virt: sev-guest: Do not use host-controlled page order in cleanup path

Summary

CVE: CVE-2026-52959
State: PUBLISHED
Assigner: Linux
Source Priority: CVE Program / NVD first with legacy fallback
Published: 2026-06-24 17:17:06 UTC
Updated: 2026-06-24 17:17:06 UTC
Description: In the Linux kernel, the following vulnerability has been resolved:

virt: sev-guest: Do not use host-controlled page order in cleanup path

When issuing an extended guest request (SVM_VMGEXIT_EXT_GUEST_REQUEST), get_ext_report() allocates a buffer to retrieve a certificate blob from the host, keeping track of its size in report_req->certs_len.

However, the host may return SNP_GUEST_VMM_ERR_INVALID_LEN, indicating an invalid buffer size, as well as the expected length of such buffer. get_ext_report() subsequently updates report_req->certs_len with the host-controlled value, and cleans up the buffer by computing a page order from such value.

This is incorrect, as the host-provided length may not match the page order of the original allocation, potentially resulting in corruption in the page allocator.

Fix this by using alloc_pages_exact() instead, and reusing @npages to compute the size passed to free_pages_exact(). For consistency, also use @npages to compute the size when allocating the pages, even though this last change has no functional effect.
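
The size mismatch described above, as an added user-space model (not the kernel's code and not taken from the fix commits). It assumes 4 KiB pages; model_get_order(), free_by_host_len(), free_by_npages() and struct span are hypothetical names, and the lengths are constructed.

```c
#include <stddef.h>
#include <stdio.h>

#define PAGE_SHIFT 12                       /* assumption: 4 KiB pages */
#define PAGE_SIZE  ((size_t)1 << PAGE_SHIFT)

struct span { size_t alloc_bytes, free_bytes; };

/* Model of get_order(): smallest order with (PAGE_SIZE << order) >= size. */
static unsigned int model_get_order(size_t size)
{
    unsigned int order = 0;
    while (order < 31 && (PAGE_SIZE << order) < size)
        order++;
    return order;
}

/* Flawed pattern: certs_len is overwritten with the host's expected length
 * and the free-side order is recomputed from that overwritten value. */
static struct span free_by_host_len(size_t certs_len, size_t host_len)
{
    struct span s;
    s.alloc_bytes = PAGE_SIZE << model_get_order(certs_len);
    certs_len = host_len;                   /* host-controlled update */
    s.free_bytes = PAGE_SIZE << model_get_order(certs_len);
    return s;
}

/* Fixed pattern: npages is derived once, before the request, and sizes both
 * the allocation and the free; the host's value never reaches cleanup. */
static struct span free_by_npages(size_t certs_len, size_t host_len)
{
    size_t npages = (certs_len + PAGE_SIZE - 1) >> PAGE_SHIFT;
    struct span s;
    (void)host_len;                         /* ignored when sizing the free */
    s.alloc_bytes = npages << PAGE_SHIFT;
    s.free_bytes = npages << PAGE_SHIFT;
    return s;
}

int main(void)
{
    /* Constructed values: 1-page buffer, host reports 5 pages expected. */
    struct span bad = free_by_host_len(4096, 5 * 4096);
    struct span ok = free_by_npages(4096, 5 * 4096);
    printf("flawed: alloc %zu, free %zu\n", bad.alloc_bytes, bad.free_bytes);
    printf("fixed:  alloc %zu, free %zu\n", ok.alloc_bytes, ok.free_bytes);
    return 0;
}
```

In the flawed pattern the free side covers eight pages while only one was allocated; in the fixed pattern both sides are sized from the same guest-computed page count.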

Risk And Classification

EPSS: 0.001150000 probability, percentile 0.018490000 (date 2026-06-26)

Vendor Declared Affected Products

| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Linux | Linux | affected 3e385c0d6ce88ac9916dcf84267bd5855d830748 3f6fb0211b39aaa1b841260681dd02ca6b693ed5 git | Not specified |
| CNA | Linux | Linux | affected 3e385c0d6ce88ac9916dcf84267bd5855d830748 9e48b4f813d2c3db75d522aa82ab705ce04b7e2d git | Not specified |
| CNA | Linux | Linux | affected 3e385c0d6ce88ac9916dcf84267bd5855d830748 23e6a1ca04ae44806439a5a446e62e4d42e80bb4 git | Not specified |
| CNA | Linux | Linux | affected 0b16521f95c875e79d657cb8d6911c15080dbb80 git | Not specified |
| CNA | Linux | Linux | affected 6.13.8 6.14 semver | Not specified |
| CNA | Linux | Linux | affected 6.14 | Not specified |
| CNA | Linux | Linux | unaffected 6.14 semver | Not specified |
| CNA | Linux | Linux | unaffected 6.18.33 6.18.* semver | Not specified |
| CNA | Linux | Linux | unaffected 7.0.10 7.0.* semver | Not specified |
| CNA | Linux | Linux | unaffected 7.1 * original_commit_for_fix | Not specified |

References

| Reference | Source | Link | Tags |
|---|---|---|---|
| git.kernel.org/stable/c/3f6fb0211b39aaa1b841260681dd02ca6b693ed5 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/23e6a1ca04ae44806439a5a446e62e4d42e80bb4 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/9e48b4f813d2c3db75d522aa82ab705ce04b7e2d | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |