CVE-2026-52968
Analyzed Analyzed - Analysis Complete

KVM s390 PCI GAIT Table Indexing Vulnerability

Vulnerability report for CVE-2026-52968, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-24

Last updated on: 2026-07-14

Assigner: kernel.org

Description

In the Linux kernel, the following vulnerability has been resolved: KVM: s390: pci: fix GAIT table indexing due to double-scaling pointer arithmetic kvm_s390_pci_aif_enable(), kvm_s390_pci_aif_disable(), and aen_host_forward() index the GAIT by manually multiplying the index with sizeof(struct zpci_gaite). Since aift->gait is already a struct zpci_gaite pointer, this double-scales the offset, accessing element aisb*16 instead of aisb. This causes out-of-bounds accesses when aisb >= 32 (with ZPCI_NR_DEVICES=512) Fix by removing the erroneous sizeof multiplication.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-24
Last Modified
2026-07-14
Generated
2026-07-15
AI Q&A
2026-06-24
EPSS Evaluated
2026-07-13
NVD
EUVD

Affected Vendors & Products

Showing 8 associated CPEs
Vendor Product Version / Range
linux linux_kernel 7.1
linux linux_kernel 7.1
linux linux_kernel 7.1
linux linux_kernel From 6.2 (inc) to 6.6.141 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.91 (exc)
linux linux_kernel From 6.13 (inc) to 6.18.33 (exc)
linux linux_kernel From 6.19 (inc) to 7.0.10 (exc)
linux linux_kernel From 6.0 (inc) to 6.1.175 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's KVM s390 PCI code where certain functions incorrectly calculate an index into the GAIT table. Specifically, the functions kvm_s390_pci_aif_enable(), kvm_s390_pci_aif_disable(), and aen_host_forward() multiply the index by the size of the struct zpci_gaite, even though the pointer is already of that type. This results in a double scaling of the pointer arithmetic, causing out-of-bounds memory accesses when the index (aisb) is 32 or greater.

The issue is fixed by removing the erroneous multiplication by sizeof(struct zpci_gaite), preventing the out-of-bounds access.

Impact Analysis

This vulnerability can cause out-of-bounds memory accesses in the Linux kernel's KVM s390 PCI subsystem. Such out-of-bounds accesses may lead to system instability, crashes, or potentially allow an attacker to execute arbitrary code or cause denial of service, depending on the context and exploitability.

Mitigation Strategies

The vulnerability is fixed by correcting the pointer arithmetic in the Linux kernel's KVM s390 PCI code. To mitigate this vulnerability, you should update your Linux kernel to a version that includes this fix.

Specifically, apply the patch that removes the erroneous sizeof multiplication in the functions kvm_s390_pci_aif_enable(), kvm_s390_pci_aif_disable(), and aen_host_forward().

Until the update is applied, avoid running workloads that could trigger out-of-bounds accesses related to the GAIT table indexing on s390 KVM PCI devices.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-52968. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart