

EUVD-2026-32317 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy