CVE-2026-31553

HIGH

KVM: arm64: Fix the descriptor address in __kvm_at_swap_desc()

Title source: cna

Description

In the Linux kernel, the following vulnerability has been resolved:

KVM: arm64: Fix the descriptor address in __kvm_at_swap_desc()

Using "(u64 __user *)hva + offset" to get the virtual addresses of S1/S2 descriptors looks really wrong, if offset is not zero. What we want to get for swapping is hva + offset, not hva + offset*8. ;-)

Fix it.

Scores

CVSS v3 8.8
EPSS 0.0001
EPSS Percentile 3.1%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Details

Status published
Products (9)
Linux/Linux < 6.19
Linux/Linux 6.19
Linux/Linux 6.19.11 - 6.19.*
Linux/Linux 7.0
Linux/Linux f6927b41d57390c597a126063e2e518911976878 - 0496acc42fb51eee040b5170cec05cec41385540
Linux/Linux f6927b41d57390c597a126063e2e518911976878 - 4307e05e568782fc92eff651b09ee5dee88a058d
linux/linux_kernel 6.19
linux/linux_kernel 7.0 rc1 (7 CPE variants)
linux/linux_kernel 6.19.1 - 6.19.11
Published Apr 24, 2026
Tracked Since Apr 24, 2026