KernelScan.io

Severity: HIGH

virt QuoteBuf OOB

CVE-2026-31470

CVSS 7.1 / 10.0 (NVD)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

KernelScan AI score: 6.5 (MEDIUM)

In the Linux kernel, the following vulnerability has been resolved:

virt: tdx-guest: Fix handling of host controlled 'quote' buffer length

Validate host controlled value `quote_buf->out_len` that determines how many bytes of the quote are copied out to guest userspace. In TDX environments with remote attestation, quotes are not considered private, and can be forwarded to an attestation server. Catch scenarios where the host specifies a response length larger than the guest's allocation, or otherwise races modifying the response while the guest consumes it.

This prevents contents beyond the pages allocated for `quote_buf` (up to TSM_REPORT_OUTBLOB_MAX) from being read out to guest userspace, and possibly forwarded in attestation requests. Recall that some deployments want per-container configfs-tsm-report interfaces, so the leak may cross container protection boundaries, not just local root.

Engine v0.2.0

Risk summary

TDX guest systems are vulnerable to kernel memory disclosure and guest denial of service when generating attestation quotes. A malicious hypervisor can specify an unbounded quote length, causing the guest kernel to read beyond the allocated shared buffer. This leaks adjacent kernel memory to guest userspace (from where it may be forwarded to attestation servers) and, for sufficiently large lengths, the read runs into unmapped pages and triggers a kernel panic. In multi-tenant and containerized deployments, the leak can cross container protection boundaries.

Affected: drivers/virt/coco/tdx-guest/tdx-guest.c (TDX guest virtualization)

Vulnerability analysis

The vulnerability exists in the TDX guest quote generation path where the host-controlled quote_buf->out_len field is used without validation to size a kvmemdup() copy into the guest kernel. A malicious hypervisor can set this value larger than the guest's allocation (TDX_QUOTE_MAX_LEN), causing an out-of-bounds read from the shared buffer. The copied data is then exposed to guest userspace via the TSM ConfigFS report interface. Because out_len is a 32-bit value, an excessively large length will read into unmapped memory and panic the guest. The fix introduces a bounds check against TDX_QUOTE_MAX_LEN and uses READ_ONCE() to close a TOCTOU race on the host-controlled length field.
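A constructed user-space model of the hardened path described above (an added example, not the kernel's own code): the host-controlled out_len is read exactly once and checked against the allocation that actually backs the data region before anything is duplicated for userspace. The struct layout, the value of TDX_QUOTE_MAX_LEN and the helper names are assumptions made for this model.

```c
/* Constructed user-space model of the bounded quote copy; not the kernel's code. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define TDX_QUOTE_MAX_LEN (4 * 4096)   /* assumed stand-in for the guest's shared-buffer allocation */

/* Layout modelled on the TDX GetQuote shared buffer; every field is host-writable. */
struct quote_buf {
    uint64_t version;
    uint64_t status;
    uint32_t in_len;
    uint32_t out_len;   /* host-controlled: how many bytes of data[] to copy out */
    uint8_t  data[];
};

/* Single volatile read: a user-space stand-in for the kernel's READ_ONCE(). */
#define READ_ONCE_U32(x) (*(volatile const uint32_t *)&(x))

/*
 * Snapshot out_len once, validate it against the bytes that really back data[],
 * and only then duplicate that many bytes for userspace. Returns the number of
 * bytes copied or a negative errno. Re-reading qb->out_len at the memcpy would
 * reopen the check-then-use race that the fix closes with READ_ONCE().
 */
long quote_copy_out(const struct quote_buf *qb, size_t alloc_len, uint8_t **out)
{
    size_t max_data = alloc_len - offsetof(struct quote_buf, data);
    uint32_t len = READ_ONCE_U32(qb->out_len);

    if (len == 0 || len > max_data)
        return -EINVAL;          /* host-supplied length does not fit: refuse, copy nothing */

    uint8_t *copy = malloc(len); /* kvmemdup() stand-in, now bounded by the allocation */
    if (!copy)
        return -ENOMEM;
    memcpy(copy, qb->data, len);
    *out = copy;
    return (long)len;
}

/* Test helper: a shared buffer whose header the "host" has set to out_len. */
struct quote_buf *make_host_buf(size_t alloc_len, uint32_t out_len)
{
    struct quote_buf *qb = calloc(1, alloc_len);
    if (!qb)
        return NULL;
    qb->out_len = out_len;
    memset(qb->data, 0x5a, alloc_len - offsetof(struct quote_buf, data));
    return qb;
}
```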

Branch     Fixed in   Patch commit
6.12       6.12.80    a079a62883e3
6.18       6.18.21    6f3c8795ae9b
6.19       6.19.11    02ca2d9d1977
mainline   7.0        c3fd16c3b98e