Description
In the Linux kernel, the following vulnerability has been resolved:

virt: sev-guest: Do not use host-controlled page order in cleanup path

When issuing an extended guest request (SVM_VMGEXIT_EXT_GUEST_REQUEST),
get_ext_report() allocates a buffer to retrieve a certificate blob from the
host, keeping track of its size in report_req->certs_len.

However, the host may return SNP_GUEST_VMM_ERR_INVALID_LEN, indicating
an invalid buffer size, as well as the expected length of such buffer.
get_ext_report() subsequently updates report_req->certs_len with the
host-controlled value, and cleans up the buffer by computing a page order
from such value. This is incorrect, as the host-provided length may not
match the page order of the original allocation, potentially resulting
in corruption in the page allocator.

Fix this by using alloc_pages_exact() instead, and reusing @npages to
compute the size passed to free_pages_exact(). For consistency, also
use @npages to compute the size when allocating the pages, even though
this last change has no functional effect.
Published: 2026-06-24
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability occurs when the kernel handles an extended guest request. The host can return an error containing an invalid buffer size. The kernel then uses that length to compute a page order for freeing memory, which may not match the original allocation. This can corrupt the page allocator, leading to kernel memory corruption that could allow an attacker to crash the system, gain higher privileges, or cause denial of service.

Affected Systems

Vulnerable configurations exist in the Linux kernel across all variants before the fix. The affected sources are under the Linux kernel CNA; any distribution shipping an older kernel image that has not incorporated the commit references is potentially impacted. Users should verify whether their distribution’s kernel version includes the updates for the sev‑guest cleanup path.

Risk and Exploitability

The flaw is a classic kernel‑mode memory corruption. The CVSS score of 7.8 indicates high severity, while the EPSS score is < 1%, indicating low probability of exploitation. The issue is not listed in CISA KEV. Exploitation requires a guest that can trigger the extended request, so it is limited to virtual machines with the vulnerable kernel. Despite the low probability, the potential impact is severe, warranting prompt attention.

Generated by OpenCVE AI on June 28, 2026 at 13:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the kernel update that includes the fix for the page order calculation bug.
  • Update the SVM hypervisor to a version that incorporates the corrected guest request handling.
  • Monitor kernel logs for panics, abnormal memory allocator activity, or other signs of exploitation attempts.

Generated by OpenCVE AI on June 28, 2026 at 13:43 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 28 Jun 2026 08:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Fri, 26 Jun 2026 04:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-239
CWE-787

Fri, 26 Jun 2026 00:15:00 +0000


Wed, 24 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-239
CWE-787

Wed, 24 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: virt: sev-guest: Do not use host-controlled page order in cleanup path When issuing an extended guest request (SVM_VMGEXIT_EXT_GUEST_REQUEST), get_ext_report() allocates a buffer to retrieve a certificate blob from the host, keeping track of its size in report_req->certs_len. However, the host may return SNP_GUEST_VMM_ERR_INVALID_LEN, indicating an invalid buffer size, as well as the expected length of such buffer. get_ext_report() subsequently updates report_req->certs_len with the host-controlled value, and cleans up the buffer by computing a page order from such value. This is incorrect, as the host-provided length may not match the page order of the original allocation, potentially resulting in corruption in the page allocator. Fix this by using alloc_pages_exact() instead, and reusing @npages to compute the size passed to free_pages_exact(). For consistency, also use @npages to compute the size when allocating the pages, even though this last change has no functional effect.
Title virt: sev-guest: Do not use host-controlled page order in cleanup path
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-28T06:37:21.090Z

Reserved: 2026-06-09T07:44:35.373Z

Link: CVE-2026-52959

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity :

Publid Date: 2026-06-24T00:00:00Z

Links: CVE-2026-52959 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-28T13:45:06Z

Weaknesses
  • CWE-131

    Incorrect Calculation of Buffer Size