Description
In the Linux kernel, the following vulnerability has been resolved:

virt: sev-guest: Do not use host-controlled page order in cleanup path

When issuing an extended guest request (SVM_VMGEXIT_EXT_GUEST_REQUEST),
get_ext_report() allocates a buffer to retrieve a certificate blob from the
host, keeping track of its size in report_req->certs_len.

However, the host may return SNP_GUEST_VMM_ERR_INVALID_LEN, indicating
an invalid buffer size, as well as the expected length of such buffer.
get_ext_report() subsequently updates report_req->certs_len with the
host-controlled value, and cleans up the buffer by computing a page order
from such value. This is incorrect, as the host-provided length may not
match the page order of the original allocation, potentially resulting
in corruption in the page allocator.

Fix this by using alloc_pages_exact() instead, and reusing @npages to
compute the size passed to free_pages_exact(). For consistency, also
use @npages to compute the size when allocating the pages, even though
this last change has no functional effect.
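The order mismatch described above, as an added userspace C model (not the sev-guest driver's code, and not from the kernel tree). `get_order_model()`, `struct cleanup` and both `cleanup_*` functions are hypothetical names; 4 KiB pages and a non-zero request length are assumed.

```c
#include <stddef.h>
#include <stdio.h>
#define PAGE_SHIFT 12                      /* assumption: 4 KiB pages */
#define PAGE_SIZE  ((size_t)1 << PAGE_SHIFT)
struct cleanup { unsigned alloc_order, free_order; size_t alloc_bytes, free_bytes; };

/* Hypothetical model of get_order(): smallest order with
 * (PAGE_SIZE << order) >= size, for size > 0. */
static unsigned get_order_model(size_t size)
{
    size_t pages = (size + PAGE_SIZE - 1) >> PAGE_SHIFT;
    unsigned order = 0;
    while (((size_t)1 << order) < pages)
        order++;
    return order;
}

/* Pre-fix pattern: the free-side order is derived from certs_len after the
 * host's "expected length" reply has overwritten it. */
static struct cleanup cleanup_before_fix(size_t certs_len, size_t host_len)
{
    struct cleanup c;
    c.alloc_order = get_order_model(certs_len);
    c.alloc_bytes = PAGE_SIZE << c.alloc_order;
    certs_len = host_len;                  /* INVALID_LEN reply: host-controlled */
    c.free_order = get_order_model(certs_len);
    c.free_bytes = PAGE_SIZE << c.free_order;
    return c;
}

/* Post-fix pattern: npages is fixed before the request and sizes both the
 * allocation and the free; the host value never feeds the cleanup size. */
static struct cleanup cleanup_after_fix(size_t certs_len, size_t host_len)
{
    size_t npages = (certs_len + PAGE_SIZE - 1) >> PAGE_SHIFT;
    struct cleanup c = {0, 0, npages << PAGE_SHIFT, 0};
    (void)host_len;                        /* only reported back to the caller */
    c.free_bytes = npages << PAGE_SHIFT;
    return c;
}

int main(void)
{
    struct cleanup b = cleanup_before_fix(PAGE_SIZE, 16 * PAGE_SIZE); /* constructed */
    struct cleanup a = cleanup_after_fix(PAGE_SIZE, 16 * PAGE_SIZE);
    printf("before: alloc order %u, free order %u\n", b.alloc_order, b.free_order);
    printf("after:  alloc %zu bytes, free %zu bytes\n", a.alloc_bytes, a.free_bytes);
    return 0;
}
```

With the constructed values, the pre-fix path allocates at order 0 and frees at order 4, while the post-fix path frees exactly the bytes it allocated whatever length the host reports.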
Published: 2026-06-24
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

When an extended guest request is made, the kernel allocates a buffer to receive a certificate from the host, storing its size in a request structure. The host can reply with an error that also includes an invalid buffer size. The kernel then uses this host‑supplied length to calculate a page order and frees the buffer. Because the length may not correspond to the original allocation size, the calculation can be incorrect, corrupting the page allocator. This memory corruption could allow a malicious guest to trigger a kernel crash, escalate to kernel privileges, or disrupt the system’s stability.

Affected Systems

The Linux kernel, as reported by the Linux CNA. Exact patch releases are not listed, but the fix is present in later kernel versions that include the commits referenced in the advisory. Users of any Linux distribution that ships with older kernel images are potentially affected.

Risk and Exploitability

The vulnerability involves kernel‑mode memory corruption and is therefore classified as a high‑impact flaw. No CVSS score has been published and no EPSS value is available, so the likelihood of exploitation is unknown, but the potential impact is severe. The flaw is not catalogued in the CISA KEV list. Exploitation likely requires local or guest‑persistent access to the virtual machine, making the risk moderate to high, depending on whether vulnerable kernel versions are present.

Generated by OpenCVE AI on June 24, 2026 at 19:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install a kernel update that contains the fix for the page order calculation bug.
  • Confirm that the virtual machine management software (SVM) is also updated to the latest version that incorporates the corrected guest request handling.
  • Monitor system logs for kernel panics or abnormal memory allocator behavior that could indicate an attempted exploitation.


Advisories

No advisories yet.

History

Wed, 24 Jun 2026 19:30:00 +0000

Values added (none removed):
  • Weaknesses: CWE-239, CWE-787

Wed, 24 Jun 2026 17:15:00 +0000

Values added (none removed):
  • Description: the text shown under Description at the top of this page
  • Title: virt: sev-guest: Do not use host-controlled page order in cleanup path
  • First Time appeared: Linux; Linux linux Kernel
  • CPEs: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
  • Vendors & Products: Linux; Linux linux Kernel
MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-24T16:28:40.391Z

Reserved: 2026-06-09T07:44:35.373Z

Link: CVE-2026-52959

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T19:15:15Z

Weaknesses
  • CWE-239

    Failure to Handle Incomplete Element

  • CWE-787

    Out-of-bounds Write