CVE-2026-31470

EUVD-2026-24820

22.04.2026, 14:16

In the Linux kernel, the following vulnerability has been resolved:

virt: tdx-guest: Fix handling of host controlled 'quote' buffer length

Validate host controlled value `quote_buf->out_len` that determines how
many bytes of the quote are copied out to guest userspace. In TDX
environments with remote attestation, quotes are not considered private,
and can be forwarded to an attestation server.

Catch scenarios where the host specifies a response length larger than
the guest's allocation, or otherwise races modifying the response while
the guest consumes it.

This prevents contents beyond the pages allocated for `quote_buf`
(up to TSM_REPORT_OUTBLOB_MAX) from being read out to guest userspace,
and possibly forwarded in attestation requests.

Recall that some deployments want per-container configs-tsm-report
interfaces, so the leak may cross container protection boundaries, not
just local root.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	7.1 HIGH	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 3%

Affected Products (NVD)

Vendor	Product	Version
linux	linux_kernel	6.7 ≤ 𝑥 < 6.12.80
linux	linux_kernel	6.13 ≤ 𝑥 < 6.18.21
linux	linux_kernel	6.19 ≤ 𝑥 < 6.19.11
linux	linux_kernel	7.0:rc1
linux	linux_kernel	7.0:rc2
linux	linux_kernel	7.0:rc3
linux	linux_kernel	7.0:rc4
linux	linux_kernel	7.0:rc5

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

linux

bookworm	6.1.170-3 fixed
bookworm (security)	6.1.174-1 fixed
bullseye	5.10.223-1 fixed
bullseye (security)	5.10.257-1 fixed
forky	7.0.10-1 fixed
sid	7.0.10-1 fixed
trixie	6.12.86-1 fixed
trixie (security)	6.12.90-2 fixed

openSUSE / SLES Releases

openSUSE Product

Release

cluster-md-kmp-default

suse enterprise server 15 SP6

6.4.0-150600.23.112.1

fixed

dlm-kmp-default

suse enterprise server 15 SP6

6.4.0-150600.23.112.1

fixed

gfs2-kmp-default

suse enterprise server 15 SP6

6.4.0-150600.23.112.1

fixed

kernel-64kb

suse enterprise server 15 SP6

6.4.0-150600.23.112.1

fixed

kernel-default

suse enterprise server 15 SP6

6.4.0-150600.23.112.1

fixed

kernel-default-base

suse enterprise server 15 SP6

6.4.0-150600.23.112.1.150600.12.52.1

fixed

kernel-docs

suse enterprise server 15 SP6

6.4.0-150600.23.112.1

fixed

kernel-macros

suse enterprise server 15 SP6

6.4.0-150600.23.112.1

fixed

kernel-obs-build

suse enterprise server 15 SP6

6.4.0-150600.23.112.1

fixed

kernel-source

suse enterprise server 15 SP6

6.4.0-150600.23.112.1

fixed

kernel-syms

suse enterprise server 15 SP6

6.4.0-150600.23.112.1

fixed

kernel-zfcpdump

suse enterprise server 15 SP6

6.4.0-150600.23.112.1

fixed

ocfs2-kmp-default

suse enterprise server 15 SP6

6.4.0-150600.23.112.1

fixed

reiserfs-kmp-default

suse enterprise server 15 SP6

6.4.0-150600.23.112.1

fixed

Common Weakness Enumeration

CWE-787 - Out-of-bounds Write
The software writes data past the end, or before the beginning, of the intended buffer.

Vulnerability Media Exposure

[GERMAN] Linux Kernel: Mehrere Schwachstellen
Ein Angreifer kann mehrere Schwachstellen im Linux Kernel ausnutzen, um einen Denial of Service Angriff durchzuführen, Sicherheitsmaßnahmen zu umgehen, Informationen offenzulegen, andere nicht näher spezifizierte Auswirkungen zu verursachen und möglicherweise Code auszuführen.
Published: 2026-04-22T22:00:00+00:00

References

https://git.kernel.org/stable/c/02ca2d9d197723696cb9cc0cb159eb7e8bf5f89b

https://git.kernel.org/stable/c/6f3c8795ae9ba74fa10fe979293d1904712d3fb1

https://git.kernel.org/stable/c/a079a62883e3365de592cea9f7a669d8115433b0

https://git.kernel.org/stable/c/c3fd16c3b98ed726294feab2f94f876290bf7b61