CVE-2026-31470
Buffer Overflow in Linux TDX Guest Quote Buffer Handling
Publication date: 2026-04-22
Last updated on: 2026-04-27
Assigner: kernel.org
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability involves improper handling of a host-controlled buffer length in TDX guest environments, which could lead to information leakage across container boundaries.
Since the vulnerability may allow data beyond allocated memory to be read and potentially forwarded in attestation requests, it could pose risks related to data confidentiality and isolation.
However, the description notes that quotes used in remote attestation are not considered private, and the vulnerability primarily affects the integrity of memory boundaries rather than direct exposure of sensitive personal data.
There is no explicit information provided about the impact on compliance with standards like GDPR or HIPAA.
Can you explain this vulnerability to me?
This vulnerability exists in the Linux kernel's handling of the 'quote' buffer length in TDX guest environments. Specifically, the host controls a value called 'quote_buf->out_len' which determines how many bytes of a quote are copied to the guest userspace. The vulnerability arises because this host-controlled value was not properly validated, allowing scenarios where the host could specify a response length larger than the guest's allocated buffer or modify the response while the guest is reading it.
This flaw could lead to the guest reading memory beyond its allocated pages, potentially leaking sensitive data across container boundaries or local root boundaries. The fix involves validating the host-controlled length to prevent reading beyond the allocated buffer size.
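The length check described above, as an added userspace C model; it is not the kernel's code or the upstream patch. The struct layout, the function names and the 64-byte allocation are assumptions made for illustration; only `out_len` is named on this page.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical layout: only out_len is named on the page. */
struct quote_buf {
    volatile uint32_t out_len; /* host-written, untrusted */
    uint8_t data[];            /* quote bytes, host-written */
};

/* Before: trusts out_len, so the read can run past the allocation. */
size_t copy_quote_unchecked(const struct quote_buf *qb, uint8_t *dst)
{
    memcpy(dst, qb->data, qb->out_len);
    return qb->out_len; /* second read: may differ from the copied length */
}

/* After: read the length once, validate, use only the snapshot. */
long copy_quote_checked(const struct quote_buf *qb, size_t alloc_len,
                        uint8_t *dst, size_t dst_len)
{
    size_t hdr = offsetof(struct quote_buf, data);
    uint32_t len = qb->out_len; /* single read; host may rewrite it later */

    if (alloc_len < hdr || len > alloc_len - hdr || len > dst_len)
        return -1;              /* reject rather than clamp */
    memcpy(dst, qb->data, len); /* contents stay untrusted either way */
    return (long)len;
}

/* Constructed sample: 64-byte allocation, host_len stands in for the host. */
long demo(uint32_t host_len)
{
    enum { ALLOC = 64 };
    uint8_t out[ALLOC];
    struct quote_buf *qb = calloc(1, ALLOC);
    long ret;

    if (!qb)
        return -2;
    qb->out_len = host_len;
    ret = copy_quote_checked(qb, ALLOC, out, sizeof(out));
    free(qb);
    return ret;
}

int main(void) { printf("%ld %ld\n", demo(60), demo(61)); return 0; }
```

The 64-byte allocation leaves 60 bytes for quote data after the 4-byte length field, so a host-supplied length of 60 is accepted and 61 is rejected.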
How can this vulnerability impact me?
This vulnerability can lead to unauthorized disclosure of memory contents beyond the allocated buffer in a TDX guest environment. Because the leaked data can cross container protection boundaries, it may expose sensitive information from other containers or local root processes.
In environments using remote attestation, the leaked quote data could be forwarded to attestation servers, potentially compromising the integrity or confidentiality of attestation processes.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability has been resolved by fixing the handling of the host-controlled 'quote' buffer length in the Linux kernel's TDX guest code.
To mitigate this vulnerability, you should update your Linux kernel to a version that includes this fix.