{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-31590","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2026-03-09T15:48:24.120Z","datePublished":"2026-04-24T14:42:17.629Z","dateUpdated":"2026-05-11T22:11:43.972Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T22:11:43.972Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: SEV: Drop WARN on large size for KVM_MEMORY_ENCRYPT_REG_REGION\n\nDrop the WARN in sev_pin_memory() on npages overflowing an int, as the\nWARN is comically trivially to trigger from userspace, e.g. by doing:\n\n  struct kvm_enc_region range = {\n          .addr = 0,\n          .size = -1ul,\n  };\n\n  __vm_ioctl(vm, KVM_MEMORY_ENCRYPT_REG_REGION, &range);\n\nNote, the checks in sev_mem_enc_register_region() that presumably exist to\nverify the incoming address+size are completely worthless, as both \"addr\"\nand \"size\" are u64s and SEV is 64-bit only, i.e. they _can't_ be greater\nthan ULONG_MAX.  That wart will be cleaned up in the near future.\n\n\tif (range->addr > ULONG_MAX || range->size > ULONG_MAX)\n\t\treturn -EINVAL;\n\nOpportunistically add a comment to explain why the code calculates the\nnumber of pages the \"hard\" way, e.g. instead of just shifting @ulen."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["arch/x86/kvm/svm/sev.c"],"versions":[{"version":"78824fabc72e5e37d51e6e567fde70a4fc41a6d7","lessThan":"b670833749ffd8681361db2bb047c6f2e3075f3a","status":"affected","versionType":"git"},{"version":"78824fabc72e5e37d51e6e567fde70a4fc41a6d7","lessThan":"ab423e5892826202a660b5ac85d1125b0e8301a5","status":"affected","versionType":"git"},{"version":"78824fabc72e5e37d51e6e567fde70a4fc41a6d7","lessThan":"28cc13ca20431b127d42d84ba10898d03e2c8267","status":"affected","versionType":"git"},{"version":"78824fabc72e5e37d51e6e567fde70a4fc41a6d7","lessThan":"c29ff288a2d97a6f4640a498a367cf0eb91312eb","status":"affected","versionType":"git"},{"version":"78824fabc72e5e37d51e6e567fde70a4fc41a6d7","lessThan":"1cba4dcd795daf6d257122779fb6a349edf03914","status":"affected","versionType":"git"},{"version":"78824fabc72e5e37d51e6e567fde70a4fc41a6d7","lessThan":"8acffeef5ef720c35e513e322ab08e32683f32f2","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["arch/x86/kvm/svm/sev.c"],"versions":[{"version":"5.9","status":"affected"},{"version":"0","lessThan":"5.9","status":"unaffected","versionType":"semver"},{"version":"6.6.136","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.83","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.18.24","lessThanOrEqual":"6.18.*","status":"unaffected","versionType":"semver"},{"version":"6.19.14","lessThanOrEqual":"6.19.*","status":"unaffected","versionType":"semver"},{"version":"7.0.1","lessThanOrEqual":"7.0.*","status":"unaffected","versionType":"semver"},{"version":"7.1-rc1","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.9","versionEndExcluding":"6.6.136"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.9","versionEndExcluding":"6.12.83"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.9","versionEndExcluding":"6.18.24"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.9","versionEndExcluding":"6.19.14"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.9","versionEndExcluding":"7.0.1"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.9","versionEndExcluding":"7.1-rc1"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/b670833749ffd8681361db2bb047c6f2e3075f3a"},{"url":"https://git.kernel.org/stable/c/ab423e5892826202a660b5ac85d1125b0e8301a5"},{"url":"https://git.kernel.org/stable/c/28cc13ca20431b127d42d84ba10898d03e2c8267"},{"url":"https://git.kernel.org/stable/c/c29ff288a2d97a6f4640a498a367cf0eb91312eb"},{"url":"https://git.kernel.org/stable/c/1cba4dcd795daf6d257122779fb6a349edf03914"},{"url":"https://git.kernel.org/stable/c/8acffeef5ef720c35e513e322ab08e32683f32f2"}],"title":"KVM: SEV: Drop WARN on large size for KVM_MEMORY_ENCRYPT_REG_REGION","x_generator":{"engine":"bippy-1.2.0"}}}}