CVE-2026-31788 - Vulnerability Details

- xen/privcmd: restrict usage in unprivileged domU

Description

In the Linux kernel, the following vulnerability has been resolved:

xen/privcmd: restrict usage in unprivileged domU

The Xen privcmd driver allows to issue arbitrary hypercalls from
user space processes. This is normally no problem, as access is
usually limited to root and the hypervisor will deny any hypercalls
affecting other domains.

In case the guest is booted using secure boot, however, the privcmd
driver would be enabling a root user process to modify e.g. kernel
memory contents, thus breaking the secure boot feature.

The only known case where an unprivileged domU is really needing to
use the privcmd driver is the case when it is acting as the device
model for another guest. In this case all hypercalls issued via the
privcmd driver will target that other guest.

Fortunately the privcmd driver can already be locked down to allow
only hypercalls targeting a specific domain, but this mode can be
activated from user land only today.

The target domain can be obtained from Xenstore, so when not running
in dom0 restrict the privcmd driver to that target domain from the
beginning, resolving the potential problem of breaking secure boot.

This is XSA-482

---
V2:
- defer reading from Xenstore if Xenstore isn't ready yet (Jan Beulich)
- wait in open() if target domain isn't known yet
- issue message in case no target domain found (Jan Beulich)

Published: 2026-03-25

Score: 8.2 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The xen/privcmd driver can execute arbitrary hypercalls from user‑space processes. Normally access is restricted to root and the hypervisor blocks calls that affect other domains. When a guest boots with secure boot enabled, a root process inside that guest can use the driver to modify kernel memory, effectively bypassing the secure boot protection. This flaw only matters for an unprivileged domU that uses the privcmd driver as the device model for another guest, because the hypercalls then target that second guest.

Affected Systems

Affected systems are Linux kernels that include the xen/privcmd module, specifically hosts running XSA‑482–affected code. Version information is not explicitly listed, so any kernel that contains this driver without the lock‑down is vulnerable. The flaw is present in the Linux kernel, as indicated by the provided CPE string.

Risk and Exploitability

The vulnerability scores CVSS 8.2 and has an EPSS probability below 1 %. It is not listed in the CISA KEV catalog, but its high severity and the ability to compromise the hypervisor or other guests make it a significant risk. The likely attack vector is a local or privileged process inside an unprivileged domU that can issue hypercalls after secure boot is enabled; this is inferred from the description. Exploitation would allow unauthorized modification of kernel or guest memory, yielding privilege escalation and possible remote code execution at the host or second‑guest level.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`1c5de1939c204bde9cce87f4eb3d26e9f9eb732b`	affected	< 4eb245ff0d33b618e097a2c23de5df56d4ad6969
`1c5de1939c204bde9cce87f4eb3d26e9f9eb732b`	affected	< 3ee5b9e3de4b8bdd74183d83205481c91a9effc8
`1c5de1939c204bde9cce87f4eb3d26e9f9eb732b`	affected	< 87a803edb2ded911cb587c53bff179d2a2ed2a28
`1c5de1939c204bde9cce87f4eb3d26e9f9eb732b`	affected	< 1879319d790f7d57622cdc22807b60ea78b56b6d
`1c5de1939c204bde9cce87f4eb3d26e9f9eb732b`	affected	< 78432d8f0372c71c518096395537fa12be7ff24e
`1c5de1939c204bde9cce87f4eb3d26e9f9eb732b`	affected	< 389bae9a4409934e8b8d4dbdaaf02a3ae71cf8e4
`1c5de1939c204bde9cce87f4eb3d26e9f9eb732b`	affected	< cbede2e833da1893afbea9b3ff29b5dda23a4a91
`1c5de1939c204bde9cce87f4eb3d26e9f9eb732b`	affected	< 453b8fb68f3641fea970db88b7d9a153ed2a37e8

Linux

affected

Version	Status	Constraints
`2.6.37`	affected	—
`0`	unaffected	< 2.6.37
`5.10.253`	unaffected	≤ 5.10.*
`5.15.203`	unaffected	≤ 5.15.*
`6.1.167`	unaffected	≤ 6.1.*
`6.6.130`	unaffected	≤ 6.6.*
`6.12.78`	unaffected	≤ 6.12.*
`6.18.20`	unaffected	≤ 6.18.*
`6.19.10`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,87a803edb2ded911cb587c53bff179d2a2ed2a28)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,1879319d790f7d57622cdc22807b60ea78b56b6d)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,78432d8f0372c71c518096395537fa12be7ff24e)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,389bae9a4409934e8b8d4dbdaaf02a3ae71cf8e4)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,cbede2e833da1893afbea9b3ff29b5dda23a4a91)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[6.1.167,6.2.0)`	unaffected	semver	—
`[6.6.130,6.7.0)`	unaffected	semver	—
`[6.12.78,6.13.0)`	unaffected	semver	—
`[6.18.20,6.19.0)`	unaffected	semver	—
`[6.19.10,6.20.0)`	unaffected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the vendor‑supplied kernel update that includes the XSA‑482 fix for the privcmd driver.
If no update is available, configure each unprivileged domU to set the privcmd target domain through Xenstore before it opens the driver.
For domUs that do not require privcmd as a device model, disable the driver entirely.
Verify that secure boot remains active and that privileged processes on the guest cannot access the privcmd interface.

Generated by OpenCVE AI on April 2, 2026 at 17:00 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00015.

Key SSVC decision points have not yet been added.

References

Link	Providers
http://www.openwall.com/lists/oss-security/2026/03/24/2
http://www.openwall.com/lists/oss-security/2026/03/24/3
http://www.openwall.com/lists/oss-security/2026/03/24/4
http://www.openwall.com/lists/oss-security/2026/03/24/5
http://www.openwall.com/lists/oss-security/2026/03/26/4
http://xenbits.xen.org/xsa/advisory-482.html
https://git.kernel.org/stable/c/1879319d790f7d57622cdc22807b60ea78b56b6d
https://git.kernel.org/stable/c/389bae9a4409934e8b8d4dbdaaf02a3ae71cf8e4
https://git.kernel.org/stable/c/3ee5b9e3de4b8bdd74183d83205481c91a9effc8
https://git.kernel.org/stable/c/453b8fb68f3641fea970db88b7d9a153ed2a37e8
https://git.kernel.org/stable/c/4eb245ff0d33b618e097a2c23de5df56d4ad6969
https://git.kernel.org/stable/c/78432d8f0372c71c518096395537fa12be7ff24e
https://git.kernel.org/stable/c/87a803edb2ded911cb587c53bff179d2a2ed2a28
https://git.kernel.org/stable/c/cbede2e833da1893afbea9b3ff29b5dda23a4a91
https://lore.kernel.org/linux-cve-announce/2026032548-CVE-2026-31788-032c@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-31788
https://www.cve.org/CVERecord?id=CVE-2026-31788

History

Sat, 18 Apr 2026 09:15:00 +0000

Type	Values Removed	Values Added
References		https://git.kernel.org/stable/c/3ee5b9e3de4b8bdd74183d83205481c91a9effc8 https://git.kernel.org/stable/c/4eb245ff0d33b618e097a2c23de5df56d4ad6969

Thu, 02 Apr 2026 15:15:00 +0000

Type	Values Removed	Values Added
Metrics	cvssV3_1 `{'score': 6.7, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}`	cvssV3_1 `{'score': 8.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H'}`

Mon, 30 Mar 2026 07:30:00 +0000

Type	Values Removed	Values Added
References		https://git.kernel.org/stable/c/453b8fb68f3641fea970db88b7d9a153ed2a37e8

Thu, 26 Mar 2026 17:30:00 +0000

Type	Values Removed	Values Added
References		http://www.openwall.com/lists/oss-security/2026/03/26/4

Thu, 26 Mar 2026 12:30:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-269 CWE-284

Thu, 26 Mar 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-266
References		https://lore.kernel.org/linux-cve-announce/2026032548-CVE-2026-31788-032c@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-31788 https://www.cve.org/CVERecord?id=CVE-2026-31788
Metrics	threat_severity `None`	cvssV3_1 `{'score': 6.7, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}` threat_severity `Moderate`

Wed, 25 Mar 2026 22:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-269 CWE-284

Wed, 25 Mar 2026 12:30:00 +0000

Type	Values Removed	Values Added
References		http://www.openwall.com/lists/oss-security/2026/03/24/2 http://www.openwall.com/lists/oss-security/2026/03/24/3 http://www.openwall.com/lists/oss-security/2026/03/24/4 http://www.openwall.com/lists/oss-security/2026/03/24/5 http://xenbits.xen.org/xsa/advisory-482.html

Wed, 25 Mar 2026 10:45:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: xen/privcmd: restrict usage in unprivileged domU The Xen privcmd driver allows to issue arbitrary hypercalls from user space processes. This is normally no problem, as access is usually limited to root and the hypervisor will deny any hypercalls affecting other domains. In case the guest is booted using secure boot, however, the privcmd driver would be enabling a root user process to modify e.g. kernel memory contents, thus breaking the secure boot feature. The only known case where an unprivileged domU is really needing to use the privcmd driver is the case when it is acting as the device model for another guest. In this case all hypercalls issued via the privcmd driver will target that other guest. Fortunately the privcmd driver can already be locked down to allow only hypercalls targeting a specific domain, but this mode can be activated from user land only today. The target domain can be obtained from Xenstore, so when not running in dom0 restrict the privcmd driver to that target domain from the beginning, resolving the potential problem of breaking secure boot. This is XSA-482 --- V2: - defer reading from Xenstore if Xenstore isn't ready yet (Jan Beulich) - wait in open() if target domain isn't known yet - issue message in case no target domain found (Jan Beulich)
Title		xen/privcmd: restrict usage in unprivileged domU
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/1879319d790f7d57622cdc22807b60ea78b56b6d https://git.kernel.org/stable/c/389bae9a4409934e8b8d4dbdaaf02a3ae71cf8e4 https://git.kernel.org/stable/c/78432d8f0372c71c518096395537fa12be7ff24e https://git.kernel.org/stable/c/87a803edb2ded911cb587c53bff179d2a2ed2a28 https://git.kernel.org/stable/c/cbede2e833da1893afbea9b3ff29b5dda23a4a91

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-03-25T10:25:05.542Z

Updated: 2026-04-18T08:59:47.134Z

Reserved: 2026-03-09T15:48:24.141Z

Link: CVE-2026-31788

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-03-25T11:16:40.513

Modified: 2026-04-18T09:16:33.170

Link: CVE-2026-31788

Redhat

Severity : Moderate

Publid Date: 2026-03-25T00:00:00Z

Links: CVE-2026-31788 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-02T20:23:12Z

Weaknesses

CWE-266

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object