Severity: HIGH
loongarch KVM CPUID OOB
CVE-2026-31558
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
KernelScan AI score: 8.8 (HIGH)
Description
In the Linux kernel, the following vulnerability has been resolved:

LoongArch: KVM: Make kvm_get_vcpu_by_cpuid() more robust

kvm_get_vcpu_by_cpuid() takes a cpuid parameter whose type is int, so cpuid can be negative. Let kvm_get_vcpu_by_cpuid() return NULL for this case so as to make it more robust. This fixes an out-of-bounds access to kvm_arch::phyid_map::phys_map[].
KernelScan AI Analysis
Risk summary
An attacker with local access to KVM interfaces on LoongArch systems could trigger out-of-bounds memory reads by passing negative CPU ID values. This could potentially lead to information disclosure or system instability, though exploitation requires virtualization privileges.
Vulnerability analysis
Root Cause: The kvm_get_vcpu_by_cpuid() function accepts an int parameter 'cpuid' but only validates that it is less than KVM_MAX_PHYID (256). It does not check for negative values, so a negative integer is used directly as an index into kvm_arch::phyid_map::phys_map[], causing an out-of-bounds memory access.
Attack Surface: This vulnerability affects LoongArch KVM hypervisor functionality and requires local access with sufficient privileges to interact with KVM interfaces. The attack surface is limited to systems running LoongArch architecture with KVM virtualization enabled.
Fix Mechanism: The patch adds a bounds check 'if (cpuid < 0) return NULL;' before the existing upper bound check, ensuring that negative cpuid values are rejected and the function returns NULL instead of attempting array access with a negative index.
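Added example (not the kernel's code or KernelScan's): a C model of the guard before and after the fix, using an assumed minimal phys_map layout and a constructed sample map, so the two bounds predicates can be compared without indexing memory out of bounds.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

#define KVM_MAX_PHYID 256 /* upper bound quoted in the analysis above */

/* Minimal stand-in for the kernel structures (assumed layout, not the real one). */
struct kvm_vcpu { int vcpu_id; };
struct kvm_phyid_map { struct kvm_vcpu *phys_map[KVM_MAX_PHYID]; };

/* Pre-fix guard as described: only the upper bound is checked, so every
 * negative cpuid passes and would index before phys_map[0]. */
static bool pre_fix_guard_accepts(int cpuid) { return cpuid < KVM_MAX_PHYID; }

/* Post-fix guard: negatives are rejected before the upper-bound check. */
static bool post_fix_guard_accepts(int cpuid)
{
    if (cpuid < 0)
        return false;
    return cpuid < KVM_MAX_PHYID;
}

/* Lookup modelled on the patched function: NULL outside [0, KVM_MAX_PHYID). */
static struct kvm_vcpu *get_vcpu_by_cpuid(struct kvm_phyid_map *map, int cpuid)
{
    if (!post_fix_guard_accepts(cpuid))
        return NULL;
    return map->phys_map[cpuid]; /* the slot itself may also be NULL */
}

/* Constructed map with one vCPU at physical id 7; -1 means the lookup gave NULL. */
static int sample_lookup(int cpuid)
{
    static struct kvm_vcpu vcpu7 = { .vcpu_id = 7 };
    struct kvm_phyid_map map = { 0 };
    map.phys_map[7] = &vcpu7;
    struct kvm_vcpu *v = get_vcpu_by_cpuid(&map, cpuid);
    return v ? v->vcpu_id : -1;
}

int main(void)
{
    int probes[] = { INT_MIN, -1, 0, 7, 255, KVM_MAX_PHYID };
    for (int i = 0; i < (int)(sizeof probes / sizeof probes[0]); i++)
        printf("cpuid %11d: old guard %s, new guard %s, lookup -> %d\n", probes[i],
               pre_fix_guard_accepts(probes[i]) ? "accepts" : "rejects",
               post_fix_guard_accepts(probes[i]) ? "accepts" : "rejects",
               sample_lookup(probes[i]));
    return 0;
}
```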
Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.12 | 6.12.80 | 596c3f8069c4 |
| 6.18 | 6.18.21 | 878cf6acb4fd |
| 6.19 | 6.19.11 | 47857b05bd50 |
| mainline | 7.0 | 2db06c15d8c7 |