{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31569", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-03-09T15:48:24.117Z", "datePublished": "2026-04-24T14:35:48.768Z", "dateUpdated": "2026-05-11T22:11:19.509Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:11:19.509Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nLoongArch: KVM: Handle the case that EIOINTC's coremap is empty\n\nEIOINTC's coremap in eiointc_update_sw_coremap() can be empty, currently\nwe get a cpuid with -1 in this case, but we actually need 0 because it's\nsimilar as the case that cpuid >= 4.\n\nThis fix an out-of-bounds access to kvm_arch::phyid_map::phys_map[]."}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:H", "baseScore": 7.3, "baseSeverity": "HIGH"}}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["arch/loongarch/kvm/intc/eiointc.c"], "versions": [{"version": "3956a52bc05bd811082a3c9d2b423ee957e6fefc", "lessThan": "126053d0a685bf1f2e98db8966386f38b2336338", "status": "affected", "versionType": "git"}, {"version": "3956a52bc05bd811082a3c9d2b423ee957e6fefc", "lessThan": "2a0cbcd28ecf6e0b88fa498bebb94bd1be61a7c3", "status": "affected", "versionType": "git"}, {"version": "3956a52bc05bd811082a3c9d2b423ee957e6fefc", "lessThan": "b97bd69eb0f67b5f961b304d28e9ba45e202d841", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["arch/loongarch/kvm/intc/eiointc.c"], "versions": [{"version": "6.13", "status": "affected"}, {"version": "0", "lessThan": "6.13", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.21", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.11", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.18.21"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.19.11"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/126053d0a685bf1f2e98db8966386f38b2336338"}, {"url": "https://git.kernel.org/stable/c/2a0cbcd28ecf6e0b88fa498bebb94bd1be61a7c3"}, {"url": "https://git.kernel.org/stable/c/b97bd69eb0f67b5f961b304d28e9ba45e202d841"}], "title": "LoongArch: KVM: Handle the case that EIOINTC's coremap is empty", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "539740A6-2448-4C77-8279-4E64A6FD93E4", "versionEndExcluding": "6.18.21", "versionStartIncluding": "6.13.1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "4CA2E747-A9EC-4518-9AA2-B4247FC748B7", "versionEndExcluding": "6.19.11", "versionStartIncluding": "6.19", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.13:-:*:*:*:*:*:*", "matchCriteriaId": "5A3F9505-6B98-4269-8B81-127E55A1BF00", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*", "matchCriteriaId": "58A9FEFF-C040-420D-8F0A-BFDAAA1DF258", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*", "matchCriteriaId": "1D2315C0-D46F-4F85-9754-F9E5E11374A6", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*", "matchCriteriaId": "512EE3A8-A590-4501-9A94-5D4B268D6138", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nLoongArch: KVM: Handle the case that EIOINTC's coremap is empty\n\nEIOINTC's coremap in eiointc_update_sw_coremap() can be empty, currently\nwe get a cpuid with -1 in this case, but we actually need 0 because it's\nsimilar as the case that cpuid >= 4.\n\nThis fix an out-of-bounds access to kvm_arch::phyid_map::phys_map[]."}], "id": "CVE-2026-31569", "lastModified": "2026-04-27T20:33:04.393", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.0, "impactScore": 4.7, "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary"}]}, "published": "2026-04-24T15:16:31.420", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/126053d0a685bf1f2e98db8966386f38b2336338"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/2a0cbcd28ecf6e0b88fa498bebb94bd1be61a7c3"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/b97bd69eb0f67b5f961b304d28e9ba45e202d841"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: LoongArch: KVM: Handle the case that EIOINTC's coremap is empty", "id": "2461444", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2461444"}, "csaw": false, "cwe": "CWE-823", "details": ["A flaw was found in the Linux kernel's Kernel-based Virtual Machine (KVM) component. When a specific internal data structure, known as EIOINTC's coremap, is empty, the system incorrectly processes a processor ID. This error can lead to an out-of-bounds memory access, meaning the system tries to read or write data beyond its allocated memory space. Such an issue could result in system instability, causing the system to crash, or potentially lead to the disclosure of sensitive information."], "name": "CVE-2026-31569", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-24T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-31569\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31569\nhttps://lore.kernel.org/linux-cve-announce/2026042401-CVE-2026-31569-41ce@gregkh/T"]}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[3956a52bc05bd811082a3c9d2b423ee957e6fefc,126053d0a685bf1f2e98db8966386f38b2336338)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[3956a52bc05bd811082a3c9d2b423ee957e6fefc,2a0cbcd28ecf6e0b88fa498bebb94bd1be61a7c3)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[3956a52bc05bd811082a3c9d2b423ee957e6fefc,b97bd69eb0f67b5f961b304d28e9ba45e202d841)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "6.13"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,6.13)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.21,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.11,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-28T14:10:51.519524+00:00", "value": {"mitigation_remediation": ["Upgrade the Linux kernel to a version that includes the patch (e.g., 6.13 or 7.0 RC7 or later).", "Verify that the KVM module for LoongArch is compiled and activated in the updated kernel.", "If immediate kernel upgrade is not possible, consider disabling or reconfiguring EIOINTC devices in KVM to avoid an empty coremap scenario until a patch is applied."], "summary": {"action": "Apply Patch", "impact": "Out-of-Bounds Memory Corruption"}, "threat_synthesis": {"affected_systems": "Affected by CVE\u20112026\u201131569 are Linux kernel releases 6.13 and all 7.0 release candidates (RC1 through RC7). The issue exists in the Linux:Linux vendor\u2019s kernel for the LoongArch architecture, any system running one of those kernel versions with KVM enabled.", "description_and_impact": "The vulnerability arises in the LoongArch KVM implementation when the EIOINTC controller\u2019s coremap is empty, causing eiointc_update_sw_coremap() to retrieve a cpuid of \u20131 instead of 0. This leads to an out\u2011of-bounds read into the kvm_arch::phyid_map::phys_map array, potentially corrupting kernel memory and compromising integrity. The flaw is a classic CWE\u2011125 out\u2011of\u2011bounds read that could be leveraged for privilege escalation within the kernel space.", "risk_and_exploitability": "The CVSS score of 7.3 indicates a high severity for local privilege escalation, while the EPSS score of less than 1% suggests the likelihood of exploitation is low at present, and the vulnerability is not listed in CISA KEV. Exploitation would require the attacker to run code or trigger operations in a LoongArch virtualized environment where KVM interacts with an EIOINTC that has an empty coremap; thus, the attack vector is likely local or requires privileged access to a virtual machine. The risk remains significant for environments that use the affected kernels in production, especially those deploying LoongArch KVM instances."}}}}, "created": "2026-04-27T19:00:15.752866+00:00", "updated": "2026-04-28T14:15:34.924347+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}