{“lastseen”:””,”description”:”In the Linux kernel, the following vulnerability has been resolved:\\n\\nKVM: x86: Use scratch field in MMIO fragment to hold small write values\\n\\nWhen exiting to userspace to service an emulated MMIO write, copy the\\nto-be-written value to a scratch field in the MMIO fragment if the size\\nof the data payload is 8 bytes or less, i.e. can fit in a single chunk,\\ninstead of pointing the fragment directly at the source value.\\n\\nThis fixes a class of use-after-free bugs that occur when the emulator\\ninitiates a write using an on-stack, local variable as the source, the\\nwrite splits a page boundary, *and* both pages are MMIO pages. Because\\nKVM’s ABI only allows for physically contiguous MMIO requests, accesses\\nthat split MMIO pages are separated into two fragments, and are sent to\\nuserspace one at a time. When KVM attempts to complete userspace MMIO in\\nresponse to KVM_RUN after the first fragment, KVM will detect the second\\nfragment and generate a second userspace exit, and reference the on-stack\\nvariable.\\n\\nThe issue is most visible if the second KVM_RUN is performed by a separate\\ntask, in which case the stack of the initiating task can show up as truly\\nfreed data.\\n\\n ==================================================================\\n BUG: KASAN: use-after-free in complete_emulated_mmio+0x305\/0x420\\n Read of size 1 at addr ffff888009c378d1 by task syz-executor417\/984\\n\\n CPU: 1 PID: 984 Comm: syz-executor417 Not tainted 5.10.0-182.0.0.95.h2627.eulerosv2r13.x86_64 #3\\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04\/01\/2014 Call Trace:\\n dump_stack+0xbe\/0xfd\\n print_address_description.constprop.0+0x19\/0x170\\n __kasan_report.cold+0x6c\/0x84\\n kasan_report+0x3a\/0x50\\n check_memory_region+0xfd\/0x1f0\\n memcpy+0x20\/0x60\\n complete_emulated_mmio+0x305\/0x420\\n kvm_arch_vcpu_ioctl_run+0x63f\/0x6d0\\n kvm_vcpu_ioctl+0x413\/0xb20\\n __se_sys_ioctl+0x111\/0x160\\n do_syscall_64+0x30\/0x40\\n entry_SYSCALL_64_after_hwframe+0x67\/0xd1\\n RIP: 0033:0x42477d\\n Code: \\u003c48\\u003e 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48\\n RSP: 002b:00007faa8e6890e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\\n RAX: ffffffffffffffda RBX: 00000000004d7338 RCX: 000000000042477d\\n RDX: 0000000000000000 RSI: 000000000000ae80 RDI: 0000000000000005\\n RBP: 00000000004d7330 R08: 00007fff28d546df R09: 0000000000000000\\n R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004d733c\\n R13: 0000000000000000 R14: 000000000040a200 R15: 00007fff28d54720\\n\\n The buggy address belongs to the page:\\n page:0000000029f6a428 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x9c37\\n flags: 0xfffffc0000000(node=0|zone=1|lastcpupid=0x1fffff)\\n raw: 000fffffc0000000 0000000000000000 ffffea0000270dc8 0000000000000000\\n raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected\\n\\n Memory state around the buggy address:\\n ffff888009c37780: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\\n ffff888009c37800: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\\n \\u003effff888009c37880: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\\n ^\\n ffff888009c37900: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\\n ffff888009c37980: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\\n ==================================================================\\n\\nThe bug can also be reproduced with a targeted KVM-Unit-Test by hacking\\nKVM to fill a large on-stack variable in complete_emulated_mmio(), i.e. by\\noverwrite the data value with garbage.\\n\\nLimit the use of the scratch fields to 8-byte or smaller accesses, and to\\njust writes, as larger accesses and reads are not affected thanks to\\nimplementation details in the emulator, but add a sanity check to ensure\\nthose details don’t change in the future. Specifically, KVM never uses\\non-stack variables for accesses larger that 8 bytes, e.g. uses an operand\\nin the emulator context, and *al\\n—truncated—“,”published”:”2026-04-24T14:42:16.288Z”,”modified”:”2026-04-27T14:04:13.501Z”,”type”:”cve”,”title”:”KVM: x86: Use scratch field in MMIO fragment to hold small write values”,”source”:”Linux”,”references”:”https:\/\/git.kernel.org\/stable\/c\/dc6a6c3db3a4eca7e747cfc46e22c08d016c68f7\\nhttps:\/\/git.kernel.org\/stable\/c\/b5a02d37eb0739f462fa12df449ab9b3480c783b\\nhttps:\/\/git.kernel.org\/stable\/c\/22d2ff69d487a32a8b88f9c970120fc2daa08a77\\nhttps:\/\/git.kernel.org\/stable\/c\/2b83d91e9ae92fe1258d7040a32430bbb3bb7d6e\\nhttps:\/\/git.kernel.org\/stable\/c\/3a7b6d75c8f85b09dea893f64a85a356bcf6c3fe\\nhttps:\/\/git.kernel.org\/stable\/c\/0b16e69d17d8c35c5c9d5918bf596c75a44655d3″,”id”:”CVE-2026-31588″,”bulletinFamily”:””,”cwe”:null,”cvelist”:null,”sourceData”:”Linux Linux f78146b0f9230765c6315b2e14f56112513389ad\\nLinux Linux f78146b0f9230765c6315b2e14f56112513389ad\\nLinux Linux f78146b0f9230765c6315b2e14f56112513389ad\\nLinux Linux f78146b0f9230765c6315b2e14f56112513389ad\\nLinux Linux f78146b0f9230765c6315b2e14f56112513389ad\\nLinux Linux f78146b0f9230765c6315b2e14f56112513389ad\\nLinux Linux 3.5″,”sourceHref”:””,”cvss”:{“score”:8.8,”severity”:”HIGH”,”vector”:”CVSS:3.1\/AV:L\/AC:L\/PR:L\/UI:N\/S:C\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:””,”category_name”:”CVE”,”post_link”:””,”product”:”Linux”,”version”:”f78146b0f9230765c6315b2e14f56112513389ad”,”vendor”:”Linux”,”ai_description”:”AI processing failed – no valid JSON found”,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:””,”description”:”In the Linux kernel, the following vulnerability has been resolved:\\n\\nKVM: x86: Use scratch field in MMIO fragment to hold small write values\\n\\nWhen exiting to userspace…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[6,8,41,12,15,13,7,11,5],"class_list":["post-49579","post","type-post","status-publish","format-standard","hentry","category-category_cve","tag-cve","tag-cvss","tag-cvss-88","tag-exploit","tag-high","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n