7.8

CVE-2026-52959

virt: sev-guest: Do not use host-controlled page order in cleanup path

In the Linux kernel, the following vulnerability has been resolved:

virt: sev-guest: Do not use host-controlled page order in cleanup path

When issuing an extended guest request (SVM_VMGEXIT_EXT_GUEST_REQUEST),
get_ext_report() allocates a buffer to retrieve a certificate blob from the
host, keeping track of its size in report_req->certs_len.

However, the host may return SNP_GUEST_VMM_ERR_INVALID_LEN, indicating
an invalid buffer size, as well as the expected length of such buffer.
get_ext_report() subsequently updates report_req->certs_len with the
host-controlled value, and cleans up the buffer by computing a page order
from such value. This is incorrect, as the host-provided length may not
match the page order of the original allocation, potentially resulting
in corruption in the page allocator.

Fix this by using alloc_pages_exact() instead, and reusing @npages to
compute the size passed to free_pages_exact(). For consistency, also
use @npages to compute the size when allocating the pages, even though
this last change has no functional effect.
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
HerstellerLinux
Produkt Linux
Default Statusunaffected
Version 3e385c0d6ce88ac9916dcf84267bd5855d830748
Version < 3f6fb0211b39aaa1b841260681dd02ca6b693ed5
Status affected
Version 3e385c0d6ce88ac9916dcf84267bd5855d830748
Version < 9e48b4f813d2c3db75d522aa82ab705ce04b7e2d
Status affected
Version 3e385c0d6ce88ac9916dcf84267bd5855d830748
Version < 23e6a1ca04ae44806439a5a446e62e4d42e80bb4
Status affected
Version 0b16521f95c875e79d657cb8d6911c15080dbb80
Status affected
Version 6.13.8
Version < 6.14
Status affected
HerstellerLinux
Produkt Linux
Default Statusaffected
Version 6.14
Status affected
Version 0
Version < 6.14
Status unaffected
Version <= 6.18.*
Version 6.18.33
Status unaffected
Version <= 7.0.*
Version 7.0.10
Status unaffected
Version <= *
Version 7.1
Status unaffected
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.09% 0.007
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
416baaa9-dc9f-4396-8d5f-8c081fb06d67 7.8 1.8 5.9
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Es wurden noch keine Informationen zu CWE veröffentlicht.
https://git.kernel.org/stable/c/3f6fb0211b39aaa1b841260681dd02ca6b693ed5
https://git.kernel.org/stable/c/9e48b4f813d2c3db75d522aa82ab705ce04b7e2d
https://git.kernel.org/stable/c/23e6a1ca04ae44806439a5a446e62e4d42e80bb4