CVE-2026-31588
Severity: HIGH
CVSS v3.1 base score: 8.8
Published: April 24, 2026 · Updated: April 28, 2026
EPSS: 0.02% probability of exploitation in 30 days (percentile: 4.8th)

Official Description

In the Linux kernel, the following vulnerability has been resolved:

KVM: x86: Use scratch field in MMIO fragment to hold small write values

When exiting to userspace to service an emulated MMIO write, copy the to-be-written value to a scratch field in the MMIO fragment if the size of the data payload is 8 bytes or less, i.e. can fit in a single chunk, instead of pointing the fragment directly at the source value.

This fixes a class of use-after-free bugs that occur when the emulator initiates a write using an on-stack, local variable as the source, the write splits a page boundary, *and* both pages are MMIO pages. Because KVM's ABI only allows for physically contiguous MMIO requests, accesses that split MMIO pages are separated into two fragments, and are sent to userspace one at a time. When KVM attempts to complete userspace MMIO in response to KVM_RUN after the first fragment, KVM will detect the second fragment and generate a second userspace exit, and reference the on-stack variable.

The issue is most visible if the second KVM_RUN is performed by a separate task, in which case the stack of the initiating task can show up as truly freed data.

==================================================================
BUG: KASAN: use-after-free in complete_emulated_mmio+0x305/0x420
Read of size 1 at addr ffff888009c378d1 by task syz-executor417/984

CPU: 1 PID: 984 Comm: syz-executor417 Not tainted 5.10.0-182.0.0.95.h2627.eulerosv2r13.x86_64 #3
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014
Call Trace:
 dump_stack+0xbe/0xfd
 print_address_description.constprop.0+0x19/0x170
 __kasan_report.cold+0x6c/0x84
 kasan_report+0x3a/0x50
 check_memory_region+0xfd/0x1f0
 memcpy+0x20/0x60
 complete_emulated_mmio+0x305/0x420
 kvm_arch_vcpu_ioctl_run+0x63f/0x6d0
 kvm_vcpu_ioctl+0x413/0xb20
 __se_sys_ioctl+0x111/0x160
 do_syscall_64+0x30/0x40
 entry_SYSCALL_64_after_hwframe+0x67/0xd1
RIP: 0033:0x42477d
Code: <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007faa8e6890e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00000000004d7338 RCX: 000000000042477d
RDX: 0000000000000000 RSI: 000000000000ae80 RDI: 0000000000000005
RBP: 00000000004d7330 R08: 00007fff28d546df R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004d733c
R13: 0000000000000000 R14: 000000000040a200 R15: 00007fff28d54720

The buggy address belongs to the page:
page:0000000029f6a428 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x9c37
flags: 0xfffffc0000000(node=0|zone=1|lastcpupid=0x1fffff)
raw: 000fffffc0000000 0000000000000000 ffffea0000270dc8 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888009c37780: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff888009c37800: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff888009c37880: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                                 ^
 ffff888009c37900: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff888009c37980: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================

The bug can also be reproduced with a targeted KVM-Unit-Test by hacking KVM to fill a large on-stack variable in complete_emulated_mmio(), i.e. by overwriting the data value with garbage.

Limit the use of the scratch fields to 8-byte or smaller accesses, and to just writes, as larger accesses and reads are not affected thanks to implementation details in the emulator, but add a sanity check to ensure those details don't change in the future. Specifically, KVM never uses on-stack variables for accesses larger than 8 bytes, e.g. uses an operand in the emulator context, and *al

---truncated---

Source: NVD
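The split-MMIO sequence the commit message describes, modelled in userspace as an added example. This is not KVM's code: mmio_fragment, scratch, vcpu, build_write_fragments, deliver_next_fragment and the other names are stand-ins chosen here, not the kernel's identifiers, and the sample write (8 bytes at guest physical address 0x1FFD with a 4 KiB page size) is constructed. The write is broken into a 3-byte and a 5-byte fragment, the first is delivered to "userspace", and the second is delivered on the next KVM_RUN. In the pre-fix shape the second fragment's data pointer still points at the emulating function's local variable after that function has returned; in the fixed shape the bytes were copied into the fragment's own scratch, so the local can be filled with garbage (the commit's unit-test trick) before the first exit without corrupting what userspace eventually sees.

```c
/* Userspace model of KVM's split-MMIO write path, constructed for this page (not
 * KVM code); mmio_fragment, scratch, vcpu and the function names are stand-ins. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#define PAGE_SIZE 4096u
#define MAX_FRAGS 2u

struct mmio_fragment {
    uint64_t gpa;        /* guest physical address of this chunk */
    const void *data;    /* where the bytes to write currently live */
    unsigned len;
    uint8_t scratch[8];  /* fixed design: fragment-owned copy of a small write */
};

struct vcpu {
    struct mmio_fragment frags[MAX_FRAGS];
    unsigned nr_frags, cur_frag;
    uint8_t exit_data[8]; /* stand-ins for kvm_run->mmio.data and .len */
    unsigned exit_len;
};

/* Split a write of <= 8 bytes at page boundaries into at most MAX_FRAGS chunks.
 * Pre-fix shape: data aliases the caller's buffer; fixed shape: copy into scratch. */
static int build_write_fragments(struct vcpu *v, uint64_t gpa, const void *src,
                                 unsigned len, bool copy_small)
{
    unsigned off = 0;
    v->nr_frags = v->cur_frag = 0;
    if (len > sizeof v->exit_data)
        return -1;   /* larger accesses are outside this model */
    while (off < len) {
        unsigned room = PAGE_SIZE - (unsigned)((gpa + off) & (PAGE_SIZE - 1));
        unsigned chunk = len - off < room ? len - off : room;
        if (v->nr_frags == MAX_FRAGS)
            return -1;   /* KVM's ABI only carries physically contiguous requests */
        struct mmio_fragment *f = &v->frags[v->nr_frags++];
        f->gpa = gpa + off;
        f->len = chunk;
        if (copy_small)
            memcpy(f->scratch, (const uint8_t *)src + off, chunk);
        f->data = copy_small ? f->scratch : (const uint8_t *)src + off;
        off += chunk;
    }
    return 0;
}

/* One userspace exit: copy the current fragment into the exit record, as
 * complete_emulated_mmio() does. Returns true if another fragment remains. */
static bool deliver_next_fragment(struct vcpu *v)
{
    struct mmio_fragment *f = &v->frags[v->cur_frag++];
    v->exit_len = f->len;
    memcpy(v->exit_data, f->data, f->len);
    return v->cur_frag < v->nr_frags;
}

/* Pre-fix shape: the source is a local. Returns true when fragment 1 still points
 * into this frame after the first exit, i.e. the next KVM_RUN would read a dead frame. */
static bool buggy_second_fragment_aliases_stack(struct vcpu *v, uint64_t gpa, uint64_t val)
{
    uint64_t tmp = val;  /* the on-stack source value */
    const uint8_t *lo = (const uint8_t *)&tmp, *hi = lo + sizeof tmp, *second;
    if (build_write_fragments(v, gpa, &tmp, sizeof tmp, false) || v->nr_frags != 2)
        return false;
    deliver_next_fragment(v);          /* first exit: tmp is still alive */
    second = v->frags[1].data;
    memset(v, 0, sizeof *v);           /* drop fragment 1: delivering it would read a dead frame */
    return second >= lo && second < hi;
}

/* Fixed shape: copy into scratch, then clobber the local (the commit's "fill the
 * on-stack variable with garbage" check). -1 on failure, 1 if a second exit is pending. */
static int fixed_emulator_write(struct vcpu *v, uint64_t gpa, uint64_t val)
{
    uint64_t tmp = val;
    if (build_write_fragments(v, gpa, &tmp, sizeof tmp, true))
        return -1;
    memset(&tmp, 0xA5, sizeof tmp);    /* fragments must not depend on tmp now */
    return deliver_next_fragment(v) ? 1 : 0;
}

/* Drive the fixed path end to end: first exit inside fixed_emulator_write(), the rest
 * here after that frame is gone. Returns the exit count; out[] gets the bytes in order. */
static int collect_split_write(struct vcpu *v, uint64_t gpa, uint64_t val, uint8_t out[8])
{
    int exits, more = fixed_emulator_write(v, gpa, val);
    unsigned pos = 0;
    if (more < 0)
        return -1;
    for (exits = 1;; exits++) {
        memcpy(out + pos, v->exit_data, v->exit_len);
        pos += v->exit_len;
        if (!more)
            return exits;
        more = deliver_next_fragment(v);
    }
}
```

The pre-fix function deliberately never delivers its second fragment: doing so would read a returned stack frame, which is the access KASAN flagged above. The model only covers writes of 8 bytes or less, the case the fix addresses, and rejects larger accesses rather than modelling how the emulator handles them.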

Technical Analysis

CVE-2026-31588 requires local access (AV:L): the attacker must already be able to issue KVM ioctls on the host. The crash above was produced by a syzkaller program (syz-executor417) in exactly that position, and the register dump shows RSI = 0xae80, the KVM_RUN ioctl request code, in the call that tripped KASAN.

Exploitation requires only low privileges (PR:L) and no user interaction (UI:N): a process that can open /dev/kvm and run a vCPU is enough, so exposure is bounded by who can reach the KVM device on the host.

A successful exploit is rated as a complete confidentiality, integrity and availability impact (C:H/I:H/A:H), giving a CVSS base score of 8.8. Concretely, the second userspace exit copies bytes from the initiating task's released stack into the MMIO exit record that userspace reads, so stale kernel stack contents are handed to the VMM process and, if those stack pages have since been unmapped, the host kernel faults.

The vulnerability has a "Changed" scope (S:C): the vulnerable code is the host kernel's KVM subsystem, while the write it is emulating belongs to the vCPU that triggered it, so the effect crosses the virtualization boundary into the host kernel and every workload it runs.

CVSS v3.1 Vector Breakdown

Exploitability
  Attack Vector: Local
  Attack Complexity: Low
  Privileges Required: Low
  User Interaction: None
  Scope: Changed
Impact
  Confidentiality: High
  Integrity: High
  Availability: High
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Affected Vendors & Products

Linux (1 product): linux kernel
Source: NVD CPE, 1 total CPE entries

Exploit & PoC Resources

No known exploit: no public exploit confirmed at this time.

Official Patches & Advisories

All References (6)

Quick Facts

CVE ID: CVE-2026-31588
CVSS Score: 8.8 / 10
Severity: HIGH
CISA KEV: No
EPSS (30d): 0.02%
Affected: 1 vendor
Published: Apr 24, 2026

Recommended Actions

  • Update hosts to a kernel that carries the fix "KVM: x86: Use scratch field in MMIO fragment to hold small write values" from your distribution or the stable series you track. The report above comes from a 5.10-based vendor kernel, so do not assume only recent kernels are affected.
  • Until patched, restrict who can open /dev/kvm: the trigger is a local KVM_RUN ioctl sequence, so exposure is limited to the users and services that can run vCPUs on the host.
  • Monitor CVE-2026-31588 in threat intel feeds; it is not in CISA KEV and EPSS puts the 30-day exploitation probability at 0.02% at the time of writing.
  • Network IDS/IPS signatures will not see this bug, since nothing crosses the network. On hosts, watch kernel logs for oops or KASAN reports in complete_emulated_mmio and for unexpected processes issuing KVM ioctls.
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.