7.1

CVE-2026-31470

EPSS 0.01%
Veröffentlicht 22.04.2026 14:16:43
Zuletzt bearbeitet 07.05.2026 17:39:34
Quelle 416baaa9-dc9f-4396-8d5f-8c081f
CVE-Watchlists
Login
Unerledigt
Login

virt: tdx-guest: Fix handling of host controlled 'quote' buffer length

In the Linux kernel, the following vulnerability has been resolved:

virt: tdx-guest: Fix handling of host controlled 'quote' buffer length

Validate host controlled value `quote_buf->out_len` that determines how
many bytes of the quote are copied out to guest userspace. In TDX
environments with remote attestation, quotes are not considered private,
and can be forwarded to an attestation server.

Catch scenarios where the host specifies a response length larger than
the guest's allocation, or otherwise races modifying the response while
the guest consumes it.

This prevents contents beyond the pages allocated for `quote_buf`
(up to TSM_REPORT_OUTBLOB_MAX) from being read out to guest userspace,
and possibly forwarded in attestation requests.

Recall that some deployments want per-container configs-tsm-report
interfaces, so the leak may cross container protection boundaries, not
just local root.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 7

NVD 8 VulnDex Vulnerability Enrichment 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Linux ≫ Linux Kernel Version >= 6.7 < 6.12.80

Linux ≫ Linux Kernel Version >= 6.13 < 6.18.21

Linux ≫ Linux Kernel Version >= 6.19 < 6.19.11

Linux ≫ Linux Kernel Version7.0 Updaterc1

Linux ≫ Linux Kernel Version7.0 Updaterc2

Linux ≫ Linux Kernel Version7.0 Updaterc3

Linux ≫ Linux Kernel Version7.0 Updaterc4

Linux ≫ Linux Kernel Version7.0 Updaterc5

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.01%	0.024

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
416baaa9-dc9f-4396-8d5f-8c081fb06d67	7.1	1.8	5.2	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

CWE-787 Out-of-bounds Write

The product writes data past the end, or before the beginning, of the intended buffer.

https://git.kernel.org/stable/c/02ca2d9d197723696cb9cc0cb159eb7e8bf5f89b

Patch

https://git.kernel.org/stable/c/6f3c8795ae9ba74fa10fe979293d1904712d3fb1

Patch

https://git.kernel.org/stable/c/a079a62883e3365de592cea9f7a669d8115433b0

Patch

https://git.kernel.org/stable/c/c3fd16c3b98ed726294feab2f94f876290bf7b61

Patch

https://nvd.nist.gov/vuln/detail/CVE-2026-31470

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-31470

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-31470

EUVD