CVE-2026-31591 - Vulnerability Details

- KVM: SEV: Lock all vCPUs when synchronzing VMSAs for SNP launch finish

Description

In the Linux kernel, the following vulnerability has been resolved:

KVM: SEV: Lock all vCPUs when synchronzing VMSAs for SNP launch finish

Lock all vCPUs when synchronizing and encrypting VMSAs for SNP guests, as
allowing userspace to manipulate and/or run a vCPU while its state is being
synchronized would at best corrupt vCPU state, and at worst crash the host
kernel.

Opportunistically assert that vcpu->mutex is held when synchronizing its
VMSA (the SEV-ES path already locks vCPUs).

Published: 2026-04-24

Score: 5.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The flaw in the Linux kernel’s KVM implementation allows a userspace process that manages a virtual machine to manipulate or run a vCPU while its state is being synchronized and encrypted for SEV (Secure Encrypted Virtualization) guests. This unsynchronized access can corrupt the vCPU’s state or, in the worst case, crash the host kernel. The flaw is classified under CWE‑820, indicating improper handling of shared state during synchronization.

Affected Systems

Linux kernel systems running KVM are affected. No specific affected kernel version is listed; any kernel that has not incorporated the recent lock‑insertion patch is potentially vulnerable.

Risk and Exploitability

The CVSS score of 5.5 reflects a likely crash scenario and moderate exploitation complexity. The EPSS score is under 1%, indicating a low current probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. Exploitation would require the ability to control the execution of a KVM guest on the host, suggesting a privileged or compromised userspace process as the attack vector. Once accessed, a malicious user could trigger state corruption and cause a kernel panic, effectively denying service to the host and any other VMs running on it.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`ad27ce155566f2b4400fa865859834592bd18777`	affected	< 30fd9d8c82087742168db779929d8be0459b0716
`ad27ce155566f2b4400fa865859834592bd18777`	affected	< 4df77742e8b9a6b935bdf46f02fd0aca4d4ee7f5
`ad27ce155566f2b4400fa865859834592bd18777`	affected	< c87938fc7d99a06a7e5477c45b4e5a4148f85d66
`ad27ce155566f2b4400fa865859834592bd18777`	affected	< cb923ee6a80f4e604e6242a4702b59251e61a380

Linux

affected

Version	Status	Constraints
`6.11`	affected	—
`0`	unaffected	< 6.11
`6.18.24`	unaffected	≤ 6.18.*
`6.19.14`	unaffected	≤ 6.19.*
`7.0.1`	unaffected	≤ 7.0.*
`7.1-rc1`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[ad27ce155566f2b4400fa865859834592bd18777,30fd9d8c82087742168db779929d8be0459b0716)`	affected	code_commit	—
`[ad27ce155566f2b4400fa865859834592bd18777,4df77742e8b9a6b935bdf46f02fd0aca4d4ee7f5)`	affected	code_commit	—
`[ad27ce155566f2b4400fa865859834592bd18777,c87938fc7d99a06a7e5477c45b4e5a4148f85d66)`	affected	code_commit	—
`[ad27ce155566f2b4400fa865859834592bd18777,cb923ee6a80f4e604e6242a4702b59251e61a380)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`6.11`	affected	generic	—
`[0,6.11)`	unaffected	semver	—
`[6.18.24,6.19.0)`	unaffected	semver	—
`[6.19.14,6.20.0)`	unaffected	semver	—
`[7.0.1,7.1.0)`	unaffected	semver	—
`[7.1-rc1,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the Linux kernel to a version that includes the patch which locks all vCPUs when synchronizing VMSAs as referenced by commits 30fd9d8c82087742168db779929d8be0459b0716 and 4df77742e8b9a6b935bdf46f02fd0aca4d4ee7f5
Restrict KVM access to trusted users and avoid running untrusted or elevated userspace processes that can interact with vCPU state
Review and harden host configuration so that only authenticated and authorized guests can interact with the KVM driver

Generated by OpenCVE AI on April 28, 2026 at 23:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00015.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/30fd9d8c82087742168db779929d8be0459b0716
https://git.kernel.org/stable/c/4df77742e8b9a6b935bdf46f02fd0aca4d4ee7f5
https://git.kernel.org/stable/c/c87938fc7d99a06a7e5477c45b4e5a4148f85d66
https://git.kernel.org/stable/c/cb923ee6a80f4e604e6242a4702b59251e61a380
https://lore.kernel.org/linux-cve-announce/2026042415-CVE-2026-31591-4148@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-31591
https://www.cve.org/CVERecord?id=CVE-2026-31591

History

Tue, 28 Apr 2026 20:45:00 +0000

Type	Values Removed	Values Added
Weaknesses		NVD-CWE-noinfo
Metrics	cvssV3_1 `{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}`	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}`

Mon, 27 Apr 2026 11:30:00 +0000

Type	Values Removed	Values Added
References		https://git.kernel.org/stable/c/cb923ee6a80f4e604e6242a4702b59251e61a380

Sat, 25 Apr 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-820
References		https://lore.kernel.org/linux-cve-announce/2026042415-CVE-2026-31591-4148@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-31591 https://www.cve.org/CVERecord?id=CVE-2026-31591
Metrics	threat_severity `None`	cvssV3_1 `{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}` threat_severity `Moderate`

Fri, 24 Apr 2026 15:00:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: KVM: SEV: Lock all vCPUs when synchronzing VMSAs for SNP launch finish Lock all vCPUs when synchronizing and encrypting VMSAs for SNP guests, as allowing userspace to manipulate and/or run a vCPU while its state is being synchronized would at best corrupt vCPU state, and at worst crash the host kernel. Opportunistically assert that vcpu->mutex is held when synchronizing its VMSA (the SEV-ES path already locks vCPUs).
Title		KVM: SEV: Lock all vCPUs when synchronzing VMSAs for SNP launch finish
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/30fd9d8c82087742168db779929d8be0459b0716 https://git.kernel.org/stable/c/4df77742e8b9a6b935bdf46f02fd0aca4d4ee7f5 https://git.kernel.org/stable/c/c87938fc7d99a06a7e5477c45b4e5a4148f85d66

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-04-24T14:42:18.276Z

Updated: 2026-05-11T22:11:45.160Z

Reserved: 2026-03-09T15:48:24.120Z

Link: CVE-2026-31591

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-04-24T15:16:36.480

Modified: 2026-04-28T20:34:54.953

Link: CVE-2026-31591

Redhat

Severity : Moderate

Publid Date: 2026-04-24T00:00:00Z

Links: CVE-2026-31591 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-28T23:45:16Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object