{"api_version":"1","generated_at":"2026-04-24T20:55:51+00:00","cve":"CVE-2026-31593","urls":{"html":"https://cve.report/CVE-2026-31593","api":"https://cve.report/api/cve/CVE-2026-31593.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-31593","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-31593"},"summary":{"title":"KVM: SEV: Reject attempts to sync VMSA of an already-launched/encrypted vCPU","description":"In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: SEV: Reject attempts to sync VMSA of an already-launched/encrypted vCPU\n\nReject synchronizing vCPU state to its associated VMSA if the vCPU has\nalready been launched, i.e. if the VMSA has already been encrypted.  On a\nhost with SNP enabled, accessing guest-private memory generates an RMP #PF\nand panics the host.\n\n  BUG: unable to handle page fault for address: ff1276cbfdf36000\n  #PF: supervisor write access in kernel mode\n  #PF: error_code(0x80000003) - RMP violation\n  PGD 5a31801067 P4D 5a31802067 PUD 40ccfb5063 PMD 40e5954063 PTE 80000040fdf36163\n  SEV-SNP: PFN 0x40fdf36, RMP entry: [0x6010fffffffff001 - 0x000000000000001f]\n  Oops: Oops: 0003 [#1] SMP NOPTI\n  CPU: 33 UID: 0 PID: 996180 Comm: qemu-system-x86 Tainted: G           OE\n  Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE\n  Hardware name: Dell Inc. PowerEdge R7625/0H1TJT, BIOS 1.5.8 07/21/2023\n  RIP: 0010:sev_es_sync_vmsa+0x54/0x4c0 [kvm_amd]\n  Call Trace:\n   <TASK>\n   snp_launch_update_vmsa+0x19d/0x290 [kvm_amd]\n   snp_launch_finish+0xb6/0x380 [kvm_amd]\n   sev_mem_enc_ioctl+0x14e/0x720 [kvm_amd]\n   kvm_arch_vm_ioctl+0x837/0xcf0 [kvm]\n   kvm_vm_ioctl+0x3fd/0xcc0 [kvm]\n   __x64_sys_ioctl+0xa3/0x100\n   x64_sys_call+0xfe0/0x2350\n   do_syscall_64+0x81/0x10f0\n   entry_SYSCALL_64_after_hwframe+0x76/0x7e\n  RIP: 0033:0x7ffff673287d\n   </TASK>\n\nNote, the KVM flaw has been present since commit ad73109ae7ec (\"KVM: SVM:\nProvide support to launch and run an SEV-ES guest\"), but has only been\nactively dangerous for the host since SNP support was added.  With SEV-ES,\nKVM would \"just\" clobber guest state, which is totally fine from a host\nkernel perspective since userspace can clobber guest state any time before\nsev_launch_update_vmsa().","state":"PUBLISHED","assigner":"Linux","published_at":"2026-04-24 15:16:36","updated_at":"2026-04-24 17:51:40"},"problem_types":[],"metrics":[],"references":[{"url":"https://git.kernel.org/stable/c/6ef109e01e1d35199e1a97ea68bdfd3cf3fbf9ab","name":"https://git.kernel.org/stable/c/6ef109e01e1d35199e1a97ea68bdfd3cf3fbf9ab","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/692fdf05e55fa03960a1278afdc2478c12daea13","name":"https://git.kernel.org/stable/c/692fdf05e55fa03960a1278afdc2478c12daea13","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/c9609847ae65ca36233077c2b6cb2bc0fb37c77a","name":"https://git.kernel.org/stable/c/c9609847ae65ca36233077c2b6cb2bc0fb37c77a","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/8f85a4885eee8cb495961ffa371a91828afb9445","name":"https://git.kernel.org/stable/c/8f85a4885eee8cb495961ffa371a91828afb9445","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-31593","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31593","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 c9609847ae65ca36233077c2b6cb2bc0fb37c77a git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 692fdf05e55fa03960a1278afdc2478c12daea13 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 6ef109e01e1d35199e1a97ea68bdfd3cf3fbf9ab git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 8f85a4885eee8cb495961ffa371a91828afb9445 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.12.83 6.12.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.18.24 6.18.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.19.14 6.19.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.0.1 7.0.* semver","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["arch/x86/kvm/svm/sev.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"c9609847ae65ca36233077c2b6cb2bc0fb37c77a","status":"affected","version":"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2","versionType":"git"},{"lessThan":"692fdf05e55fa03960a1278afdc2478c12daea13","status":"affected","version":"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2","versionType":"git"},{"lessThan":"6ef109e01e1d35199e1a97ea68bdfd3cf3fbf9ab","status":"affected","version":"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2","versionType":"git"},{"lessThan":"8f85a4885eee8cb495961ffa371a91828afb9445","status":"affected","version":"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2","versionType":"git"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["arch/x86/kvm/svm/sev.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThanOrEqual":"6.12.*","status":"unaffected","version":"6.12.83","versionType":"semver"},{"lessThanOrEqual":"6.18.*","status":"unaffected","version":"6.18.24","versionType":"semver"},{"lessThanOrEqual":"6.19.*","status":"unaffected","version":"6.19.14","versionType":"semver"},{"lessThanOrEqual":"7.0.*","status":"unaffected","version":"7.0.1","versionType":"semver"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.12.83","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.18.24","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.19.14","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.0.1","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: SEV: Reject attempts to sync VMSA of an already-launched/encrypted vCPU\n\nReject synchronizing vCPU state to its associated VMSA if the vCPU has\nalready been launched, i.e. if the VMSA has already been encrypted.  On a\nhost with SNP enabled, accessing guest-private memory generates an RMP #PF\nand panics the host.\n\n  BUG: unable to handle page fault for address: ff1276cbfdf36000\n  #PF: supervisor write access in kernel mode\n  #PF: error_code(0x80000003) - RMP violation\n  PGD 5a31801067 P4D 5a31802067 PUD 40ccfb5063 PMD 40e5954063 PTE 80000040fdf36163\n  SEV-SNP: PFN 0x40fdf36, RMP entry: [0x6010fffffffff001 - 0x000000000000001f]\n  Oops: Oops: 0003 [#1] SMP NOPTI\n  CPU: 33 UID: 0 PID: 996180 Comm: qemu-system-x86 Tainted: G           OE\n  Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE\n  Hardware name: Dell Inc. PowerEdge R7625/0H1TJT, BIOS 1.5.8 07/21/2023\n  RIP: 0010:sev_es_sync_vmsa+0x54/0x4c0 [kvm_amd]\n  Call Trace:\n   <TASK>\n   snp_launch_update_vmsa+0x19d/0x290 [kvm_amd]\n   snp_launch_finish+0xb6/0x380 [kvm_amd]\n   sev_mem_enc_ioctl+0x14e/0x720 [kvm_amd]\n   kvm_arch_vm_ioctl+0x837/0xcf0 [kvm]\n   kvm_vm_ioctl+0x3fd/0xcc0 [kvm]\n   __x64_sys_ioctl+0xa3/0x100\n   x64_sys_call+0xfe0/0x2350\n   do_syscall_64+0x81/0x10f0\n   entry_SYSCALL_64_after_hwframe+0x76/0x7e\n  RIP: 0033:0x7ffff673287d\n   </TASK>\n\nNote, the KVM flaw has been present since commit ad73109ae7ec (\"KVM: SVM:\nProvide support to launch and run an SEV-ES guest\"), but has only been\nactively dangerous for the host since SNP support was added.  With SEV-ES,\nKVM would \"just\" clobber guest state, which is totally fine from a host\nkernel perspective since userspace can clobber guest state any time before\nsev_launch_update_vmsa()."}],"providerMetadata":{"dateUpdated":"2026-04-24T14:42:19.567Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/c9609847ae65ca36233077c2b6cb2bc0fb37c77a"},{"url":"https://git.kernel.org/stable/c/692fdf05e55fa03960a1278afdc2478c12daea13"},{"url":"https://git.kernel.org/stable/c/6ef109e01e1d35199e1a97ea68bdfd3cf3fbf9ab"},{"url":"https://git.kernel.org/stable/c/8f85a4885eee8cb495961ffa371a91828afb9445"}],"title":"KVM: SEV: Reject attempts to sync VMSA of an already-launched/encrypted vCPU","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2026-31593","datePublished":"2026-04-24T14:42:19.567Z","dateReserved":"2026-03-09T15:48:24.121Z","dateUpdated":"2026-04-24T14:42:19.567Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-04-24 15:16:36","lastModifiedDate":"2026-04-24 17:51:40","problem_types":[],"metrics":[],"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"31593","Ordinal":"1","Title":"KVM: SEV: Reject attempts to sync VMSA of an already-launched/en","CVE":"CVE-2026-31593","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"31593","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: SEV: Reject attempts to sync VMSA of an already-launched/encrypted vCPU\n\nReject synchronizing vCPU state to its associated VMSA if the vCPU has\nalready been launched, i.e. if the VMSA has already been encrypted.  On a\nhost with SNP enabled, accessing guest-private memory generates an RMP #PF\nand panics the host.\n\n  BUG: unable to handle page fault for address: ff1276cbfdf36000\n  #PF: supervisor write access in kernel mode\n  #PF: error_code(0x80000003) - RMP violation\n  PGD 5a31801067 P4D 5a31802067 PUD 40ccfb5063 PMD 40e5954063 PTE 80000040fdf36163\n  SEV-SNP: PFN 0x40fdf36, RMP entry: [0x6010fffffffff001 - 0x000000000000001f]\n  Oops: Oops: 0003 [#1] SMP NOPTI\n  CPU: 33 UID: 0 PID: 996180 Comm: qemu-system-x86 Tainted: G           OE\n  Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE\n  Hardware name: Dell Inc. PowerEdge R7625/0H1TJT, BIOS 1.5.8 07/21/2023\n  RIP: 0010:sev_es_sync_vmsa+0x54/0x4c0 [kvm_amd]\n  Call Trace:\n   <TASK>\n   snp_launch_update_vmsa+0x19d/0x290 [kvm_amd]\n   snp_launch_finish+0xb6/0x380 [kvm_amd]\n   sev_mem_enc_ioctl+0x14e/0x720 [kvm_amd]\n   kvm_arch_vm_ioctl+0x837/0xcf0 [kvm]\n   kvm_vm_ioctl+0x3fd/0xcc0 [kvm]\n   __x64_sys_ioctl+0xa3/0x100\n   x64_sys_call+0xfe0/0x2350\n   do_syscall_64+0x81/0x10f0\n   entry_SYSCALL_64_after_hwframe+0x76/0x7e\n  RIP: 0033:0x7ffff673287d\n   </TASK>\n\nNote, the KVM flaw has been present since commit ad73109ae7ec (\"KVM: SVM:\nProvide support to launch and run an SEV-ES guest\"), but has only been\nactively dangerous for the host since SNP support was added.  With SEV-ES,\nKVM would \"just\" clobber guest state, which is totally fine from a host\nkernel perspective since userspace can clobber guest state any time before\nsev_launch_update_vmsa().","Type":"Description","Title":"KVM: SEV: Reject attempts to sync VMSA of an already-launched/en"}]}}}