{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31470", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-03-09T15:48:24.097Z", "datePublished": "2026-04-22T13:53:58.925Z", "dateUpdated": "2026-04-22T13:53:58.925Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-04-22T13:53:58.925Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirt: tdx-guest: Fix handling of host controlled 'quote' buffer length\n\nValidate host controlled value `quote_buf->out_len` that determines how\nmany bytes of the quote are copied out to guest userspace. In TDX\nenvironments with remote attestation, quotes are not considered private,\nand can be forwarded to an attestation server.\n\nCatch scenarios where the host specifies a response length larger than\nthe guest's allocation, or otherwise races modifying the response while\nthe guest consumes it.\n\nThis prevents contents beyond the pages allocated for `quote_buf`\n(up to TSM_REPORT_OUTBLOB_MAX) from being read out to guest userspace,\nand possibly forwarded in attestation requests.\n\nRecall that some deployments want per-container configs-tsm-report\ninterfaces, so the leak may cross container protection boundaries, not\njust local root."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/virt/coco/tdx-guest/tdx-guest.c"], "versions": [{"version": "f4738f56d1dc62aaba69b33702a5ab098f1b8c63", "lessThan": "a079a62883e3365de592cea9f7a669d8115433b0", "status": "affected", "versionType": "git"}, {"version": "f4738f56d1dc62aaba69b33702a5ab098f1b8c63", "lessThan": "6f3c8795ae9ba74fa10fe979293d1904712d3fb1", "status": "affected", "versionType": "git"}, {"version": "f4738f56d1dc62aaba69b33702a5ab098f1b8c63", "lessThan": "02ca2d9d197723696cb9cc0cb159eb7e8bf5f89b", "status": "affected", "versionType": "git"}, {"version": "f4738f56d1dc62aaba69b33702a5ab098f1b8c63", "lessThan": "c3fd16c3b98ed726294feab2f94f876290bf7b61", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/virt/coco/tdx-guest/tdx-guest.c"], "versions": [{"version": "6.7", "status": "affected"}, {"version": "0", "lessThan": "6.7", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.80", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.21", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.11", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "6.12.80"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "6.18.21"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "6.19.11"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/a079a62883e3365de592cea9f7a669d8115433b0"}, {"url": "https://git.kernel.org/stable/c/6f3c8795ae9ba74fa10fe979293d1904712d3fb1"}, {"url": "https://git.kernel.org/stable/c/02ca2d9d197723696cb9cc0cb159eb7e8bf5f89b"}, {"url": "https://git.kernel.org/stable/c/c3fd16c3b98ed726294feab2f94f876290bf7b61"}], "title": "virt: tdx-guest: Fix handling of host controlled 'quote' buffer length", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirt: tdx-guest: Fix handling of host controlled 'quote' buffer length\n\nValidate host controlled value `quote_buf->out_len` that determines how\nmany bytes of the quote are copied out to guest userspace. In TDX\nenvironments with remote attestation, quotes are not considered private,\nand can be forwarded to an attestation server.\n\nCatch scenarios where the host specifies a response length larger than\nthe guest's allocation, or otherwise races modifying the response while\nthe guest consumes it.\n\nThis prevents contents beyond the pages allocated for `quote_buf`\n(up to TSM_REPORT_OUTBLOB_MAX) from being read out to guest userspace,\nand possibly forwarded in attestation requests.\n\nRecall that some deployments want per-container configs-tsm-report\ninterfaces, so the leak may cross container protection boundaries, not\njust local root."}], "id": "CVE-2026-31470", "lastModified": "2026-04-22T14:16:43.473", "metrics": {}, "published": "2026-04-22T14:16:43.473", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/02ca2d9d197723696cb9cc0cb159eb7e8bf5f89b"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/6f3c8795ae9ba74fa10fe979293d1904712d3fb1"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/a079a62883e3365de592cea9f7a669d8115433b0"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/c3fd16c3b98ed726294feab2f94f876290bf7b61"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Received"}

{"bugzilla": {"description": "kernel: virt: tdx-guest: Fix handling of host controlled 'quote' buffer length", "id": "2460674", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2460674"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-125", "details": ["A flaw was found in the Linux kernel's TDX guest virtualization component. A malicious host can manipulate the 'quote' buffer length, allowing it to specify a response length larger than the guest's allocated memory. This can lead to information disclosure, where sensitive data beyond the intended buffer can be read by guest userspace and potentially forwarded in attestation requests, which are used to verify the integrity of the virtual machine."], "name": "CVE-2026-31470", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-22T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-31470\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31470\nhttps://lore.kernel.org/linux-cve-announce/2026042254-CVE-2026-31470-350c@gregkh/T"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[f4738f56d1dc62aaba69b33702a5ab098f1b8c63,a079a62883e3365de592cea9f7a669d8115433b0)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[f4738f56d1dc62aaba69b33702a5ab098f1b8c63,6f3c8795ae9ba74fa10fe979293d1904712d3fb1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[f4738f56d1dc62aaba69b33702a5ab098f1b8c63,02ca2d9d197723696cb9cc0cb159eb7e8bf5f89b)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[f4738f56d1dc62aaba69b33702a5ab098f1b8c63,c3fd16c3b98ed726294feab2f94f876290bf7b61)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "6.7"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,6.7)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.80,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.21,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.11,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-22T18:59:25.966047+00:00", "value": {"mitigation_remediation": ["Upgrade the Linux kernel to a version that includes the patch for the TDX guest quote buffer length check", "If immediate kernel upgrade is not possible, restrict or disable the TDX attestation quote APIs for untrusted containers", "Apply the patch or kernel update to all hosts that run TDX guests to prevent cross\u2011container data leakage"], "summary": {"action": "Apply Patch", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "The flaw affects Linux kernel implementations that support Intel TDX guest environments. Any distribution built on the Linux kernel with TDX support is potentially impacted; the specific kernel versions are not listed in the advisory and should be identified by checking for the presence of the patch in the kernel tree.", "description_and_impact": "This vulnerability in the Linux kernel\u2019s TDX guest interface allows a host to supply a quote buffer length that exceeds the space allocated for a guest. The kernel incorrectly copies the entire host-specified length into guest user space, enabling an attacker to read data beyond the allocated pages. The leaked data could contain sensitive host or kernel information and may be forwarded to an external attestation server or read by an unprivileged process, resulting in information disclosure and potential cross\u2011container data leaks.", "risk_and_exploitability": "No CVSS or EPSS score is provided in the advisory, and the vulnerability is not listed in the CISA KEV catalog. Because the flaw enables out\u2011of\u2011bounds reads of host\u2011controlled data, it carries a high risk of information disclosure, especially in multi\u2011container environments where the content can cross protection boundaries. The lack of published metrics does not imply low risk; the attack vector requires a host that can control the quote buffer size, which is typically only possible by a privileged actor controlling the virtualization environment."}}}}, "created": "2026-04-22T19:00:08.097916+00:00", "updated": "2026-04-22T20:00:08.408411+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"], "weaknesses": ["CWE-119", "CWE-200"]}