Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2026-31697— crypto: ccp: Don't attempt to copy ID to userspace if PSP command failed

CVSS 7.1 · High EPSS 0.01% · P2
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-31697

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
crypto: ccp: Don't attempt to copy ID to userspace if PSP command failed
Source: NVD (National Vulnerability Database)
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: crypto: ccp: Don't attempt to copy ID to userspace if PSP command failed When retrieving the ID for the CPU, don't attempt to copy the ID blob to userspace if the firmware command failed. If the failure was due to an invalid length, i.e. the userspace buffer+length was too small, copying the number of bytes _firmware_ requires will overflow the kernel-allocated buffer and leak data to userspace. BUG: KASAN: slab-out-of-bounds in instrument_copy_to_user ../include/linux/instrumented.h:129 [inline] BUG: KASAN: slab-out-of-bounds in _inline_copy_to_user ../include/linux/uaccess.h:205 [inline] BUG: KASAN: slab-out-of-bounds in _copy_to_user+0x66/0xa0 ../lib/usercopy.c:26 Read of size 64 at addr ffff8881867f5960 by task syz.0.906/24388 CPU: 130 UID: 0 PID: 24388 Comm: syz.0.906 Tainted: G U O 7.0.0-smp-DEV #28 PREEMPTLAZY Tainted: [U]=USER, [O]=OOT_MODULE Hardware name: Google, Inc. Arcadia_IT_80/Arcadia_IT_80, BIOS 12.62.0-0 11/19/2025 Call Trace: <TASK> dump_stack_lvl+0xc5/0x110 ../lib/dump_stack.c:120 print_address_description ../mm/kasan/report.c:378 [inline] print_report+0xbc/0x260 ../mm/kasan/report.c:482 kasan_report+0xa2/0xe0 ../mm/kasan/report.c:595 check_region_inline ../mm/kasan/generic.c:-1 [inline] kasan_check_range+0x264/0x2c0 ../mm/kasan/generic.c:200 instrument_copy_to_user ../include/linux/instrumented.h:129 [inline] _inline_copy_to_user ../include/linux/uaccess.h:205 [inline] _copy_to_user+0x66/0xa0 ../lib/usercopy.c:26 copy_to_user ../include/linux/uaccess.h:236 [inline] sev_ioctl_do_get_id2+0x361/0x490 ../drivers/crypto/ccp/sev-dev.c:2222 sev_ioctl+0x25f/0x490 ../drivers/crypto/ccp/sev-dev.c:2575 vfs_ioctl ../fs/ioctl.c:51 [inline] __do_sys_ioctl ../fs/ioctl.c:597 [inline] __se_sys_ioctl+0x11d/0x1b0 ../fs/ioctl.c:583 do_syscall_x64 ../arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xe0/0x800 ../arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x76/0x7e </TASK> WARN if the driver says the command succeeded, but the firmware error code says otherwise, as __sev_do_cmd_locked() is expected to return -EIO on any firwmware error.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Linux kernel 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 Linux kernel存在安全漏洞,该漏洞源于PSP命令失败后仍尝试将ID复制到用户空间,可能导致内核分配缓冲区溢出并泄露数据。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
LinuxLinux d6112ea0cb344d6f5ed519991e24f69ba4b43d0e ~ 09427bcb1715fb20a80b6acd5156dbf15ab5c363 -
LinuxLinux 5.2 -

II. Public POCs for CVE-2026-31697

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-31697

登录查看更多情报信息。

Same Patch Batch · Linux · 2026-05-01 · 146 CVEs total

CVE-2026-430119.8 CRITICALnet/x25: Fix potential double free of skb
CVE-2026-430379.8 CRITICALip6_tunnel: clear skb2->cb[] in ip4ip6_err()
CVE-2026-317059.8 CRITICALksmbd: fix out-of-bounds write in smb2_get_ea() EA alignment
CVE-2026-430389.8 CRITICALipv6: icmp: clear skb2->cb[] in ip6_err_gen_icmpv6_unreach()
CVE-2026-430399.8 CRITICALnet: ti: icssg-prueth: fix missing data copy and wrong recycle in ZC RX dispatch
CVE-2026-317189.8 CRITICALksmbd: fix use-after-free in __ksmbd_close_fd() via durable scavenger
CVE-2026-430188.8 HIGHBluetooth: hci_event: fix potential UAF in hci_le_remote_conn_param_req_evt
CVE-2026-317738.8 HIGHBluetooth: SMP: derive legacy responder STK authentication from MITM state
CVE-2026-317398.8 HIGHcrypto: tegra - Add missing CRYPTO_ALG_ASYNC
CVE-2026-317358.8 HIGHiommupt: Fix short gather if the unmap goes into a large mapping
CVE-2026-317178.8 HIGHksmbd: validate owner of durable handle on reconnect
CVE-2026-430488.8 HIGHHID: core: Mitigate potential OOB by removing bogus memset()
CVE-2026-317098.8 HIGHsmb: client: validate the whole DACL before rewriting it in cifsacl
CVE-2026-317068.8 HIGHksmbd: validate num_aces and harden ACE walk in smb_inherit_dacl()
CVE-2026-317128.3 HIGHksmbd: require minimum ACE size in smb_check_perm_dacl()
CVE-2026-317718.1 HIGHBluetooth: hci_event: move wake reason storage into validated event handlers
CVE-2026-317798.1 HIGHwifi: iwlwifi: mvm: fix potential out-of-bounds read in iwl_mvm_nd_match_info_handler()
CVE-2026-430518.1 HIGHHID: wacom: fix out-of-bounds read in wacom_intuos_bt_irq
CVE-2026-317088.1 HIGHsmb: client: fix OOB read in smb2_ioctl_query_info QUERY_INFO path
CVE-2026-316957.8 HIGHwifi: virt_wifi: remove SET_NETDEV_DEV to avoid use-after-free

Showing top 20 of 146 CVEs. View all on vendor page &rarr; →

IV. Related Vulnerabilities

Same product: Linux
Same vendor: Linux

V. Comments for CVE-2026-31697

No comments yet

Leave a comment