{"api_version":"1","generated_at":"2026-05-03T09:22:13+00:00","cve":"CVE-2026-31697","urls":{"html":"https://cve.report/CVE-2026-31697","api":"https://cve.report/api/cve/CVE-2026-31697.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-31697","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-31697"},"summary":{"title":"crypto: ccp: Don't attempt to copy ID to userspace if PSP command failed","description":"In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: ccp: Don't attempt to copy ID to userspace if PSP command failed\n\nWhen retrieving the ID for the CPU, don't attempt to copy the ID blob to\nuserspace if the firmware command failed. If the failure was due to an\ninvalid length, i.e. the userspace buffer+length was too small, copying\nthe number of bytes _firmware_ requires will overflow the kernel-allocated\nbuffer and leak data to userspace.\n\n BUG: KASAN: slab-out-of-bounds in instrument_copy_to_user ../include/linux/instrumented.h:129 [inline]\n BUG: KASAN: slab-out-of-bounds in _inline_copy_to_user ../include/linux/uaccess.h:205 [inline]\n BUG: KASAN: slab-out-of-bounds in _copy_to_user+0x66/0xa0 ../lib/usercopy.c:26\n Read of size 64 at addr ffff8881867f5960 by task syz.0.906/24388\n\n CPU: 130 UID: 0 PID: 24388 Comm: syz.0.906 Tainted: G U O 7.0.0-smp-DEV #28 PREEMPTLAZY\n Tainted: [U]=USER, [O]=OOT_MODULE\n Hardware name: Google, Inc. Arcadia_IT_80/Arcadia_IT_80, BIOS 12.62.0-0 11/19/2025\n Call Trace:\n \n dump_stack_lvl+0xc5/0x110 ../lib/dump_stack.c:120\n print_address_description ../mm/kasan/report.c:378 [inline]\n print_report+0xbc/0x260 ../mm/kasan/report.c:482\n kasan_report+0xa2/0xe0 ../mm/kasan/report.c:595\n check_region_inline ../mm/kasan/generic.c:-1 [inline]\n kasan_check_range+0x264/0x2c0 ../mm/kasan/generic.c:200\n instrument_copy_to_user ../include/linux/instrumented.h:129 [inline]\n _inline_copy_to_user ../include/linux/uaccess.h:205 [inline]\n _copy_to_user+0x66/0xa0 ../lib/usercopy.c:26\n copy_to_user ../include/linux/uaccess.h:236 [inline]\n sev_ioctl_do_get_id2+0x361/0x490 ../drivers/crypto/ccp/sev-dev.c:2222\n sev_ioctl+0x25f/0x490 ../drivers/crypto/ccp/sev-dev.c:2575\n vfs_ioctl ../fs/ioctl.c:51 [inline]\n __do_sys_ioctl ../fs/ioctl.c:597 [inline]\n __se_sys_ioctl+0x11d/0x1b0 ../fs/ioctl.c:583\n do_syscall_x64 ../arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xe0/0x800 ../arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n \n\nWARN if the driver says the command succeeded, but the firmware error code\nsays otherwise, as __sev_do_cmd_locked() is expected to return -EIO on any\nfirwmware error.","state":"PUBLISHED","assigner":"Linux","published_at":"2026-05-01 14:16:19","updated_at":"2026-05-03 07:16:17"},"problem_types":[],"metrics":[{"version":"3.1","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","score":"7.1","severity":"HIGH","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H","baseScore":7.1,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"HIGH"}},{"version":"3.1","source":"CNA","type":"DECLARED","score":"7.1","severity":"HIGH","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H","data":{"baseScore":7.1,"baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H","version":"3.1"}}],"references":[{"url":"https://git.kernel.org/stable/c/09427bcb1715fb20a80b6acd5156dbf15ab5c363","name":"https://git.kernel.org/stable/c/09427bcb1715fb20a80b6acd5156dbf15ab5c363","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/06f06d88c05ce176c61fff8c72c372847b0dd2b5","name":"https://git.kernel.org/stable/c/06f06d88c05ce176c61fff8c72c372847b0dd2b5","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/2937f17bbeefb8e7608ff1f78cffbeb3d0281e5e","name":"https://git.kernel.org/stable/c/2937f17bbeefb8e7608ff1f78cffbeb3d0281e5e","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/1fbac0429a42adec830491757a2b53956dd797ea","name":"https://git.kernel.org/stable/c/1fbac0429a42adec830491757a2b53956dd797ea","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/4f685dbfa87c546e51d9dc6cab379d20f275e114","name":"https://git.kernel.org/stable/c/4f685dbfa87c546e51d9dc6cab379d20f275e114","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-31697","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31697","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected d6112ea0cb344d6f5ed519991e24f69ba4b43d0e 09427bcb1715fb20a80b6acd5156dbf15ab5c363 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected d6112ea0cb344d6f5ed519991e24f69ba4b43d0e 1fbac0429a42adec830491757a2b53956dd797ea git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected d6112ea0cb344d6f5ed519991e24f69ba4b43d0e 2937f17bbeefb8e7608ff1f78cffbeb3d0281e5e git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected d6112ea0cb344d6f5ed519991e24f69ba4b43d0e 06f06d88c05ce176c61fff8c72c372847b0dd2b5 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected d6112ea0cb344d6f5ed519991e24f69ba4b43d0e 4f685dbfa87c546e51d9dc6cab379d20f275e114 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 5.2","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.2 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.6.136 6.6.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.12.84 6.12.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.18.25 6.18.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.0.2 7.0.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.1-rc1 * original_commit_for_fix","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"31697","cve":"CVE-2026-31697","epss":"0.000180000","percentile":"0.048520000","score_date":"2026-05-02","updated_at":"2026-05-03 00:00:23"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["drivers/crypto/ccp/sev-dev.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"09427bcb1715fb20a80b6acd5156dbf15ab5c363","status":"affected","version":"d6112ea0cb344d6f5ed519991e24f69ba4b43d0e","versionType":"git"},{"lessThan":"1fbac0429a42adec830491757a2b53956dd797ea","status":"affected","version":"d6112ea0cb344d6f5ed519991e24f69ba4b43d0e","versionType":"git"},{"lessThan":"2937f17bbeefb8e7608ff1f78cffbeb3d0281e5e","status":"affected","version":"d6112ea0cb344d6f5ed519991e24f69ba4b43d0e","versionType":"git"},{"lessThan":"06f06d88c05ce176c61fff8c72c372847b0dd2b5","status":"affected","version":"d6112ea0cb344d6f5ed519991e24f69ba4b43d0e","versionType":"git"},{"lessThan":"4f685dbfa87c546e51d9dc6cab379d20f275e114","status":"affected","version":"d6112ea0cb344d6f5ed519991e24f69ba4b43d0e","versionType":"git"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["drivers/crypto/ccp/sev-dev.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"status":"affected","version":"5.2"},{"lessThan":"5.2","status":"unaffected","version":"0","versionType":"semver"},{"lessThanOrEqual":"6.6.*","status":"unaffected","version":"6.6.136","versionType":"semver"},{"lessThanOrEqual":"6.12.*","status":"unaffected","version":"6.12.84","versionType":"semver"},{"lessThanOrEqual":"6.18.*","status":"unaffected","version":"6.18.25","versionType":"semver"},{"lessThanOrEqual":"7.0.*","status":"unaffected","version":"7.0.2","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"7.1-rc1","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.6.136","versionStartIncluding":"5.2","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.12.84","versionStartIncluding":"5.2","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.18.25","versionStartIncluding":"5.2","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.0.2","versionStartIncluding":"5.2","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.1-rc1","versionStartIncluding":"5.2","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: ccp: Don't attempt to copy ID to userspace if PSP command failed\n\nWhen retrieving the ID for the CPU, don't attempt to copy the ID blob to\nuserspace if the firmware command failed. If the failure was due to an\ninvalid length, i.e. the userspace buffer+length was too small, copying\nthe number of bytes _firmware_ requires will overflow the kernel-allocated\nbuffer and leak data to userspace.\n\n BUG: KASAN: slab-out-of-bounds in instrument_copy_to_user ../include/linux/instrumented.h:129 [inline]\n BUG: KASAN: slab-out-of-bounds in _inline_copy_to_user ../include/linux/uaccess.h:205 [inline]\n BUG: KASAN: slab-out-of-bounds in _copy_to_user+0x66/0xa0 ../lib/usercopy.c:26\n Read of size 64 at addr ffff8881867f5960 by task syz.0.906/24388\n\n CPU: 130 UID: 0 PID: 24388 Comm: syz.0.906 Tainted: G U O 7.0.0-smp-DEV #28 PREEMPTLAZY\n Tainted: [U]=USER, [O]=OOT_MODULE\n Hardware name: Google, Inc. Arcadia_IT_80/Arcadia_IT_80, BIOS 12.62.0-0 11/19/2025\n Call Trace:\n \n dump_stack_lvl+0xc5/0x110 ../lib/dump_stack.c:120\n print_address_description ../mm/kasan/report.c:378 [inline]\n print_report+0xbc/0x260 ../mm/kasan/report.c:482\n kasan_report+0xa2/0xe0 ../mm/kasan/report.c:595\n check_region_inline ../mm/kasan/generic.c:-1 [inline]\n kasan_check_range+0x264/0x2c0 ../mm/kasan/generic.c:200\n instrument_copy_to_user ../include/linux/instrumented.h:129 [inline]\n _inline_copy_to_user ../include/linux/uaccess.h:205 [inline]\n _copy_to_user+0x66/0xa0 ../lib/usercopy.c:26\n copy_to_user ../include/linux/uaccess.h:236 [inline]\n sev_ioctl_do_get_id2+0x361/0x490 ../drivers/crypto/ccp/sev-dev.c:2222\n sev_ioctl+0x25f/0x490 ../drivers/crypto/ccp/sev-dev.c:2575\n vfs_ioctl ../fs/ioctl.c:51 [inline]\n __do_sys_ioctl ../fs/ioctl.c:597 [inline]\n __se_sys_ioctl+0x11d/0x1b0 ../fs/ioctl.c:583\n do_syscall_x64 ../arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xe0/0x800 ../arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n \n\nWARN if the driver says the command succeeded, but the firmware error code\nsays otherwise, as __sev_do_cmd_locked() is expected to return -EIO on any\nfirwmware error."}],"metrics":[{"cvssV3_1":{"baseScore":7.1,"baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H","version":"3.1"}}],"providerMetadata":{"dateUpdated":"2026-05-03T05:45:22.235Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/09427bcb1715fb20a80b6acd5156dbf15ab5c363"},{"url":"https://git.kernel.org/stable/c/1fbac0429a42adec830491757a2b53956dd797ea"},{"url":"https://git.kernel.org/stable/c/2937f17bbeefb8e7608ff1f78cffbeb3d0281e5e"},{"url":"https://git.kernel.org/stable/c/06f06d88c05ce176c61fff8c72c372847b0dd2b5"},{"url":"https://git.kernel.org/stable/c/4f685dbfa87c546e51d9dc6cab379d20f275e114"}],"title":"crypto: ccp: Don't attempt to copy ID to userspace if PSP command failed","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2026-31697","datePublished":"2026-05-01T13:55:58.184Z","dateReserved":"2026-03-09T15:48:24.131Z","dateUpdated":"2026-05-03T05:45:22.235Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-05-01 14:16:19","lastModifiedDate":"2026-05-03 07:16:17","problem_types":[],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H","baseScore":7.1,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.2}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"31697","Ordinal":"1","Title":"crypto: ccp: Don't attempt to copy ID to userspace if PSP comman","CVE":"CVE-2026-31697","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"31697","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: ccp: Don't attempt to copy ID to userspace if PSP command failed\n\nWhen retrieving the ID for the CPU, don't attempt to copy the ID blob to\nuserspace if the firmware command failed. If the failure was due to an\ninvalid length, i.e. the userspace buffer+length was too small, copying\nthe number of bytes _firmware_ requires will overflow the kernel-allocated\nbuffer and leak data to userspace.\n\n BUG: KASAN: slab-out-of-bounds in instrument_copy_to_user ../include/linux/instrumented.h:129 [inline]\n BUG: KASAN: slab-out-of-bounds in _inline_copy_to_user ../include/linux/uaccess.h:205 [inline]\n BUG: KASAN: slab-out-of-bounds in _copy_to_user+0x66/0xa0 ../lib/usercopy.c:26\n Read of size 64 at addr ffff8881867f5960 by task syz.0.906/24388\n\n CPU: 130 UID: 0 PID: 24388 Comm: syz.0.906 Tainted: G U O 7.0.0-smp-DEV #28 PREEMPTLAZY\n Tainted: [U]=USER, [O]=OOT_MODULE\n Hardware name: Google, Inc. Arcadia_IT_80/Arcadia_IT_80, BIOS 12.62.0-0 11/19/2025\n Call Trace:\n \n dump_stack_lvl+0xc5/0x110 ../lib/dump_stack.c:120\n print_address_description ../mm/kasan/report.c:378 [inline]\n print_report+0xbc/0x260 ../mm/kasan/report.c:482\n kasan_report+0xa2/0xe0 ../mm/kasan/report.c:595\n check_region_inline ../mm/kasan/generic.c:-1 [inline]\n kasan_check_range+0x264/0x2c0 ../mm/kasan/generic.c:200\n instrument_copy_to_user ../include/linux/instrumented.h:129 [inline]\n _inline_copy_to_user ../include/linux/uaccess.h:205 [inline]\n _copy_to_user+0x66/0xa0 ../lib/usercopy.c:26\n copy_to_user ../include/linux/uaccess.h:236 [inline]\n sev_ioctl_do_get_id2+0x361/0x490 ../drivers/crypto/ccp/sev-dev.c:2222\n sev_ioctl+0x25f/0x490 ../drivers/crypto/ccp/sev-dev.c:2575\n vfs_ioctl ../fs/ioctl.c:51 [inline]\n __do_sys_ioctl ../fs/ioctl.c:597 [inline]\n __se_sys_ioctl+0x11d/0x1b0 ../fs/ioctl.c:583\n do_syscall_x64 ../arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xe0/0x800 ../arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n \n\nWARN if the driver says the command succeeded, but the firmware error code\nsays otherwise, as __sev_do_cmd_locked() is expected to return -EIO on any\nfirwmware error.","Type":"Description","Title":"crypto: ccp: Don't attempt to copy ID to userspace if PSP comman"}]}}}