CVE-2026-31698
Buffer Overflow in Linux Kernel CCP Driver

Publication date: 2026-05-01

Last updated on: 2026-05-06

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

crypto: ccp: Don't attempt to copy PDH cert to userspace if PSP command failed

When retrieving the PDH cert, don't attempt to copy the blobs to userspace if the firmware command failed. If the failure was due to an invalid length, i.e. the userspace buffer+length was too small, copying the number of bytes _firmware_ requires will overflow the kernel-allocated buffer and leak data to userspace.

  BUG: KASAN: slab-out-of-bounds in instrument_copy_to_user ../include/linux/instrumented.h:129 [inline]
  BUG: KASAN: slab-out-of-bounds in _inline_copy_to_user ../include/linux/uaccess.h:205 [inline]
  BUG: KASAN: slab-out-of-bounds in _copy_to_user+0x66/0xa0 ../lib/usercopy.c:26
  Read of size 2084 at addr ffff8885c4ab8aa0 by task syz.0.186/21033
  CPU: 51 UID: 0 PID: 21033 Comm: syz.0.186 Tainted: G U O 7.0.0-smp-DEV #28 PREEMPTLAZY
  Tainted: [U]=USER, [O]=OOT_MODULE
  Hardware name: Google, Inc. Arcadia_IT_80/Arcadia_IT_80, BIOS 34.84.12-0 11/17/2025
  Call Trace:
  <TASK>
  dump_stack_lvl+0xc5/0x110 ../lib/dump_stack.c:120
  print_address_description ../mm/kasan/report.c:378 [inline]
  print_report+0xbc/0x260 ../mm/kasan/report.c:482
  kasan_report+0xa2/0xe0 ../mm/kasan/report.c:595
  check_region_inline ../mm/kasan/generic.c:-1 [inline]
  kasan_check_range+0x264/0x2c0 ../mm/kasan/generic.c:200
  instrument_copy_to_user ../include/linux/instrumented.h:129 [inline]
  _inline_copy_to_user ../include/linux/uaccess.h:205 [inline]
  _copy_to_user+0x66/0xa0 ../lib/usercopy.c:26
  copy_to_user ../include/linux/uaccess.h:236 [inline]
  sev_ioctl_do_pdh_export+0x3d3/0x7c0 ../drivers/crypto/ccp/sev-dev.c:2347
  sev_ioctl+0x2a2/0x490 ../drivers/crypto/ccp/sev-dev.c:2568
  vfs_ioctl ../fs/ioctl.c:51 [inline]
  __do_sys_ioctl ../fs/ioctl.c:597 [inline]
  __se_sys_ioctl+0x11d/0x1b0 ../fs/ioctl.c:583
  do_syscall_x64 ../arch/x86/entry/syscall_64.c:63 [inline]
  do_syscall_64+0xe0/0x800 ../arch/x86/entry/syscall_64.c:94
  entry_SYSCALL_64_after_hwframe+0x76/0x7e
  </TASK>

WARN if the driver says the command succeeded, but the firmware error code says otherwise, as __sev_do_cmd_locked() is expected to return -EIO on any firmware error.
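The following C model is an added illustration, not the kernel's code or the patch itself: a mock firmware answers a too-small buffer by writing back the length it requires and failing, a copy_to_user() stand-in flags a read past the kernel allocation the way KASAN did, and pdh_export() shows the copy-back step with and without the fix (lengths are still reported to userspace, but the blob is not copied after a failed command). The status value, function names and buffer sizes are constructed for the example.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define FW_REQUIRED_PDH_LEN 2084u  /* length the mock firmware insists on (the size in the KASAN report) */
#define FW_STATUS_INVALID_LEN 0x4  /* constructed firmware status value, not the real SEV code */
struct pdh_cmd { uint32_t pdh_cert_len; };  /* firmware rewrites this field when the buffer is too small */

/* Mock PSP firmware: with a too-small buffer it writes the required length
 * back into the command struct and fails, as the advisory describes. */
static int mock_fw_pdh_export(struct pdh_cmd *cmd, uint32_t *error)
{
    if (cmd->pdh_cert_len < FW_REQUIRED_PDH_LEN) {
        cmd->pdh_cert_len = FW_REQUIRED_PDH_LEN;
        *error = FW_STATUS_INVALID_LEN;
        return -EIO;
    }
    *error = 0;
    return 0;
}

/* Stand-in for copy_to_user() that, like KASAN, refuses to read past the end
 * of the source allocation instead of silently leaking slab memory. */
static int checked_copy(uint8_t *dst, const uint8_t *src, size_t src_alloc, size_t n)
{
    if (n > src_alloc)
        return -EFAULT;  /* this is the slab-out-of-bounds read from the report */
    memcpy(dst, src, n);
    return 0;
}

/* Model of the export path. user_len is the buffer size userspace asked for; fixed
 * selects the patched rule: hand the lengths back, but never copy the blob when the
 * command failed. Returns 0, -EIO (command failed) or -EFAULT (unpatched over-read). */
static int pdh_export(uint32_t user_len, int fixed, uint32_t *fw_error, uint32_t *required_len)
{
    struct pdh_cmd cmd = { .pdh_cert_len = user_len };
    uint8_t *kbuf = calloc(user_len ? user_len : 1, 1);  /* kernel blob, sized by userspace */
    uint8_t *ubuf = calloc(FW_REQUIRED_PDH_LEN, 1);       /* user destination */
    int ret = mock_fw_pdh_export(&cmd, fw_error);
    *required_len = cmd.pdh_cert_len;  /* both variants report the firmware's length back */
    if (!fixed || ret == 0) {          /* unpatched: copies even after a failed command */
        if (checked_copy(ubuf, kbuf, user_len, cmd.pdh_cert_len) < 0)
            ret = -EFAULT;
    }
    free(kbuf);
    free(ubuf);
    return ret;
}
```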
Meta Information

Published: 2026-05-01
Last Modified: 2026-05-06
Generated: 2026-05-07
AI Q&A: 2026-05-01
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (6 associated CPEs)

Vendor   Product        Version / Range
linux    linux_kernel   from 6.7 (inclusive) to 6.12.84 (exclusive)
linux    linux_kernel   7.1
linux    linux_kernel   7.1
linux    linux_kernel   from 6.13 (inclusive) to 6.18.25 (exclusive)
linux    linux_kernel   from 6.19 (inclusive) to 7.0.2 (exclusive)
linux    linux_kernel   from 4.16 (inclusive) to 6.6.136 (exclusive)
CWE

CWE-787: The product writes data past the end, or before the beginning, of the intended buffer.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's crypto CCP driver when handling the retrieval of the Platform Diffie-Hellman (PDH) certificate. If the firmware command to get the PDH certificate fails, especially due to an invalid length (meaning the userspace buffer is too small), the kernel incorrectly attempts to copy more data than the allocated kernel buffer can hold. This results in a buffer overflow and causes data leakage from the kernel space to userspace.

The issue arises because the driver does not properly check the firmware command's failure before copying data, leading to out-of-bounds memory access and potential exposure of sensitive kernel memory.


How can this vulnerability impact me?

This vulnerability can lead to a kernel memory buffer overflow and data leakage to userspace. An attacker or malicious userspace process could exploit this flaw to read sensitive kernel memory contents that should not be accessible, potentially exposing confidential information or kernel data structures.

Such data leakage can undermine system security by revealing secrets or internal kernel state, which could be leveraged for further attacks or privilege escalation.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves a kernel buffer overflow triggered when the PDH certificate retrieval fails due to an invalid length, causing a slab-out-of-bounds error in kernel memory. Detection would typically involve monitoring kernel logs for KASAN (Kernel Address Sanitizer) slab-out-of-bounds warnings related to the crypto CCP driver, specifically messages referencing instrument_copy_to_user or sev_ioctl functions.

You can check the kernel logs for such errors using commands like:

  • dmesg | grep -i kasan
  • journalctl -k | grep -i kasan
  • grep -r 'slab-out-of-bounds' /var/log/

Additionally, monitoring for unusual ioctl calls to the sev device or abnormal behavior in the crypto CCP driver may help identify attempts to exploit this vulnerability.


What immediate steps should I take to mitigate this vulnerability?

The vulnerability has been resolved in the Linux kernel by ensuring that the PDH certificate is not copied to userspace if the firmware command fails, preventing buffer overflow and data leakage.

Immediate mitigation steps include:

  • Update your Linux kernel to the version that includes the fix for this vulnerability.
  • Avoid running untrusted or suspicious userspace applications that interact with the crypto CCP driver or perform PDH certificate retrieval until the patch is applied.
  • Monitor kernel logs for any signs of exploitation attempts and restrict access to the affected device interfaces if possible.
