Description
In the Linux kernel, the following vulnerability has been resolved:

virt: tdx-guest: Fix handling of host controlled 'quote' buffer length

Validate host controlled value `quote_buf->out_len` that determines how
many bytes of the quote are copied out to guest userspace. In TDX
environments with remote attestation, quotes are not considered private,
and can be forwarded to an attestation server.

Catch scenarios where the host specifies a response length larger than
the guest's allocation, or otherwise races modifying the response while
the guest consumes it.

This prevents contents beyond the pages allocated for `quote_buf`
(up to TSM_REPORT_OUTBLOB_MAX) from being read out to guest userspace,
and possibly forwarded in attestation requests.

Recall that some deployments want per-container configfs-tsm-report
interfaces, so the leak may cross container protection boundaries, not
just local root.
Published: 2026-04-22
Score: 7.0 High
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Apply Patch
AI Analysis

Impact

This vulnerability in the Linux kernel’s TDX guest interface allows a host to supply a quote buffer length that exceeds the space allocated for a guest. The kernel incorrectly copies the entire host-specified length into guest user space, enabling an attacker to read data beyond the allocated pages. The leaked data could contain sensitive host or kernel information and may be forwarded to an external attestation server or read by an unprivileged process, resulting in information disclosure and potential cross‑container data leaks.
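A user-space model of the validation the description calls for, added here as an illustration and not the kernel patch itself. The struct layout and all names are assumptions; it shows the host-written length being fetched once, bounded by the guest's own allocation, and only then used for the copy.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of a buffer shared with an untrusted host: a header the
 * host fills in, followed by the quote bytes. Field names are assumptions. */
struct shared_quote {
    uint32_t in_len;
    uint32_t out_len;   /* written by the host: never trust as-is */
    uint8_t  data[];
};

/* 'Before' pattern: the copy length comes straight from the host. */
size_t copy_len_unchecked(const struct shared_quote *q)
{
    return q->out_len;
}

/* 'After' pattern: fetch the host value once, bound it by what the guest
 * actually allocated, then copy using that same snapshot. */
long copy_quote_checked(const struct shared_quote *q, size_t alloc_size,
                        uint8_t *dst, size_t dst_cap)
{
    /* Single read, so a concurrent host write cannot change the length
     * between the check and the copy. */
    uint32_t len = *(const volatile uint32_t *)&q->out_len;

    if (alloc_size < sizeof(*q) || len > alloc_size - sizeof(*q) || len > dst_cap)
        return -1;      /* host claims more than the guest allocated */
    memcpy(dst, q->data, len);
    return (long)len;
}

/* Constructed scenario: 64-byte payload allocation, host-supplied length. */
long demo(uint32_t host_out_len)
{
    size_t alloc_size = sizeof(struct shared_quote) + 64;
    struct shared_quote *q = calloc(1, alloc_size);
    uint8_t out[64];
    long r;

    if (!q)
        return -2;
    memset(q->data, 0xAB, 64);
    q->out_len = host_out_len;
    r = copy_quote_checked(q, alloc_size, out, sizeof(out));
    free(q);
    return r;
}

int main(void) { return (demo(16) == 16 && demo(4096) == -1) ? 0 : 1; }
```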

Affected Systems

The flaw affects Linux kernel implementations that support Intel TDX guest environments. Any distribution built on the Linux kernel with TDX support is potentially impacted; the specific kernel versions are not listed in the advisory and should be identified by checking for the presence of the patch in the kernel tree.

Risk and Exploitability

No CVSS or EPSS score is provided in the advisory, and the vulnerability is not listed in the CISA KEV catalog. Because the flaw enables out‑of‑bounds reads of host‑controlled data, it carries a high risk of information disclosure, especially in multi‑container environments where the content can cross protection boundaries. The lack of published metrics does not imply low risk; the attack vector requires a host that can control the quote buffer size, which is typically only possible for a privileged actor controlling the virtualization environment.

Generated by OpenCVE AI on April 22, 2026 at 18:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that includes the patch for the TDX guest quote buffer length check
  • If immediate kernel upgrade is not possible, restrict or disable the TDX attestation quote APIs for untrusted containers
  • Apply the patch or kernel update to all hosts that run TDX guests to prevent cross‑container data leakage



Advisories

No advisories yet.

History

Thu, 23 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-125
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate


Wed, 22 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
CWE-200

Wed, 22 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Title virt: tdx-guest: Fix handling of host controlled 'quote' buffer length
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-22T13:53:58.925Z

Reserved: 2026-03-09T15:48:24.097Z

Link: CVE-2026-31470

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-22T14:16:43.473

Modified: 2026-04-22T14:16:43.473

Link: CVE-2026-31470

Redhat

Severity: Moderate

Public Date: 2026-04-22T00:00:00Z

Links: CVE-2026-31470 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-22T20:00:08Z

Weaknesses