UBUNTU-CVE-2026-31699
Vulnerability Summary
Timeline
Description
In the Linux kernel, the following vulnerability has been resolved: crypto: ccp: Don't attempt to copy CSR to userspace if PSP command failed When retrieving the PEK CSR, don't attempt to copy the blob to userspace if the firmware command failed. If the failure was due to an invalid length, i.e. the userspace buffer+length was too small, copying the number of bytes _firmware_ requires will overflow the kernel-allocated buffer and leak data to userspace. BUG: KASAN: slab-out-of-bounds in instrument_copy_to_user ../include/linux/instrumented.h:129 [inline] BUG: KASAN: slab-out-of-bounds in _inline_copy_to_user ../include/linux/uaccess.h:205 [inline] BUG: KASAN: slab-out-of-bounds in _copy_to_user+0x66/0xa0 ../lib/usercopy.c:26 Read of size 2084 at addr ffff898144612e20 by task syz.9.219/21405 CPU: 14 UID: 0 PID: 21405 Comm: syz.9.219 Tainted: G U O 7.0.0-smp-DEV #28 PREEMPTLAZY Tainted: [U]=USER, [O]=OOT_MODULE Hardware name: Google, Inc. Arcadia_IT_80/Arcadia_IT_80, BIOS 12.62.0-0 11/19/2025 Call Trace: <TASK> dump_stack_lvl+0xc5/0x110 ../lib/dump_stack.c:120 print_address_description ../mm/kasan/report.c:378 [inline] print_report+0xbc/0x260 ../mm/kasan/report.c:482 kasan_report+0xa2/0xe0 ../mm/kasan/report.c:595 check_region_inline ../mm/kasan/generic.c:-1 [inline] kasan_check_range+0x264/0x2c0 ../mm/kasan/generic.c:200 instrument_copy_to_user ../include/linux/instrumented.h:129 [inline] _inline_copy_to_user ../include/linux/uaccess.h:205 [inline] _copy_to_user+0x66/0xa0 ../lib/usercopy.c:26 copy_to_user ../include/linux/uaccess.h:236 [inline] sev_ioctl_do_pek_csr+0x31f/0x590 ../drivers/crypto/ccp/sev-dev.c:1872 sev_ioctl+0x3a4/0x490 ../drivers/crypto/ccp/sev-dev.c:2562 vfs_ioctl ../fs/ioctl.c:51 [inline] __do_sys_ioctl ../fs/ioctl.c:597 [inline] __se_sys_ioctl+0x11d/0x1b0 ../fs/ioctl.c:583 do_syscall_x64 ../arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xe0/0x800 ../arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x76/0x7e </TASK> WARN if the driver says the command succeeded, but the firmware error code says otherwise, as __sev_do_cmd_locked() is expected to return -EIO on any firwmware error.
CVSS Metrics
- v3.1•HIGH•Score: 7.1CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Affected Systems
- ubuntu•linux
all | all | all | all | all
- ubuntu•linux-allwinner-5.19
all
- ubuntu•linux-aws
all | all | all | all | all
- ubuntu•linux-aws-5.0
all
- ubuntu•linux-aws-5.11
all
- ubuntu•linux-aws-5.13
all
- ubuntu•linux-aws-5.15
all
- ubuntu•linux-aws-5.19
all
- ubuntu•linux-aws-5.3
all
- ubuntu•linux-aws-5.4
all
- ubuntu•linux-aws-5.8
all
- ubuntu•linux-aws-6.14
all
- ubuntu•linux-aws-6.17
all
- ubuntu•linux-aws-6.2
all
- ubuntu•linux-aws-6.5
all
- ubuntu•linux-aws-6.8
all
- ubuntu•linux-aws-fips
all
- ubuntu•linux-aws-hwe
all
- ubuntu•linux-azure
all | all | all | all | all | all
- ubuntu•linux-azure-4.15
all
- ubuntu•linux-azure-5.11
all
- ubuntu•linux-azure-5.13
all
- ubuntu•linux-azure-5.15
all
- ubuntu•linux-azure-5.19
all
- ubuntu•linux-azure-5.3
all
- ubuntu•linux-azure-5.4
all
- ubuntu•linux-azure-5.8
all
- ubuntu•linux-azure-6.11
all
- ubuntu•linux-azure-6.14
all
- ubuntu•linux-azure-6.17
all
- ubuntu•linux-azure-6.2
all
- ubuntu•linux-azure-6.5
all
- ubuntu•linux-azure-6.8
all
- ubuntu•linux-azure-edge
all
- ubuntu•linux-azure-fde
all | all | all | all | all
- ubuntu•linux-azure-fde-5.15
all
- ubuntu•linux-azure-fde-5.19
all
- ubuntu•linux-azure-fde-6.14
all
- ubuntu•linux-azure-fde-6.17
all
- ubuntu•linux-azure-fde-6.2
all
- ubuntu•linux-azure-fde-6.8
all
- ubuntu•linux-azure-fips
all
- ubuntu•linux-azure-nvidia
all
- ubuntu•linux-azure-nvidia-6.14
all
- ubuntu•linux-bluefield
all | all
- ubuntu•linux-fips
all
- ubuntu•linux-gcp
all | all | all | all | all | all
- ubuntu•linux-gcp-4.15
all
- ubuntu•linux-gcp-5.11
all
- ubuntu•linux-gcp-5.13
all
Showing first 50 affected entries in server-rendered view.