Severity: HIGH
kvm DescSwap OOB
CVE-2026-31553
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
KernelScan AI score: 8.2 (HIGH)
Description
In the Linux kernel, the following vulnerability has been resolved:

KVM: arm64: Fix the descriptor address in __kvm_at_swap_desc()

Using "(u64 __user *)hva + offset" to get the virtual addresses of S1/S2 descriptors looks really wrong, if offset is not zero. What we want to get for swapping is hva + offset, not hva + offset*8. ;-)

Fix it.
KernelScan AI Analysis
Risk summary
ARM64 systems running KVM hypervisors with nested virtualization are at risk of memory corruption. An attacker with hypervisor management privileges could trigger out-of-bounds memory access, potentially compromising guest VMs or the host system.
Vulnerability analysis
The vulnerability stems from incorrect pointer arithmetic in __kvm_at_swap_desc(): hva is cast to u64 * before offset is added, so C pointer arithmetic scales the addition by sizeof(u64) and the computed descriptor address becomes hva + offset*8 instead of hva + offset. For any non-zero offset this lands outside the intended descriptor, leading to out-of-bounds memory access when swapping guest page table descriptors. The fix changes the cast to void * so that offset is treated as a byte count. This affects KVM's nested virtualization functionality on ARM64 systems and requires hypervisor management privileges to exploit.
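The following is an added illustration of the pointer-scaling mistake described above; it is not the kernel's __kvm_at_swap_desc() code. A static 4096-byte array stands in for the memory behind hva, and the names buggy_desc_delta, fixed_desc_delta, desc_in_page and swap_desc_checked are hypothetical. It shows how a byte offset that should select the second 8-byte descriptor (offset 8) instead lands 64 bytes in, how an offset that is still inside the page can be pushed past its end, and what a bounds check before the swap looks like.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_BYTES 4096              /* one simulated guest page-table page */
#define DESC_BYTES sizeof(uint64_t)  /* one 8-byte S1/S2 descriptor */

/* Constructed stand-in for the guest memory behind 'hva'. */
static uint8_t page[PAGE_BYTES];

/* Buggy form from the advisory: the cast happens before the add, so the
 * compiler scales 'offset' by sizeof(uint64_t). Returns the byte distance
 * from the page base that the arithmetic actually selects. */
static ptrdiff_t buggy_desc_delta(uint8_t *hva, size_t offset)
{
    uint8_t *p = (uint8_t *)((uint64_t *)hva + offset);
    return p - hva;
}

/* Fixed form: arithmetic on a byte pointer (void * in the kernel), so
 * 'offset' is a byte count and the descriptor address is hva + offset. */
static ptrdiff_t fixed_desc_delta(uint8_t *hva, size_t offset)
{
    uint8_t *p = hva + offset;
    return p - hva;
}

/* True when a whole 8-byte descriptor at 'delta' lies inside the page. */
static int desc_in_page(ptrdiff_t delta)
{
    return delta >= 0 && (size_t)delta + DESC_BYTES <= PAGE_BYTES;
}

/* Bounds-checked swap: writes 'new_desc' at byte offset 'offset' and returns
 * the previous descriptor through 'old_desc'. Returns 0 on success, -1 when
 * the offset is misaligned or the descriptor would fall outside the page. */
static int swap_desc_checked(uint8_t *hva, size_t offset,
                             uint64_t new_desc, uint64_t *old_desc)
{
    if (offset % DESC_BYTES != 0 || !desc_in_page((ptrdiff_t)offset))
        return -1;
    memcpy(old_desc, hva + offset, DESC_BYTES);
    memcpy(hva + offset, &new_desc, DESC_BYTES);
    return 0;
}

int main(void)
{
    /* Byte offsets of the 2nd and 65th descriptors in the page. */
    size_t offsets[] = { 8, 512 };

    for (size_t i = 0; i < sizeof offsets / sizeof offsets[0]; i++) {
        ptrdiff_t bad = buggy_desc_delta(page, offsets[i]);
        ptrdiff_t good = fixed_desc_delta(page, offsets[i]);
        printf("offset %4zu: buggy -> +%4td (%s), fixed -> +%4td (%s)\n",
               offsets[i],
               bad, desc_in_page(bad) ? "in page" : "OUT OF PAGE",
               good, desc_in_page(good) ? "in page" : "OUT OF PAGE");
    }

    uint64_t old;
    printf("checked swap at 8:    %d\n", swap_desc_checked(page, 8, 0x1234, &old));
    printf("checked swap at 4096: %d\n", swap_desc_checked(page, 4096, 0x1234, &old));
    return 0;
}
```

The buggy delta for offset 512 equals PAGE_BYTES, i.e. one byte past the last byte of the page, which is exactly the kind of access the advisory's out-of-bounds description refers to; the checked swap rejects that offset, while the fixed arithmetic selects the intended descriptor.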
Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.19 | 6.19.11 | 4307e05e5687 |
| mainline | 7.0 | 0496acc42fb5 |