Description
In the Linux kernel, the following vulnerability has been resolved:

KVM: SEV: Drop WARN on large size for KVM_MEMORY_ENCRYPT_REG_REGION

Drop the WARN in sev_pin_memory() on npages overflowing an int, as the
WARN is comically trivially to trigger from userspace, e.g. by doing:

struct kvm_enc_region range = {
.addr = 0,
.size = -1ul,
};

__vm_ioctl(vm, KVM_MEMORY_ENCRYPT_REG_REGION, &range);

Note, the checks in sev_mem_enc_register_region() that presumably exist to
verify the incoming address+size are completely worthless, as both "addr"
and "size" are u64s and SEV is 64-bit only, i.e. they _can't_ be greater
than ULONG_MAX. That wart will be cleaned up in the near future.

if (range->addr > ULONG_MAX || range->size > ULONG_MAX)
return -EINVAL;

Opportunistically add a comment to explain why the code calculates the
number of pages the "hard" way, e.g. instead of just shifting @ulen.
Published: 2026-04-24
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Integer Overflow / Improper Input Validation
Action: Apply Patch
AI Analysis

Impact

In the Linux kernel’s KVM Secure Encrypted Virtualization subsystem, an integer overflow occurs when the number of pages that a memory region will occupy is calculated. The kernel emits a warning if the computed page count exceeds the size of a signed 32‑bit integer. A user with the ability to invoke the KVM_MEMORY_ENCRYPT_REG_REGION ioctl can deliberately trigger this condition by passing a negative size value. The overflow itself does not provide arbitrary code execution, privilege escalation, or direct data disclosure; it merely results in a warning message.

Affected Systems

All Linux kernel releases that include the KVM SEV implementation and contain the vulnerable code path are affected. No version range is specified in the CNA data, so any kernel older than the release that introduced the fix for CVE‑2026‑31590 is potentially impacted.

Risk and Exploitability

The CVSS base score of 5.5 indicates a moderate impact. The EPSS score of < 1 % suggests a very low probability that the flaw will be actively exploited. The vulnerability is not listed in CISA’s KEV catalog. To exploit the flaw an attacker must have privileged (root or equivalent) access to the host to issue the ioctl; non‑privileged users cannot trigger it. Consequently, the overall risk is moderate but the likelihood of successful exploitation remains low.

Generated by OpenCVE AI on April 29, 2026 at 01:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that includes the CVE‑2026‑31590 fix
  • Add input validation on the address and size fields of the KVM_MEMORY_ENCRYPT_REG_REGION ioctl before registration
  • Audit and monitor the host for anomalous KVM_MEMORY_ENCRYPT_REG_REGION calls, restricting execution to trusted privileged processes

Generated by OpenCVE AI on April 29, 2026 at 01:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6238-1 linux security update
History

Mon, 01 Jun 2026 17:00:00 +0000

Type Values Removed Values Added
References

Tue, 28 Apr 2026 20:45:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo

Mon, 27 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
References

Mon, 27 Apr 2026 11:30:00 +0000

Type Values Removed Values Added
References

Sat, 25 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-190
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate

Fri, 24 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: KVM: SEV: Drop WARN on large size for KVM_MEMORY_ENCRYPT_REG_REGION Drop the WARN in sev_pin_memory() on npages overflowing an int, as the WARN is comically trivially to trigger from userspace, e.g. by doing: struct kvm_enc_region range = { .addr = 0, .size = -1ul, }; __vm_ioctl(vm, KVM_MEMORY_ENCRYPT_REG_REGION, &range); Note, the checks in sev_mem_enc_register_region() that presumably exist to verify the incoming address+size are completely worthless, as both "addr" and "size" are u64s and SEV is 64-bit only, i.e. they _can't_ be greater than ULONG_MAX. That wart will be cleaned up in the near future. if (range->addr > ULONG_MAX || range->size > ULONG_MAX) return -EINVAL; Opportunistically add a comment to explain why the code calculates the number of pages the "hard" way, e.g. instead of just shifting @ulen.
Title KVM: SEV: Drop WARN on large size for KVM_MEMORY_ENCRYPT_REG_REGION
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-01T16:12:07.036Z

Reserved: 2026-03-09T15:48:24.120Z

Link: CVE-2026-31590

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2026-04-24T15:16:36.170

Modified: 2026-06-01T17:16:49.893

Link: CVE-2026-31590

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-24T00:00:00Z

Links: CVE-2026-31590 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T01:45:26Z

Weaknesses