CVE-2026-31470 | virt: tdx-guest: Fix handling of host controlled 'quote' buffer length

In the Linux kernel, the following vulnerability has been resolved: virt: tdx-guest: Fix handling of host controlled 'quote' buffer length Validate host controlled value `quote_buf->out_len` that determines how many bytes of the quote are copied out to guest userspace. In TDX environments with remote attestation, quotes are not considered private, and can be forwarded to an attestation server. Catch scenarios where the host specifies a response length larger than the guest's allocation, or otherwise races modifying the response while the guest consumes it. This prevents contents beyond the pages allocated for `quote_buf` (up to TSM_REPORT_OUTBLOB_MAX) from being read out to guest userspace, and possibly forwarded in attestation requests. Recall that some deployments want per-container configs-tsm-report interfaces, so the leak may cross container protection boundaries, not just local root.

Published: 2026-04-22 Last update: 2026-05-07 Assigner: 416baaa9-dc9f-4396-8d5f-8c081fb06d67 Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

NVD Status：Analyzed，CVE State: published

View at NVD, CVE.org, EUVD

Threat Intelligence & Risk Assessment for CVE-2026-31470

EPSS CVSS CWE GHSA Affected OS Tracker

Conclusion & alert: CVE-2026-31470 is rated Low Risk (29.4/100): CVSS High severity, with low exploitation likelihood (EPSS 0.12%). Mandatory action: Monitor for updates and reassess as exploit intelligence or EPSS changes.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Exploit prediction scoring system (EPSS) score for CVE-2026-31470

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2026-06-15	0.02%	0.12%	+0.11%
2	2026-04-23	—	0.02%	—

Full EPSS history (2 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2026-31470

CVSS metrics for this CVE.

Base score	Version	Severity	Vector	Exploitability	Impact	Score source
7.1	3.1	HIGH	`CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H` Click to expand Attack vector (AV:L) They already need access on the box, or another person has to do something wrong; it’s not a remote drive-by. Attack complexity (AC:L) Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup. Privileges required (PR:L) A normal user session is enough; they don’t have to be admin. User interaction (UI:N) Nobody has to click “OK” or open a trap file; it can work without a victim helping. Scope (S:U) Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems. Confidentiality (C:H) Serious risk that confidential data gets exposed in a big way. Integrity (I:N) Data isn’t meaningfully altered or forged. Availability (A:H) Could take the service down hard or make it unusable for people who depend on it.	1.8	5.2	416baaa9-dc9f-4396-8d5f-8c081fb06d67

Weakness enumeration for CVE-2026-31470

CWE-787 MITRE ↗

GitHub Security Advisory for CVE-2026-31470

GHSA-86qf-jwhq-f4jq · Severity: high — In the Linux kernel, the following vulnerability has been resolved: virt: tdx-guest: Fix...

OS Trackers for CVE-2026-31470

vendor	priority	summary	link
`debian`	unimportant	CVE-2026-31470 unimportant priority: Debian including 1 source packages (linux), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5.	https://security-tracker.debian.org/tracker/CVE-2026-31470
`redhat`	medium	—	https://access.redhat.com/security/cve/CVE-2026-31470
`suse`	high	CVE-2026-31470 severity important: SUSE including 18 source package names (cluster-md-kmp-default, dlm-kmp-default, …), 92 product×package rows across 19 product lines (SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS, SUSE Linux Enterprise Live Patching 12 SP5, … (19 product lines)): Known Not Affected 92.	https://www.suse.com/security/cve/CVE-2026-31470/
`ubuntu`	medium	CVE-2026-31470 medium priority: Ubuntu including 161 source packages (linux, linux-allwinner-5.19, …), 1449 status rows across 9 suites (bionic, focal, jammy, noble, questing, resolute, trusty, upstream, xenial): DNE 1048, ignored 169, not-affected 90, released 83, needed 55, needs-triage 4.	https://ubuntu.com/security/CVE-2026-31470

Affected software / configurations for CVE-2026-31470

Vendor	Product	Version	Raw CPE
linux	linux_kernel	>= 6.7, < 6.12.80	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	>= 6.13, < 6.18.21	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	>= 6.19, < 6.19.11	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	7.0	cpe:2.3:o:linux:linux_kernel:7.0:rc1::::::
linux	linux_kernel	7.0	cpe:2.3:o:linux:linux_kernel:7.0:rc2::::::
linux	linux_kernel	7.0	cpe:2.3:o:linux:linux_kernel:7.0:rc3::::::
linux	linux_kernel	7.0	cpe:2.3:o:linux:linux_kernel:7.0:rc4::::::
linux	linux_kernel	7.0	cpe:2.3:o:linux:linux_kernel:7.0:rc5::::::

References for CVE-2026-31470

URL	Tags
https://git.kernel.org/stable/c/02ca2d9d197723696cb9cc0cb159eb7e8bf5f89b	Patch
https://git.kernel.org/stable/c/6f3c8795ae9ba74fa10fe979293d1904712d3fb1	Patch
https://git.kernel.org/stable/c/a079a62883e3365de592cea9f7a669d8115433b0	Patch
https://git.kernel.org/stable/c/c3fd16c3b98ed726294feab2f94f876290bf7b61	Patch

cvelogic Threat Intelligence