{"id":"CVE-2026-31593","summary":"KVM: SEV: Reject attempts to sync VMSA of an already-launched/encrypted vCPU","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: SEV: Reject attempts to sync VMSA of an already-launched/encrypted vCPU\n\nReject synchronizing vCPU state to its associated VMSA if the vCPU has\nalready been launched, i.e. if the VMSA has already been encrypted.  On a\nhost with SNP enabled, accessing guest-private memory generates an RMP #PF\nand panics the host.\n\n  BUG: unable to handle page fault for address: ff1276cbfdf36000\n  #PF: supervisor write access in kernel mode\n  #PF: error_code(0x80000003) - RMP violation\n  PGD 5a31801067 P4D 5a31802067 PUD 40ccfb5063 PMD 40e5954063 PTE 80000040fdf36163\n  SEV-SNP: PFN 0x40fdf36, RMP entry: [0x6010fffffffff001 - 0x000000000000001f]\n  Oops: Oops: 0003 [#1] SMP NOPTI\n  CPU: 33 UID: 0 PID: 996180 Comm: qemu-system-x86 Tainted: G           OE\n  Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE\n  Hardware name: Dell Inc. PowerEdge R7625/0H1TJT, BIOS 1.5.8 07/21/2023\n  RIP: 0010:sev_es_sync_vmsa+0x54/0x4c0 [kvm_amd]\n  Call Trace:\n   \u003cTASK\u003e\n   snp_launch_update_vmsa+0x19d/0x290 [kvm_amd]\n   snp_launch_finish+0xb6/0x380 [kvm_amd]\n   sev_mem_enc_ioctl+0x14e/0x720 [kvm_amd]\n   kvm_arch_vm_ioctl+0x837/0xcf0 [kvm]\n   kvm_vm_ioctl+0x3fd/0xcc0 [kvm]\n   __x64_sys_ioctl+0xa3/0x100\n   x64_sys_call+0xfe0/0x2350\n   do_syscall_64+0x81/0x10f0\n   entry_SYSCALL_64_after_hwframe+0x76/0x7e\n  RIP: 0033:0x7ffff673287d\n   \u003c/TASK\u003e\n\nNote, the KVM flaw has been present since commit ad73109ae7ec (\"KVM: SVM:\nProvide support to launch and run an SEV-ES guest\"), but has only been\nactively dangerous for the host since SNP support was added.  With SEV-ES,\nKVM would \"just\" clobber guest state, which is totally fine from a host\nkernel perspective since userspace can clobber guest state any time before\nsev_launch_update_vmsa().","modified":"2026-07-02T09:29:14.271521893Z","published":"2026-04-24T14:42:19.567Z","related":["CGA-rp9p-xhgq-4j2m","SUSE-SU-2026:2722-1","openSUSE-SU-2026:10703-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31593.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/692fdf05e55fa03960a1278afdc2478c12daea13"},{"type":"WEB","url":"https://git.kernel.org/stable/c/6ef109e01e1d35199e1a97ea68bdfd3cf3fbf9ab"},{"type":"WEB","url":"https://git.kernel.org/stable/c/8f85a4885eee8cb495961ffa371a91828afb9445"},{"type":"WEB","url":"https://git.kernel.org/stable/c/9b9f7962e3e879d12da2bf47e02a24ec51690e3d"},{"type":"WEB","url":"https://git.kernel.org/stable/c/c9609847ae65ca36233077c2b6cb2bc0fb37c77a"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31593.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31593"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"ad27ce155566f2b4400fa865859834592bd18777"},{"fixed":"c9609847ae65ca36233077c2b6cb2bc0fb37c77a"},{"fixed":"692fdf05e55fa03960a1278afdc2478c12daea13"},{"fixed":"6ef109e01e1d35199e1a97ea68bdfd3cf3fbf9ab"},{"fixed":"8f85a4885eee8cb495961ffa371a91828afb9445"},{"fixed":"9b9f7962e3e879d12da2bf47e02a24ec51690e3d"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31593.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"6.11.0"},{"fixed":"6.12.83"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.18.24"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.19.0"},{"fixed":"6.19.14"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.20.0"},{"fixed":"7.0.1"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31593.json"}}],"schema_version":"1.7.5"}