7.8
CVE-2026-52959
- EPSS 0.09%
- Veröffentlicht 24.06.2026 16:28:40
- Zuletzt bearbeitet 10.07.2026 19:23:34
- Quelle 416baaa9-dc9f-4396-8d5f-8c081f
- CVE-Watchlists
- Unerledigt
virt: sev-guest: Do not use host-controlled page order in cleanup path
In the Linux kernel, the following vulnerability has been resolved: virt: sev-guest: Do not use host-controlled page order in cleanup path When issuing an extended guest request (SVM_VMGEXIT_EXT_GUEST_REQUEST), get_ext_report() allocates a buffer to retrieve a certificate blob from the host, keeping track of its size in report_req->certs_len. However, the host may return SNP_GUEST_VMM_ERR_INVALID_LEN, indicating an invalid buffer size, as well as the expected length of such buffer. get_ext_report() subsequently updates report_req->certs_len with the host-controlled value, and cleans up the buffer by computing a page order from such value. This is incorrect, as the host-provided length may not match the page order of the original allocation, potentially resulting in corruption in the page allocator. Fix this by using alloc_pages_exact() instead, and reusing @npages to compute the size passed to free_pages_exact(). For consistency, also use @npages to compute the size when allocating the pages, even though this last change has no functional effect.
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
HerstellerLinux
≫
Produkt
Linux
Default Statusunaffected
Version
3e385c0d6ce88ac9916dcf84267bd5855d830748
Version <
3f6fb0211b39aaa1b841260681dd02ca6b693ed5
Status
affected
Version
3e385c0d6ce88ac9916dcf84267bd5855d830748
Version <
9e48b4f813d2c3db75d522aa82ab705ce04b7e2d
Status
affected
Version
3e385c0d6ce88ac9916dcf84267bd5855d830748
Version <
23e6a1ca04ae44806439a5a446e62e4d42e80bb4
Status
affected
Version
0b16521f95c875e79d657cb8d6911c15080dbb80
Status
affected
Version
6.13.8
Version <
6.14
Status
affected
HerstellerLinux
≫
Produkt
Linux
Default Statusaffected
Version
6.14
Status
affected
Version
0
Version <
6.14
Status
unaffected
Version <=
6.18.*
Version
6.18.33
Status
unaffected
Version <=
7.0.*
Version
7.0.10
Status
unaffected
Version <=
*
Version
7.1
Status
unaffected
VulnDex Vulnerability Enrichment
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.09% | 0.007 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | 7.8 | 1.8 | 5.9 |
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
https://git.kernel.org/stable/c/3f6fb0211b39aaa1b841260681dd02ca6b693ed5
https://git.kernel.org/stable/c/9e48b4f813d2c3db75d522aa82ab705ce04b7e2d
https://git.kernel.org/stable/c/23e6a1ca04ae44806439a5a446e62e4d42e80bb4