{ "threat_severity" : "Moderate", "public_date" : "2026-04-22T00:00:00Z", "bugzilla" : { "description" : "kernel: virt: tdx-guest: Fix handling of host controlled 'quote' buffer length", "id" : "2460674", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2460674" }, "cvss3" : { "cvss3_base_score" : "6.5", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:H", "status" : "draft" }, "cwe" : "CWE-125", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nvirt: tdx-guest: Fix handling of host controlled 'quote' buffer length\nValidate host controlled value `quote_buf->out_len` that determines how\nmany bytes of the quote are copied out to guest userspace. In TDX\nenvironments with remote attestation, quotes are not considered private,\nand can be forwarded to an attestation server.\nCatch scenarios where the host specifies a response length larger than\nthe guest's allocation, or otherwise races modifying the response while\nthe guest consumes it.\nThis prevents contents beyond the pages allocated for `quote_buf`\n(up to TSM_REPORT_OUTBLOB_MAX) from being read out to guest userspace,\nand possibly forwarded in attestation requests.\nRecall that some deployments want per-container configs-tsm-report\ninterfaces, so the leak may cross container protection boundaries, not\njust local root.", "A flaw was found in the Linux kernel's TDX guest virtualization component. A malicious host can manipulate the 'quote' buffer length, allowing it to specify a response length larger than the guest's allocated memory. This can lead to information disclosure, where sensitive data beyond the intended buffer can be read by guest userspace and potentially forwarded in attestation requests, which are used to verify the integrity of the virtual machine." ], "statement" : "Upstream validates `quote_buf->out_len` so the host cannot drive reads past the guest allocation into userspace attestation flows. Red Hat emphasizes the trust boundary: impact presumes a misbehaving TDX host. Guest-only mitigations are insufficient; firmware/host stacks must be trusted. Kernel errata carries the guest-side clamp.", "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Fix deferred", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Fix deferred", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Fix deferred", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Fix deferred", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-31470\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31470\nhttps://lore.kernel.org/linux-cve-announce/2026042254-CVE-2026-31470-350c@gregkh/T" ], "name" : "CVE-2026-31470", "csaw" : false }