{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31591", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-03-09T15:48:24.120Z", "datePublished": "2026-04-24T14:42:18.276Z", "dateUpdated": "2026-05-11T22:11:45.160Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:11:45.160Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: SEV: Lock all vCPUs when synchronzing VMSAs for SNP launch finish\n\nLock all vCPUs when synchronizing and encrypting VMSAs for SNP guests, as\nallowing userspace to manipulate and/or run a vCPU while its state is being\nsynchronized would at best corrupt vCPU state, and at worst crash the host\nkernel.\n\nOpportunistically assert that vcpu->mutex is held when synchronizing its\nVMSA (the SEV-ES path already locks vCPUs)."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["arch/x86/kvm/svm/sev.c"], "versions": [{"version": "ad27ce155566f2b4400fa865859834592bd18777", "lessThan": "30fd9d8c82087742168db779929d8be0459b0716", "status": "affected", "versionType": "git"}, {"version": "ad27ce155566f2b4400fa865859834592bd18777", "lessThan": "4df77742e8b9a6b935bdf46f02fd0aca4d4ee7f5", "status": "affected", "versionType": "git"}, {"version": "ad27ce155566f2b4400fa865859834592bd18777", "lessThan": "c87938fc7d99a06a7e5477c45b4e5a4148f85d66", "status": "affected", "versionType": "git"}, {"version": "ad27ce155566f2b4400fa865859834592bd18777", "lessThan": "cb923ee6a80f4e604e6242a4702b59251e61a380", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["arch/x86/kvm/svm/sev.c"], "versions": [{"version": "6.11", "status": "affected"}, {"version": "0", "lessThan": "6.11", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.24", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.14", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0.1", "lessThanOrEqual": "7.0.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.1-rc1", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.11", "versionEndExcluding": "6.18.24"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.11", "versionEndExcluding": "6.19.14"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.11", "versionEndExcluding": "7.0.1"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.11", "versionEndExcluding": "7.1-rc1"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/30fd9d8c82087742168db779929d8be0459b0716"}, {"url": "https://git.kernel.org/stable/c/4df77742e8b9a6b935bdf46f02fd0aca4d4ee7f5"}, {"url": "https://git.kernel.org/stable/c/c87938fc7d99a06a7e5477c45b4e5a4148f85d66"}, {"url": "https://git.kernel.org/stable/c/cb923ee6a80f4e604e6242a4702b59251e61a380"}], "title": "KVM: SEV: Lock all vCPUs when synchronzing VMSAs for SNP launch finish", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "869D463B-A4DE-4ED4-8FBA-396042335402", "versionEndExcluding": "6.18.24", "versionStartIncluding": "6.11", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "D6A8A074-BBF4-4803-ABED-519A839435BB", "versionEndExcluding": "6.19.14", "versionStartIncluding": "6.19", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "9B5888AB-7403-4335-89E4-21CC0B48366A", "versionEndExcluding": "7.0.1", "versionStartIncluding": "7.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: SEV: Lock all vCPUs when synchronzing VMSAs for SNP launch finish\n\nLock all vCPUs when synchronizing and encrypting VMSAs for SNP guests, as\nallowing userspace to manipulate and/or run a vCPU while its state is being\nsynchronized would at best corrupt vCPU state, and at worst crash the host\nkernel.\n\nOpportunistically assert that vcpu->mutex is held when synchronizing its\nVMSA (the SEV-ES path already locks vCPUs)."}], "id": "CVE-2026-31591", "lastModified": "2026-04-28T20:34:54.953", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-24T15:16:36.480", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/30fd9d8c82087742168db779929d8be0459b0716"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/4df77742e8b9a6b935bdf46f02fd0aca4d4ee7f5"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/c87938fc7d99a06a7e5477c45b4e5a4148f85d66"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/cb923ee6a80f4e604e6242a4702b59251e61a380"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: KVM: SEV: Lock all vCPUs when synchronzing VMSAs for SNP launch finish", "id": "2461489", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2461489"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-820", "details": ["A flaw was found in the Linux kernel's Kernel-based Virtual Machine (KVM) component. This vulnerability allows a local user in userspace to manipulate or run a virtual CPU (vCPU) while its state is being synchronized during the Secure Nested Paging (SNP) launch process. This improper synchronization can lead to corruption of the vCPU state or, in the worst case, cause the host kernel to crash, resulting in a Denial of Service (DoS)."], "name": "CVE-2026-31591", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-24T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-31591\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31591\nhttps://lore.kernel.org/linux-cve-announce/2026042415-CVE-2026-31591-4148@gregkh/T"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[ad27ce155566f2b4400fa865859834592bd18777,30fd9d8c82087742168db779929d8be0459b0716)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[ad27ce155566f2b4400fa865859834592bd18777,4df77742e8b9a6b935bdf46f02fd0aca4d4ee7f5)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[ad27ce155566f2b4400fa865859834592bd18777,c87938fc7d99a06a7e5477c45b4e5a4148f85d66)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[ad27ce155566f2b4400fa865859834592bd18777,cb923ee6a80f4e604e6242a4702b59251e61a380)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "6.11"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,6.11)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.24,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.14,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[7.0.1,7.1.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.1-rc1,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-28T23:41:42.729945+00:00", "value": {"mitigation_remediation": ["Update the Linux kernel to a version that includes the patch which locks all vCPUs when synchronizing VMSAs as referenced by commits 30fd9d8c82087742168db779929d8be0459b0716 and 4df77742e8b9a6b935bdf46f02fd0aca4d4ee7f5", "Restrict KVM access to trusted users and avoid running untrusted or elevated userspace processes that can interact with vCPU state", "Review and harden host configuration so that only authenticated and authorized guests can interact with the KVM driver"], "summary": {"action": "Patch", "impact": "Kernel state corruption and potential host crash leading to denial of service"}, "threat_synthesis": {"affected_systems": "Linux kernel systems running KVM are affected. No specific affected kernel version is listed; any kernel that has not incorporated the recent lock\u2011insertion patch is potentially vulnerable.", "description_and_impact": "The flaw in the Linux kernel\u2019s KVM implementation allows a userspace process that manages a virtual machine to manipulate or run a vCPU while its state is being synchronized and encrypted for SEV (Secure Encrypted Virtualization) guests. This unsynchronized access can corrupt the vCPU\u2019s state or, in the worst case, crash the host kernel. The flaw is classified under CWE\u2011820, indicating improper handling of shared state during synchronization.", "risk_and_exploitability": "The CVSS score of 5.5 reflects a likely crash scenario and moderate exploitation complexity. The EPSS score is under 1%, indicating a low current probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. Exploitation would require the ability to control the execution of a KVM guest on the host, suggesting a privileged or compromised userspace process as the attack vector. Once accessed, a malicious user could trigger state corruption and cause a kernel panic, effectively denying service to the host and any other VMs running on it."}}}}, "created": "2026-04-27T19:00:15.653453+00:00", "updated": "2026-04-28T23:45:16.059228+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}