CVE-2026-31699
Status: Received - Intake
Buffer Overflow in Linux Kernel Crypto CCP Driver

Publication date: 2026-05-01

Last updated on: 2026-05-06

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

crypto: ccp: Don't attempt to copy CSR to userspace if PSP command failed

When retrieving the PEK CSR, don't attempt to copy the blob to userspace if the firmware command failed. If the failure was due to an invalid length, i.e. the userspace buffer+length was too small, copying the number of bytes _firmware_ requires will overflow the kernel-allocated buffer and leak data to userspace.

BUG: KASAN: slab-out-of-bounds in instrument_copy_to_user ../include/linux/instrumented.h:129 [inline]
BUG: KASAN: slab-out-of-bounds in _inline_copy_to_user ../include/linux/uaccess.h:205 [inline]
BUG: KASAN: slab-out-of-bounds in _copy_to_user+0x66/0xa0 ../lib/usercopy.c:26
Read of size 2084 at addr ffff898144612e20 by task syz.9.219/21405

CPU: 14 UID: 0 PID: 21405 Comm: syz.9.219 Tainted: G U O 7.0.0-smp-DEV #28 PREEMPTLAZY
Tainted: [U]=USER, [O]=OOT_MODULE
Hardware name: Google, Inc. Arcadia_IT_80/Arcadia_IT_80, BIOS 12.62.0-0 11/19/2025
Call Trace:
<TASK>
dump_stack_lvl+0xc5/0x110 ../lib/dump_stack.c:120
print_address_description ../mm/kasan/report.c:378 [inline]
print_report+0xbc/0x260 ../mm/kasan/report.c:482
kasan_report+0xa2/0xe0 ../mm/kasan/report.c:595
check_region_inline ../mm/kasan/generic.c:-1 [inline]
kasan_check_range+0x264/0x2c0 ../mm/kasan/generic.c:200
instrument_copy_to_user ../include/linux/instrumented.h:129 [inline]
_inline_copy_to_user ../include/linux/uaccess.h:205 [inline]
_copy_to_user+0x66/0xa0 ../lib/usercopy.c:26
copy_to_user ../include/linux/uaccess.h:236 [inline]
sev_ioctl_do_pek_csr+0x31f/0x590 ../drivers/crypto/ccp/sev-dev.c:1872
sev_ioctl+0x3a4/0x490 ../drivers/crypto/ccp/sev-dev.c:2562
vfs_ioctl ../fs/ioctl.c:51 [inline]
__do_sys_ioctl ../fs/ioctl.c:597 [inline]
__se_sys_ioctl+0x11d/0x1b0 ../fs/ioctl.c:583
do_syscall_x64 ../arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xe0/0x800 ../arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x76/0x7e
</TASK>

WARN if the driver says the command succeeded, but the firmware error code says otherwise, as __sev_do_cmd_locked() is expected to return -EIO on any firmware error.
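To show why the fix has to check the command result before calling copy_to_user(), here is a small added C model of the logic the advisory describes; it is not the kernel's code, and fw_pek_csr, copy_to_user_checked, the FW_* codes and struct pek_csr_req are constructed stand-ins. The pre-fix path copies the firmware-rewritten length out of a kernel buffer sized by the caller's original length; the fixed path bails out on any firmware failure and also refuses the WARN case (success reported alongside a firmware error code).

```c
#include <errno.h>
#include <stddef.h>

/* Constructed stand-ins (not the kernel's identifiers) for PSP firmware result codes. */
#define FW_OK          0
#define FW_INVALID_LEN 4
/* Length the firmware needs for the CSR; 2084 is the "Read of size" in the KASAN report. */
#define FW_CSR_LEN 2084u

/* Stand-in for the ioctl argument: userspace supplies length, firmware fills in error. */
struct pek_csr_req { size_t length; unsigned int error; };

/* Stand-in for __sev_do_cmd_locked(): with a too-short buffer the firmware rewrites
 * length to what it needs, sets the error code, and the driver returns -EIO. */
static int fw_pek_csr(struct pek_csr_req *req)
{
    if (req->length < FW_CSR_LEN) {
        req->length = FW_CSR_LEN;
        req->error = FW_INVALID_LEN;
        return -EIO;
    }
    req->error = FW_OK;
    return 0;
}

/* Stand-in for copy_to_user() that compares the requested size with the kernel
 * buffer's real size and reports an overrun instead of performing it. */
static int copy_to_user_checked(size_t kbuf_len, size_t n)
{
    return n > kbuf_len ? -EOVERFLOW : 0;
}

/* user_len is both the caller's length and the size of the kmalloc'd kernel blob.
 * Returns 0 on success, -EIO on firmware failure, or -EOVERFLOW when the pre-fix
 * path would have read past the end of the kernel buffer. */
static int do_pek_csr(size_t user_len, int fixed)
{
    struct pek_csr_req req = { .length = user_len, .error = FW_OK };
    int ret = fw_pek_csr(&req);

    if (fixed) {
        if (ret)                  /* the fix: never copy after a failed command */
            return ret;
        if (req.error != FW_OK)   /* the WARN case: "success" with a firmware error */
            return -EIO;
    }
    /* Pre-fix behaviour: copy req.length bytes, which firmware may have grown past user_len. */
    return copy_to_user_checked(user_len, req.length);
}
```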
Meta Information
Published: 2026-05-01
Last Modified: 2026-05-06
Generated: 2026-05-07
AI Q&A: 2026-05-01
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (6 associated CPEs)

Vendor   Product        Version / Range
linux    linux_kernel   From 6.7 (inc) to 6.12.84 (exc)
linux    linux_kernel   7.1
linux    linux_kernel   7.1
linux    linux_kernel   From 6.13 (inc) to 6.18.25 (exc)
linux    linux_kernel   From 6.19 (inc) to 7.0.2 (exc)
linux    linux_kernel   From 4.16 (inc) to 6.6.136 (exc)
CWE
CWE-787: The product writes data past the end, or before the beginning, of the intended buffer.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's crypto CCP driver when retrieving the PEK CSR (Certificate Signing Request). If the firmware command to get the CSR fails due to an invalid length (meaning the userspace buffer is too small), the kernel incorrectly attempts to copy more data than the allocated buffer size. This causes a buffer overflow in the kernel memory and can leak sensitive data to userspace.


How can this vulnerability impact me?

The vulnerability can lead to a kernel buffer overflow and data leakage. Specifically, if exploited, it may allow unauthorized userspace processes to access kernel memory contents that should be protected, potentially exposing sensitive information and compromising system security.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves a kernel buffer overflow triggered when the firmware command to retrieve the PEK CSR fails but the driver attempts to copy data to userspace regardless. Detection would involve monitoring kernel logs for related error messages or warnings.

Specifically, look for kernel warnings or BUG reports mentioning slab-out-of-bounds errors in functions like instrument_copy_to_user, _copy_to_user, or sev_ioctl related to the crypto CCP driver.

Commands to check kernel logs for such errors include:

  • dmesg | grep -i 'slab-out-of-bounds'
  • journalctl -k | grep -i 'sev_ioctl'
  • journalctl -k | grep -i 'kasan_report'

Additionally, monitoring for unexpected firmware error codes or ioctl failures related to the CCP crypto driver may help detect attempts to exploit this issue.


What immediate steps should I take to mitigate this vulnerability?

The vulnerability has been resolved by ensuring that the kernel does not attempt to copy the CSR to userspace if the firmware command failed, preventing buffer overflow and data leakage.

Immediate mitigation steps include:

  • Update the Linux kernel to a version that includes the fix for this vulnerability.
  • Avoid using or disable the affected crypto CCP driver functionality if an immediate kernel update is not possible.
  • Monitor kernel logs for related errors to detect any exploitation attempts.

Applying the official patch or upgrading to a kernel release that contains the fix (the exclusive upper bounds in the affected-version ranges above) is the most effective way to mitigate this issue.

