{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31590", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-03-09T15:48:24.120Z", "datePublished": "2026-04-24T14:42:17.629Z", "dateUpdated": "2026-05-11T22:11:43.972Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:11:43.972Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: SEV: Drop WARN on large size for KVM_MEMORY_ENCRYPT_REG_REGION\n\nDrop the WARN in sev_pin_memory() on npages overflowing an int, as the\nWARN is comically trivially to trigger from userspace, e.g. by doing:\n\n struct kvm_enc_region range = {\n .addr = 0,\n .size = -1ul,\n };\n\n __vm_ioctl(vm, KVM_MEMORY_ENCRYPT_REG_REGION, &range);\n\nNote, the checks in sev_mem_enc_register_region() that presumably exist to\nverify the incoming address+size are completely worthless, as both \"addr\"\nand \"size\" are u64s and SEV is 64-bit only, i.e. they _can't_ be greater\nthan ULONG_MAX. That wart will be cleaned up in the near future.\n\n\tif (range->addr > ULONG_MAX || range->size > ULONG_MAX)\n\t\treturn -EINVAL;\n\nOpportunistically add a comment to explain why the code calculates the\nnumber of pages the \"hard\" way, e.g. instead of just shifting @ulen."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["arch/x86/kvm/svm/sev.c"], "versions": [{"version": "78824fabc72e5e37d51e6e567fde70a4fc41a6d7", "lessThan": "b670833749ffd8681361db2bb047c6f2e3075f3a", "status": "affected", "versionType": "git"}, {"version": "78824fabc72e5e37d51e6e567fde70a4fc41a6d7", "lessThan": "ab423e5892826202a660b5ac85d1125b0e8301a5", "status": "affected", "versionType": "git"}, {"version": "78824fabc72e5e37d51e6e567fde70a4fc41a6d7", "lessThan": "28cc13ca20431b127d42d84ba10898d03e2c8267", "status": "affected", "versionType": "git"}, {"version": "78824fabc72e5e37d51e6e567fde70a4fc41a6d7", "lessThan": "c29ff288a2d97a6f4640a498a367cf0eb91312eb", "status": "affected", "versionType": "git"}, {"version": "78824fabc72e5e37d51e6e567fde70a4fc41a6d7", "lessThan": "1cba4dcd795daf6d257122779fb6a349edf03914", "status": "affected", "versionType": "git"}, {"version": "78824fabc72e5e37d51e6e567fde70a4fc41a6d7", "lessThan": "8acffeef5ef720c35e513e322ab08e32683f32f2", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["arch/x86/kvm/svm/sev.c"], "versions": [{"version": "5.9", "status": "affected"}, {"version": "0", "lessThan": "5.9", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.136", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.83", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.24", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.14", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0.1", "lessThanOrEqual": "7.0.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.1-rc1", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.9", "versionEndExcluding": "6.6.136"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.9", "versionEndExcluding": "6.12.83"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.9", "versionEndExcluding": "6.18.24"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.9", "versionEndExcluding": "6.19.14"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.9", "versionEndExcluding": "7.0.1"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.9", "versionEndExcluding": "7.1-rc1"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/b670833749ffd8681361db2bb047c6f2e3075f3a"}, {"url": "https://git.kernel.org/stable/c/ab423e5892826202a660b5ac85d1125b0e8301a5"}, {"url": "https://git.kernel.org/stable/c/28cc13ca20431b127d42d84ba10898d03e2c8267"}, {"url": "https://git.kernel.org/stable/c/c29ff288a2d97a6f4640a498a367cf0eb91312eb"}, {"url": "https://git.kernel.org/stable/c/1cba4dcd795daf6d257122779fb6a349edf03914"}, {"url": "https://git.kernel.org/stable/c/8acffeef5ef720c35e513e322ab08e32683f32f2"}], "title": "KVM: SEV: Drop WARN on large size for KVM_MEMORY_ENCRYPT_REG_REGION", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "5F07F4AC-C44A-486A-9422-D8975351BA25", "versionEndExcluding": "6.6.136", "versionStartIncluding": "5.9", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "7F0AE5B5-23AC-4DCC-B37A-51CA1DAE7BA8", "versionEndExcluding": "6.12.83", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "8126B8B8-6D0B-4443-86C1-672AEE893555", "versionEndExcluding": "6.18.24", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "D6A8A074-BBF4-4803-ABED-519A839435BB", "versionEndExcluding": "6.19.14", "versionStartIncluding": "6.19", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "9B5888AB-7403-4335-89E4-21CC0B48366A", "versionEndExcluding": "7.0.1", "versionStartIncluding": "7.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: SEV: Drop WARN on large size for KVM_MEMORY_ENCRYPT_REG_REGION\n\nDrop the WARN in sev_pin_memory() on npages overflowing an int, as the\nWARN is comically trivially to trigger from userspace, e.g. by doing:\n\n struct kvm_enc_region range = {\n .addr = 0,\n .size = -1ul,\n };\n\n __vm_ioctl(vm, KVM_MEMORY_ENCRYPT_REG_REGION, &range);\n\nNote, the checks in sev_mem_enc_register_region() that presumably exist to\nverify the incoming address+size are completely worthless, as both \"addr\"\nand \"size\" are u64s and SEV is 64-bit only, i.e. they _can't_ be greater\nthan ULONG_MAX. That wart will be cleaned up in the near future.\n\n\tif (range->addr > ULONG_MAX || range->size > ULONG_MAX)\n\t\treturn -EINVAL;\n\nOpportunistically add a comment to explain why the code calculates the\nnumber of pages the \"hard\" way, e.g. instead of just shifting @ulen."}], "id": "CVE-2026-31590", "lastModified": "2026-04-28T20:38:52.100", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-24T15:16:36.170", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/1cba4dcd795daf6d257122779fb6a349edf03914"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/28cc13ca20431b127d42d84ba10898d03e2c8267"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/8acffeef5ef720c35e513e322ab08e32683f32f2"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/ab423e5892826202a660b5ac85d1125b0e8301a5"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/b670833749ffd8681361db2bb047c6f2e3075f3a"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/c29ff288a2d97a6f4640a498a367cf0eb91312eb"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: KVM: SEV: Drop WARN on large size for KVM_MEMORY_ENCRYPT_REG_REGION", "id": "2461540", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2461540"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-190", "details": ["A flaw was found in the Linux kernel, specifically within the Kernel-based Virtual Machine (KVM) subsystem's Secure Encrypted Virtualization (SEV) feature. A local user could exploit this vulnerability by providing an excessively large memory region size when using the KVM_MEMORY_ENCRYPT_REG_REGION command. This action could trigger a kernel warning, potentially leading to system instability or consuming excessive system resources. The primary impact of this flaw is a Denial of Service (DoS), where legitimate system operations could be disrupted."], "name": "CVE-2026-31590", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-24T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-31590\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31590\nhttps://lore.kernel.org/linux-cve-announce/2026042414-CVE-2026-31590-a7e3@gregkh/T"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[78824fabc72e5e37d51e6e567fde70a4fc41a6d7,b670833749ffd8681361db2bb047c6f2e3075f3a)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[78824fabc72e5e37d51e6e567fde70a4fc41a6d7,ab423e5892826202a660b5ac85d1125b0e8301a5)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[78824fabc72e5e37d51e6e567fde70a4fc41a6d7,28cc13ca20431b127d42d84ba10898d03e2c8267)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[78824fabc72e5e37d51e6e567fde70a4fc41a6d7,c29ff288a2d97a6f4640a498a367cf0eb91312eb)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[78824fabc72e5e37d51e6e567fde70a4fc41a6d7,1cba4dcd795daf6d257122779fb6a349edf03914)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[78824fabc72e5e37d51e6e567fde70a4fc41a6d7,8acffeef5ef720c35e513e322ab08e32683f32f2)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "5.9"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,5.9)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.6.136,6.7.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.83,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.24,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.14,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[7.0-1.0,7.1.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.1-rc1,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-29T01:40:52.880276+00:00", "value": {"mitigation_remediation": ["Upgrade the Linux kernel to a version that includes the CVE\u20112026\u201131590 fix", "Add input validation on the address and size fields of the KVM_MEMORY_ENCRYPT_REG_REGION ioctl before registration", "Audit and monitor the host for anomalous KVM_MEMORY_ENCRYPT_REG_REGION calls, restricting execution to trusted privileged processes"], "summary": {"action": "Apply Patch", "impact": "Integer Overflow / Improper Input Validation"}, "threat_synthesis": {"affected_systems": "All Linux kernel releases that include the KVM\u00a0SEV\u00a0implementation and contain the vulnerable code path are affected. No version range is specified in the CNA data, so any kernel older than the release that introduced the fix for CVE\u20112026\u201131590 is potentially impacted.", "description_and_impact": "In the Linux kernel\u2019s\u00a0KVM\u00a0Secure Encrypted Virtualization subsystem, an integer overflow occurs when the number of pages that a memory region will occupy is calculated. The kernel emits a warning if the computed page count exceeds the size of a signed 32\u2011bit integer. A user with the ability to invoke the\u00a0KVM_MEMORY_ENCRYPT_REG_REGION\u00a0ioctl can deliberately trigger this condition by passing a negative size value. The overflow itself does not provide arbitrary code execution, privilege escalation, or direct data disclosure; it merely results in a warning message.", "risk_and_exploitability": "The CVSS base score of\u00a05.5\u00a0indicates a moderate impact. The EPSS score of\u00a0<\u00a01\u202f%\u00a0suggests a very low probability that the flaw will be actively exploited. The vulnerability is not listed in CISA\u2019s KEV catalog. To exploit the flaw an attacker must have privileged (root or equivalent) access to the host to issue the ioctl; non\u2011privileged users cannot trigger it. Consequently, the overall risk is moderate but the likelihood of successful exploitation remains low."}}}}, "created": "2026-04-27T19:00:15.654031+00:00", "updated": "2026-04-29T01:45:26.028515+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}