Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Local, low-priv, no-interaction access to KVM AIF paths on s390; OOB read leaks memory (C:H) and OOB writes to GAIT corrupt kernel state (I:H) and can crash the host (A:H).
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Lifecycle Timeline
5DescriptionNVD
In the Linux kernel, the following vulnerability has been resolved:
KVM: s390: pci: fix GAIT table indexing due to double-scaling pointer arithmetic
kvm_s390_pci_aif_enable(), kvm_s390_pci_aif_disable(), and aen_host_forward() index the GAIT by manually multiplying the index with sizeof(struct zpci_gaite).
Since aift->gait is already a struct zpci_gaite pointer, this double-scales the offset, accessing element aisb*16 instead of aisb.
This causes out-of-bounds accesses when aisb >= 32 (with ZPCI_NR_DEVICES=512)
Fix by removing the erroneous sizeof multiplication.
AnalysisAI
Out-of-bounds memory access in the Linux kernel's KVM s390 PCI adapter-interrupt-forwarding (AIF) code allows a low-privileged local actor on IBM Z (s390x) hosts to read and corrupt kernel memory. The flaw stems from double-scaled pointer arithmetic when indexing the GAIT table in kvm_s390_pci_aif_enable(), kvm_s390_pci_aif_disable(), and aen_host_forward(), triggered when an adapter interrupt source (aisb) index reaches 32 or higher under ZPCI_NR_DEVICES=512. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a Linux host on the s390/s390x (IBM Z) architecture running KVM with zPCI/PCI adapter passthrough and Adapter Interrupt Forwarding (AIF) in use, and the kernel built with ZPCI_NR_DEVICES=512 (or otherwise permitting an adapter interrupt source block index, aisb, of 32 or greater). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS 3.1 vector (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H, base 7.1) indicates a local, low-privileged, no-interaction attack with high confidentiality and availability impact but no integrity impact - though the description's writes during AIF enable/disable suggest integrity impact may be understated. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | On an IBM Z host running KVM with PCI device passthrough, a local user or guest able to invoke the AIF enable/disable paths configures enough adapter interrupt sources that an aisb index of 32 or greater is used, causing the kernel to index the GAIT at offset aisb*16 and access memory far outside the table. This out-of-bounds read/write can leak adjacent kernel memory or corrupt kernel structures, potentially crashing the host (denial of service) or aiding privilege escalation. … |
| Remediation | Upgrade to a patched stable kernel: Vendor-released patch - 6.1.175, 6.6.141, 6.12.91, 6.18.33, or 7.0.10 (and 7.1), whichever matches your series, via your distribution's kernel updates or the stable commits at git.kernel.org/stable/c/31a9d9f9942885aae356a1a57c79e82c5b5b0828. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all IBM Z systems running Linux kernel with KVM virtualization enabled; verify ZPCI_NR_DEVICES configuration to scope exposure. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-125 – Out-of-bounds Read
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38836
GHSA-8vvj-3j37-6m3p