{
  "threat_severity" : "Moderate",
  "public_date" : "2026-05-01T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: crypto: ccp: Don't attempt to copy CSR to userspace if PSP command failed",
    "id" : "2464372",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2464372"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.0",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
    "status" : "draft"
  },
  "cwe" : "CWE-787",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\ncrypto: ccp: Don't attempt to copy CSR to userspace if PSP command failed\nWhen retrieving the PEK CSR, don't attempt to copy the blob to userspace\nif the firmware command failed.  If the failure was due to an invalid\nlength, i.e. the userspace buffer+length was too small, copying the number\nof bytes _firmware_ requires will overflow the kernel-allocated buffer and\nleak data to userspace.\nBUG: KASAN: slab-out-of-bounds in instrument_copy_to_user ../include/linux/instrumented.h:129 [inline]\nBUG: KASAN: slab-out-of-bounds in _inline_copy_to_user ../include/linux/uaccess.h:205 [inline]\nBUG: KASAN: slab-out-of-bounds in _copy_to_user+0x66/0xa0 ../lib/usercopy.c:26\nRead of size 2084 at addr ffff898144612e20 by task syz.9.219/21405\nCPU: 14 UID: 0 PID: 21405 Comm: syz.9.219 Tainted: G     U     O        7.0.0-smp-DEV #28 PREEMPTLAZY\nTainted: [U]=USER, [O]=OOT_MODULE\nHardware name: Google, Inc. Arcadia_IT_80/Arcadia_IT_80, BIOS 12.62.0-0 11/19/2025\nCall Trace:\n<TASK>\ndump_stack_lvl+0xc5/0x110 ../lib/dump_stack.c:120\nprint_address_description ../mm/kasan/report.c:378 [inline]\nprint_report+0xbc/0x260 ../mm/kasan/report.c:482\nkasan_report+0xa2/0xe0 ../mm/kasan/report.c:595\ncheck_region_inline ../mm/kasan/generic.c:-1 [inline]\nkasan_check_range+0x264/0x2c0 ../mm/kasan/generic.c:200\ninstrument_copy_to_user ../include/linux/instrumented.h:129 [inline]\n_inline_copy_to_user ../include/linux/uaccess.h:205 [inline]\n_copy_to_user+0x66/0xa0 ../lib/usercopy.c:26\ncopy_to_user ../include/linux/uaccess.h:236 [inline]\nsev_ioctl_do_pek_csr+0x31f/0x590 ../drivers/crypto/ccp/sev-dev.c:1872\nsev_ioctl+0x3a4/0x490 ../drivers/crypto/ccp/sev-dev.c:2562\nvfs_ioctl ../fs/ioctl.c:51 [inline]\n__do_sys_ioctl ../fs/ioctl.c:597 [inline]\n__se_sys_ioctl+0x11d/0x1b0 ../fs/ioctl.c:583\ndo_syscall_x64 ../arch/x86/entry/syscall_64.c:63 [inline]\ndo_syscall_64+0xe0/0x800 ../arch/x86/entry/syscall_64.c:94\nentry_SYSCALL_64_after_hwframe+0x76/0x7e\n</TASK>\nWARN if the driver says the command succeeded, but the firmware error code\nsays otherwise, as __sev_do_cmd_locked() is expected to return -EIO on any\nfirmware error.", "A flaw was found in the Linux kernel's crypto: ccp module. A local user could exploit a vulnerability where the system attempts to copy a Certificate Signing Request (CSR) to userspace even after a Platform Security Processor (PSP) command has failed. This can lead to a slab-out-of-bounds write, causing an overflow of the kernel-allocated buffer and potentially leaking sensitive kernel data to the user." ],
  "statement" : "CSR buffers must not be copied to userspace when the underlying PSP CSR command did not succeed; upstream blocks the copy on failure. Red Hat classifies this as confidentiality hardening for the AMD CCP interface.",
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-31699\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31699\nhttps://lore.kernel.org/linux-cve-announce/2026050119-CVE-2026-31699-5ba8@gregkh/T" ],
  "name" : "CVE-2026-31699",
  "csaw" : false
}