๐Ÿ” CVE Alert

CVE-2026-53360

UNKNOWN 0.0

KVM: SEV: Require in-GHCB scratch area if GHCB v2+ is in use

CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th

In the Linux kernel, the following vulnerability has been resolved: KVM: SEV: Require in-GHCB scratch area if GHCB v2+ is in use As per the GHCB spec, when using GHCB v2+ require the software scratch area to reside in the GHCB's shared buffer. Note, things like Page State Change (PSC) requests _rely_ on this behavior, as the guest can't provide a length when making the request, i.e. the size of the guest payload is bounded by the size of the shared buffer. Failure to force usage of the GHCB, and a slew of other flaws, lets a malicious SNP guest corrupt host kernel heap memory, and leak host heap layout information. setup_vmgexit_scratch() allocates a buffer via kvzalloc(exit_info_2), where exit_info_2 is guest-controlled. With exit_info_2=24, this yields a 24-byte allocation in kmalloc-cg-32 (32-byte slab objects). The buffer holds an 8-byte psc_hdr followed by 8-byte psc_entry structs, so only entries[0] and entries[1] are in-bounds. snp_begin_psc() validates end_entry against VMGEXIT_PSC_MAX_COUNT (253) but NOT against the actual buffer size: idx_end = hdr->end_entry; if (idx_end >= VMGEXIT_PSC_MAX_COUNT) { // checks 253, not buffer snp_complete_psc(svm, ...); return 1; } for (idx = idx_start; idx <= idx_end; idx++) { entry_start = entries[idx]; // OOB when idx >= 2 The guest sets end_entry=10+, causing the host to iterate entries[2+] which are OOB into adjacent slab objects. For each OOB entry: - The host reads 8 bytes (OOB READ / info leak oracle) - If the data passes PSC validation, __snp_complete_one_psc() writes cur_page = 1 or 512 into the entry (OOB WRITE, sev.c:3806) - If validation fails, the error response reveals whether adjacent memory is zero vs non-zero (information disclosure to guest) The guest controls allocation size (exit_info_2), entry range (cur_entry/end_entry), and can fire unlimited VMGEXITs to repeatedly hit different slab positions. By exploiting the variety of bugs, a malicious SEV-SNP guest can: - OOB read adjacent kmalloc-cg-32 objects (heap layout disclosure) - OOB write cur_page bits into adjacent objects (heap corruption) - Trigger use-after-free conditions across VMGEXITs E.g. with KASAN enabled, a single insmod of the PoC guest module produces 73 KASAN reports: BUG: KASAN: slab-out-of-bounds in snp_begin_psc+0x126/0x890 Read of size 8 at addr ffff888219ffb5e0 by task qemu-system-x86/2199 BUG: KASAN: slab-out-of-bounds in snp_begin_psc+0x468/0x890 Write of size 8 at addr ffff888351566648 by task qemu-system-x86/2199 The buggy address belongs to the object at ffff888XXXXXXXXX which belongs to the cache kmalloc-cg-32 of size 32 The buggy address is located N bytes to the right of allocated 32-byte region [ffff888XXXXXXXXX, ffff888XXXXXXXXX) Breakdown: 62 slab-out-of-bounds (reads + writes past allocation) 7 slab-use-after-free 4 use-after-free All credit to Stan for the wonderful description and reproducer! [sean: write changelog]

Vendor linux
Product linux
Ecosystems
Industries
Technology
Published Jul 4, 2026
Stay Ahead of the Next One

Get instant alerts for linux linux

Be the first to know when new unknown vulnerabilities affecting linux linux are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

Linux / Linux
4af663c2f64a8d252e690c60cf8b8abf22dc2951 < bf9ba093fbb83c0c9a3dedd50efec29424eca2fc 4af663c2f64a8d252e690c60cf8b8abf22dc2951 < c9b4198fbc6ed99a9da4bee9f74bb730f926c9ae 4af663c2f64a8d252e690c60cf8b8abf22dc2951 < b328ede59ac34e7998e1eee5e5f0cc26c2a91846 4af663c2f64a8d252e690c60cf8b8abf22dc2951 < db3f2195d29344a3cf1e9dd9ab7f21ced7308cf7
Linux / Linux
6.10

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
git.kernel.org: https://git.kernel.org/stable/c/bf9ba093fbb83c0c9a3dedd50efec29424eca2fc git.kernel.org: https://git.kernel.org/stable/c/c9b4198fbc6ed99a9da4bee9f74bb730f926c9ae git.kernel.org: https://git.kernel.org/stable/c/b328ede59ac34e7998e1eee5e5f0cc26c2a91846 git.kernel.org: https://git.kernel.org/stable/c/db3f2195d29344a3cf1e9dd9ab7f21ced7308cf7