{
  "threat_severity" : "Moderate",
  "public_date" : "2026-05-01T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: crypto: ccp: Don't attempt to copy ID to userspace if PSP command failed",
    "id" : "2464427",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2464427"
  },
  "cvss3" : {
    "cvss3_base_score" : "4.7",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
    "status" : "draft"
  },
  "cwe" : "CWE-805",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\ncrypto: ccp: Don't attempt to copy ID to userspace if PSP command failed\nWhen retrieving the ID for the CPU, don't attempt to copy the ID blob to\nuserspace if the firmware command failed.  If the failure was due to an\ninvalid length, i.e. the userspace buffer+length was too small, copying\nthe number of bytes _firmware_ requires will overflow the kernel-allocated\nbuffer and leak data to userspace.\nBUG: KASAN: slab-out-of-bounds in instrument_copy_to_user ../include/linux/instrumented.h:129 [inline]\nBUG: KASAN: slab-out-of-bounds in _inline_copy_to_user ../include/linux/uaccess.h:205 [inline]\nBUG: KASAN: slab-out-of-bounds in _copy_to_user+0x66/0xa0 ../lib/usercopy.c:26\nRead of size 64 at addr ffff8881867f5960 by task syz.0.906/24388\nCPU: 130 UID: 0 PID: 24388 Comm: syz.0.906 Tainted: G     U     O        7.0.0-smp-DEV #28 PREEMPTLAZY\nTainted: [U]=USER, [O]=OOT_MODULE\nHardware name: Google, Inc. Arcadia_IT_80/Arcadia_IT_80, BIOS 12.62.0-0 11/19/2025\nCall Trace:\n<TASK>\ndump_stack_lvl+0xc5/0x110 ../lib/dump_stack.c:120\nprint_address_description ../mm/kasan/report.c:378 [inline]\nprint_report+0xbc/0x260 ../mm/kasan/report.c:482\nkasan_report+0xa2/0xe0 ../mm/kasan/report.c:595\ncheck_region_inline ../mm/kasan/generic.c:-1 [inline]\nkasan_check_range+0x264/0x2c0 ../mm/kasan/generic.c:200\ninstrument_copy_to_user ../include/linux/instrumented.h:129 [inline]\n_inline_copy_to_user ../include/linux/uaccess.h:205 [inline]\n_copy_to_user+0x66/0xa0 ../lib/usercopy.c:26\ncopy_to_user ../include/linux/uaccess.h:236 [inline]\nsev_ioctl_do_get_id2+0x361/0x490 ../drivers/crypto/ccp/sev-dev.c:2222\nsev_ioctl+0x25f/0x490 ../drivers/crypto/ccp/sev-dev.c:2575\nvfs_ioctl ../fs/ioctl.c:51 [inline]\n__do_sys_ioctl ../fs/ioctl.c:597 [inline]\n__se_sys_ioctl+0x11d/0x1b0 ../fs/ioctl.c:583\ndo_syscall_x64 ../arch/x86/entry/syscall_64.c:63 [inline]\ndo_syscall_64+0xe0/0x800 ../arch/x86/entry/syscall_64.c:94\nentry_SYSCALL_64_after_hwframe+0x76/0x7e\n</TASK>\nWARN if the driver says the command succeeded, but the firmware error code\nsays otherwise, as __sev_do_cmd_locked() is expected to return -EIO on any\nfirwmware error.", "A flaw was found in the Linux kernel's crypto: ccp driver. A local user could exploit this vulnerability by attempting to retrieve the CPU ID when a firmware command fails due to an invalid length. This can cause an overflow of a kernel-allocated buffer, leading to the disclosure of sensitive kernel memory to userspace." ],
  "statement" : "When AMD PSP/CCP firmware commands fail, the kernel must not copy uninitialized ID buffers to userspace. Red Hat treats this as a local information-disclosure hardening issue on systems using the CCP crypto driver. Apply patched kernels.",
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-31697\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31697\nhttps://lore.kernel.org/linux-cve-announce/2026050118-CVE-2026-31697-febc@gregkh/T" ],
  "name" : "CVE-2026-31697",
  "csaw" : false
}