{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31553", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-03-09T15:48:24.115Z", "datePublished": "2026-04-24T14:35:37.828Z", "dateUpdated": "2026-05-11T22:11:00.473Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:11:00.473Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: arm64: Fix the descriptor address in __kvm_at_swap_desc()\n\nUsing \"(u64 __user *)hva + offset\" to get the virtual addresses of S1/S2\ndescriptors looks really wrong, if offset is not zero. What we want to get\nfor swapping is hva + offset, not hva + offset*8. ;-)\n\nFix it."}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH"}}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["arch/arm64/kvm/at.c"], "versions": [{"version": "f6927b41d57390c597a126063e2e518911976878", "lessThan": "4307e05e568782fc92eff651b09ee5dee88a058d", "status": "affected", "versionType": "git"}, {"version": "f6927b41d57390c597a126063e2e518911976878", "lessThan": "0496acc42fb51eee040b5170cec05cec41385540", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["arch/arm64/kvm/at.c"], "versions": [{"version": "6.19", "status": "affected"}, {"version": "0", "lessThan": "6.19", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.11", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "6.19.11"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/4307e05e568782fc92eff651b09ee5dee88a058d"}, {"url": "https://git.kernel.org/stable/c/0496acc42fb51eee040b5170cec05cec41385540"}], "title": "KVM: arm64: Fix the descriptor address in __kvm_at_swap_desc()", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "5054C854-C253-4020-BD2E-2BDA121E424C", "versionEndExcluding": "6.19.11", "versionStartIncluding": "6.19.1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:-:*:*:*:*:*:*", "matchCriteriaId": "35C8A871-4971-433E-A046-FC9F7B7D190A", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*", "matchCriteriaId": "58A9FEFF-C040-420D-8F0A-BFDAAA1DF258", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*", "matchCriteriaId": "1D2315C0-D46F-4F85-9754-F9E5E11374A6", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*", "matchCriteriaId": "512EE3A8-A590-4501-9A94-5D4B268D6138", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: arm64: Fix the descriptor address in __kvm_at_swap_desc()\n\nUsing \"(u64 __user *)hva + offset\" to get the virtual addresses of S1/S2\ndescriptors looks really wrong, if offset is not zero. What we want to get\nfor swapping is hva + offset, not hva + offset*8. ;-)\n\nFix it."}], "id": "CVE-2026-31553", "lastModified": "2026-04-27T20:15:03.240", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.0, "impactScore": 6.0, "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary"}]}, "published": "2026-04-24T15:16:29.633", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/0496acc42fb51eee040b5170cec05cec41385540"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/4307e05e568782fc92eff651b09ee5dee88a058d"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: KVM: arm64: Fix the descriptor address in __kvm_at_swap_desc()", "id": "2461560", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2461560"}, "csaw": false, "cwe": "CWE-468", "details": ["A flaw was found in the Linux kernel's KVM (Kernel-based Virtual Machine) component. Specifically, in the ARM64 architecture, an incorrect calculation of the descriptor address in the `__kvm_at_swap_desc()` function could lead to memory corruption. This vulnerability may allow an attacker to cause system instability or affect the integrity of virtual machines."], "name": "CVE-2026-31553", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-24T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-31553\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31553\nhttps://lore.kernel.org/linux-cve-announce/2026042456-CVE-2026-31553-0d39@gregkh/T"]}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[f6927b41d57390c597a126063e2e518911976878,4307e05e568782fc92eff651b09ee5dee88a058d)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[f6927b41d57390c597a126063e2e518911976878,0496acc42fb51eee040b5170cec05cec41385540)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "6.19"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,6.19)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.11,6.20.0]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-28T14:16:41.233969+00:00", "value": {"mitigation_remediation": ["Upgrade the kernel to a patched version that includes the __kvm_at_swap_desc() fix, such as Linux\u00a06.19.1 or any 7.x release beyond rc7.", "If upgrading cannot be performed immediately, disable KVM on affected hosts or restrict guest privileges to prevent access to legacy descriptor swaps.", "Alternatively, apply the specific kernel patch from commit 0496acc42fb51eee040b5170cec05cec41385540, rebuild, and deploy the updated kernel to the affected systems."], "summary": {"action": "Patch Kernel", "impact": "Privilege escalation via KVM memory corruption"}, "threat_synthesis": {"affected_systems": "The flaw affects the Linux kernel on arm64 for all builds 6.19 and the 7.0 release candidates (rc1 through rc7). It is relevant for any Linux distribution that ships these kernel versions and has KVM enabled.", "description_and_impact": "KVM for arm64 contains a bug in the __kvm_at_swap_desc() routine where a descriptor address is calculated incorrectly. The code uses (u64 __user *)hva + offset instead of hva + offset, which can cause memory corruption when offset is non\u2011zero. This flaw could enable an attacker to corrupt kernel memory or execute arbitrary code within the KVM environment, leading to privilege escalation on the host.", "risk_and_exploitability": "The CVSS score of 8.8 indicates high severity, while the EPSS score of less than 1% suggests a low current likelihood of exploitation. The vulnerability is not listed in CISA's KEV catalog, implying no known active exploits. Inference: the flaw is in the KVM core and could be triggered by a guest with sufficient privileges or by a local attacker able to manipulate virtual memory offsets. As a result, the risk remains significant for environments running KVM on the affected kernel releases."}}}}, "created": "2026-04-27T19:15:11.617610+00:00", "updated": "2026-04-28T14:30:33.739755+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}