CVE-2026-31553

HIGH8.8

KVM: arm64: Fix the descriptor address in __kvm_at_swap_desc()

Published Apr 24, 2026

Modified 6 days ago

Details

In the Linux kernel, the following vulnerability has been resolved:

KVM: arm64: Fix the descriptor address in __kvm_at_swap_desc()

Using "(u64 __user )hva + offset" to get the virtual addresses of S1/S2 descriptors looks really wrong, if offset is not zero. What we want to get for swapping is hva + offset, not hva + offset8. ;-)

Fix it.

References

WEB

https://git.kernel.org/stable/c/0496acc42fb51eee040b5170cec05cec41385540

WEB

https://git.kernel.org/stable/c/4307e05e568782fc92eff651b09ee5dee88a058d

ADVISORY

https://www.cve.org/CVERecord?id=CVE-2026-31553

CVSS Analysis

CVSS v3.1

8.8

Exploitability

Attack Vector

LocalAV:L

Attack Complexity

LowAC:L

Privileges Required

LowPR:L

User Interaction

NoneUI:N

Scope

ChangedS:C

Impact

Confidentiality

HighC:H

Integrity

HighI:H

Availability

HighA:H

8.8/CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Ecosystems

Timeline

PublishedApr 24, 2026

ModifiedMay 11, 2026