CVE-2026-31558 - Vulnerability Details

- LoongArch: KVM: Make kvm_get_vcpu_by_cpuid() more robust

Description

In the Linux kernel, the following vulnerability has been resolved:

LoongArch: KVM: Make kvm_get_vcpu_by_cpuid() more robust

kvm_get_vcpu_by_cpuid() takes a cpuid parameter whose type is int, so
cpuid can be negative. Let kvm_get_vcpu_by_cpuid() return NULL for this
case so as to make it more robust.

This fix an out-of-bounds access to kvm_arch::phyid_map::phys_map[].

Published: 2026-04-24

Score: 8.8 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability exists in the LoongArch implementation of the Linux kernel’s KVM hypervisor. The function kvm_get_vcpu_by_cpuid() accepts a signed integer cpuid argument, and a negative value causes the routine to index the phyid_map::phys_map[] array outside its bounds. This out‑of‑bounds access can trigger a kernel panic or expose sensitive kernel memory, resulting in a denial of service or information leakage for a local attacker.

Affected Systems

The flaw affects Linux kernel releases 6.10 and all 7.0 release candidates (rc1 through rc7). It is present in the standard Linux kernel distribution and therefore impacts any system running one of those kernel versions, regardless of vendor. The CPE identifier confirms its reach across all Linux kernel builds.

Risk and Exploitability

The CVSS score of 8.8 indicates a high severity. With an EPSS score of less than 1%, the current data suggests a very low exploitation probability under normal conditions. The weakness is not listed in CISA’s KEV catalog. Exploitation would require local kernel access or control over a virtual machine executing KVM, implying a privileged or sophisticated adversary. The attack vector is likely local or confined to virtual machine guests, and no externally public exploits are documented at this time.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`73516e9da512adc63ba3859fbd82a21f6257348f`	affected	< 596c3f8069c4792f22fce8c4452f44410032d910
`73516e9da512adc63ba3859fbd82a21f6257348f`	affected	< 878cf6acb4fd8ab4126cf9d369a5bb0e23123418
`73516e9da512adc63ba3859fbd82a21f6257348f`	affected	< 47857b05bd50db01e211a1b6f513d57901cd3e6b
`73516e9da512adc63ba3859fbd82a21f6257348f`	affected	< 2db06c15d8c7a0ccb6108524e16cd9163753f354

Linux

affected

Version	Status	Constraints
`6.10`	affected	—
`0`	unaffected	< 6.10
`6.12.80`	unaffected	≤ 6.12.*
`6.18.21`	unaffected	≤ 6.18.*
`6.19.11`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel:6.10:-::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc1::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc2::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc3::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc4::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc5::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc6::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc7::::::

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[73516e9da512adc63ba3859fbd82a21f6257348f,596c3f8069c4792f22fce8c4452f44410032d910)`	affected	code_commit	—
`[73516e9da512adc63ba3859fbd82a21f6257348f,878cf6acb4fd8ab4126cf9d369a5bb0e23123418)`	affected	code_commit	—
`[73516e9da512adc63ba3859fbd82a21f6257348f,47857b05bd50db01e211a1b6f513d57901cd3e6b)`	affected	code_commit	—
`[73516e9da512adc63ba3859fbd82a21f6257348f,2db06c15d8c7a0ccb6108524e16cd9163753f354)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`6.10`	affected	semver	—
`[0,6.10)`	unaffected	semver	—
`[6.12.80,6.13.0)`	unaffected	semver	—
`[6.18.21,6.19.0)`	unaffected	semver	—
`[6.19.11,7.0.0)`	unaffected	semver	—
`[7.0,*]`	unaffected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Linux kernel to a patched release that includes the kvm_get_vcpu_by_cpuid() fix.
Reboot or reload the affected KVM modules to apply the updated code and clear any stale mappings that could still reference the out‑of‑bounds path.
Monitor system logs for Oops or BUG reports related to KVM and apply kernel updates promptly when new patches are released for LoongArch KVM.

Generated by OpenCVE AI on April 28, 2026 at 14:14 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DSA	DSA-6238-1	linux security update

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00015.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/2db06c15d8c7a0ccb6108524e16cd9163753f354
https://git.kernel.org/stable/c/47857b05bd50db01e211a1b6f513d57901cd3e6b
https://git.kernel.org/stable/c/596c3f8069c4792f22fce8c4452f44410032d910
https://git.kernel.org/stable/c/878cf6acb4fd8ab4126cf9d369a5bb0e23123418
https://lore.kernel.org/linux-cve-announce/2026042457-CVE-2026-31558-1140@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-31558
https://www.cve.org/CVERecord?id=CVE-2026-31558

History

Mon, 27 Apr 2026 20:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-125
CPEs		cpe:2.3:o:linux:linux_kernel:6.10:-:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc1:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc2:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc3:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc4:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc5:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc6:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc7::::::

Mon, 27 Apr 2026 15:00:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 8.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}`

Sat, 25 Apr 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-839
References		https://lore.kernel.org/linux-cve-announce/2026042457-CVE-2026-31558-1140@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-31558 https://www.cve.org/CVERecord?id=CVE-2026-31558

Fri, 24 Apr 2026 15:00:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: LoongArch: KVM: Make kvm_get_vcpu_by_cpuid() more robust kvm_get_vcpu_by_cpuid() takes a cpuid parameter whose type is int, so cpuid can be negative. Let kvm_get_vcpu_by_cpuid() return NULL for this case so as to make it more robust. This fix an out-of-bounds access to kvm_arch::phyid_map::phys_map[].
Title		LoongArch: KVM: Make kvm_get_vcpu_by_cpuid() more robust
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/2db06c15d8c7a0ccb6108524e16cd9163753f354 https://git.kernel.org/stable/c/47857b05bd50db01e211a1b6f513d57901cd3e6b https://git.kernel.org/stable/c/596c3f8069c4792f22fce8c4452f44410032d910 https://git.kernel.org/stable/c/878cf6acb4fd8ab4126cf9d369a5bb0e23123418

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-04-24T14:35:41.209Z

Updated: 2026-05-11T22:11:06.540Z

Reserved: 2026-03-09T15:48:24.116Z

Link: CVE-2026-31558

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-04-24T15:16:30.200

Modified: 2026-04-27T20:13:55.210

Link: CVE-2026-31558

Redhat

Severity :

Publid Date: 2026-04-24T00:00:00Z

Links: CVE-2026-31558 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-28T14:15:34Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object