CVE-2026-31588 · HIGH 8.8 · EPSS p2.8%
linux / linux_kernel
Description
In the Linux kernel, the following vulnerability has been resolved:
KVM: x86: Use scratch field in MMIO fragment to hold small write values
When exiting to userspace to service an emulated MMIO write, copy the
to-be-written value to a scratch field in the MMIO fragment if the size
of the data payload is 8 bytes or less, i.e. can fit in a single chunk,
instead of pointing the fragment directly at the source value.
This fixes a class of use-after-free bugs that occur when the emulator
initiates a write using an on-stack, local variable as the source, the
write splits a page boundary, *and* both pages are MMIO pages. Because
KVM's ABI only allows for physically contiguous MMIO requests, accesses
that split MMIO pages are separated into two fragments, and are sent to
userspace one at a time. When KVM attempts to complete userspace MMIO in
response to KVM_RUN after the first fragment, KVM will detect the second
fragment and generate a second userspace exit, and reference the on-stack
v
Scoring
| CVSS 3.1 | 8.8 (HIGH) |
| Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
| EPSS | 0.13% probability of exploitation · percentile 2.8% · 2026-06-18T12:00:27Z |
| Published | 2026-04-24 |
| Last modified | 2026-06-01 |
Underlying weaknesses · 1
References
- https://git.kernel.org/stable/c/0b16e69d17d8c35c5c9d5918bf596c75a44655d3
- https://git.kernel.org/stable/c/22d2ff69d487a32a8b88f9c970120fc2daa08a77
- https://git.kernel.org/stable/c/2b83d91e9ae92fe1258d7040a32430bbb3bb7d6e
- https://git.kernel.org/stable/c/3a7b6d75c8f85b09dea893f64a85a356bcf6c3fe
- https://git.kernel.org/stable/c/b5a02d37eb0739f462fa12df449ab9b3480c783b
- https://git.kernel.org/stable/c/dc6a6c3db3a4eca7e747cfc46e22c08d016c68f7
| Type | Target | Confidence | Tier |
|---|---|---|---|
| Weakness | Use After Free (CWE-416) | 0% | live |