CVE-2026-52959
Received - Intake
BaseFortify

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

virt: sev-guest: Do not use host-controlled page order in cleanup path

When issuing an extended guest request (SVM_VMGEXIT_EXT_GUEST_REQUEST), get_ext_report() allocates a buffer to retrieve a certificate blob from the host, keeping track of its size in report_req->certs_len.

However, the host may return SNP_GUEST_VMM_ERR_INVALID_LEN, indicating an invalid buffer size, as well as the expected length of such buffer. get_ext_report() subsequently updates report_req->certs_len with the host-controlled value, and cleans up the buffer by computing a page order from such value.

This is incorrect, as the host-provided length may not match the page order of the original allocation, potentially resulting in corruption in the page allocator.

Fix this by using alloc_pages_exact() instead, and reusing @npages to compute the size passed to free_pages_exact(). For consistency, also use @npages to compute the size when allocating the pages, even though this last change has no functional effect.

Meta Information
Published: 2026-06-24
Last Modified: 2026-06-24
Generated: 2026-06-25
AI Q&A: 2026-06-24
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 1 associated CPE
Vendor: linux
Product: linux_kernel
Version / Range: *
CWE ID: CWE-UNKNOWN
Executive Summary

This vulnerability exists in the Linux kernel's sev-guest driver (virt: sev-guest), specifically in the cleanup path of get_ext_report() when handling extended guest requests (SVM_VMGEXIT_EXT_GUEST_REQUEST).

When get_ext_report() requests a certificate blob from the host, it allocates a buffer and tracks its size in report_req->certs_len. However, the host can respond with SNP_GUEST_VMM_ERR_INVALID_LEN, indicating an invalid buffer size, and provide the length it expects instead.

The vulnerability arises because get_ext_report() overwrites report_req->certs_len with this host-controlled length and then uses it to compute the page order for cleanup. Since this length may not match the page order of the original allocation, freeing the buffer can cause corruption in the page allocator.

The fix switches the allocation to alloc_pages_exact() and reuses the original page count (npages) to compute the size passed to free_pages_exact(), so the freed size no longer depends on a value the host can change.
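
A user-space model of the size arithmetic described above, added here as an example and not taken from the kernel source or the patch. simulate(), struct sim and model_get_order() are hypothetical names, PAGE_SHIFT is assumed to be 12, and the lengths are constructed, page-aligned values; the model compares the size the cleanup path hands to the allocator with the size that was allocated, before and after the fix.

```c
#include <stddef.h>
#include <stdio.h>

#define PAGE_SHIFT 12
#define PAGE_SIZE  ((size_t)1 << PAGE_SHIFT)

/* Same contract as the kernel's get_order(): smallest order such that
 * (PAGE_SIZE << order) >= size. Hypothetical user-space re-implementation. */
static unsigned int model_get_order(size_t size)
{
    unsigned int order = 0;
    while ((PAGE_SIZE << order) < size)
        order++;
    return order;
}

struct sim { size_t allocated; size_t freed; };  /* bytes, hypothetical */
/* One extended guest request in which the host answers
 * SNP_GUEST_VMM_ERR_INVALID_LEN and reports host_len as the expected size.
 * fixed == 0: order-based alloc/free, order recomputed from certs_len.
 * fixed == 1: exact-size alloc/free, both sized from npages. */
static struct sim simulate(size_t guest_len, size_t host_len, int fixed)
{
    size_t certs_len = guest_len;              /* guest-chosen, page-aligned */
    size_t npages = certs_len >> PAGE_SHIFT;   /* fixed at allocation time */
    struct sim s;
    s.allocated = fixed ? npages << PAGE_SHIFT
                        : PAGE_SIZE << model_get_order(certs_len);
    certs_len = host_len;                      /* host-controlled overwrite */
    s.freed = fixed ? npages << PAGE_SHIFT
                    : PAGE_SIZE << model_get_order(certs_len);
    return s;
}

int main(void)
{
    /* Constructed {guest_len, host_len} pairs, all page-aligned. */
    size_t cases[][2] = { {0x1000, 0x4000}, {0x3000, 0x1000}, {0x2000, 0x2000} };
    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        for (int fixed = 0; fixed <= 1; fixed++) {
            struct sim s = simulate(cases[i][0], cases[i][1], fixed);
            printf("guest=%#zx host=%#zx %s: allocated=%zu freed=%zu %s\n",
                   cases[i][0], cases[i][1], fixed ? "after " : "before",
                   s.allocated, s.freed,
                   s.allocated == s.freed ? "ok" : "MISMATCH");
        }
    }
    return 0;
}
```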

Impact Analysis

This vulnerability can lead to corruption in the Linux kernel's page allocator due to improper handling of buffer sizes during cleanup.

Such corruption may cause system instability, crashes, or potentially allow an attacker to exploit the corrupted memory management to execute arbitrary code or escalate privileges.

Mitigation Strategies

The vulnerability has been resolved in the Linux kernel by changing the way memory pages are allocated and freed in the SEV-guest code path. To mitigate this vulnerability, you should update your Linux kernel to a version that includes this fix.

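Specifically, ensure your system is running a kernel version released on or after 2026-06-24 that incorporates the patch, which uses alloc_pages_exact() and computes the freed size from the original page count to avoid corruption. A release date alone does not confirm the fix is present; check the kernel changelog for the commit titled "virt: sev-guest: Do not use host-controlled page order in cleanup path".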
