Out-of-bounds read in Linux kernel - CVE-2026-31698
Published: May 2, 2026
Vulnerability identifier: #VU128999
CSH Severity: Low
CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-31698
CWE-ID: CWE-125
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vulnerable software:
Linux kernel
Linux kernel
Software vendor:
Linux Foundation
Linux Foundation
Description
The vulnerability allows a local user to disclose sensitive information.
The vulnerability exists due to an out-of-bounds read in sev_ioctl_do_pdh_export when handling a PDH certificate export ioctl after a firmware command failure caused by an invalid length. A local user can provide a userspace buffer and length that are too small to trigger copying beyond the kernel-allocated buffer to disclose sensitive information.
The issue occurs when retrieving the PDH certificate and the firmware reports the required size after the supplied userspace buffer is too small.
Remediation
Install security update from vendor's repository.
External links
- https://git.kernel.org/stable/c/051e51aa55fd4cdc3e8283cf4476aeeb5f563274
- https://git.kernel.org/stable/c/50808c13452dae43a2c90b1bbbf9daa16501ce70
- https://git.kernel.org/stable/c/78b97e43d0b3e674d9d49ae56937b11e2ba3fcaf
- https://git.kernel.org/stable/c/b5c14bd4da1f376f385722fe1da993f1edab6472
- https://git.kernel.org/stable/c/e76239fed3cffd6d304d8ca3ce23984fd24f57d3