Security Vulnerability Report
中文
CVE-2026-31569 CVSS 7.3 HIGH

CVE-2026-31569

Published: 2026-04-24 15:16:31
Last Modified: 2026-04-27 20:33:04
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved: LoongArch: KVM: Handle the case that EIOINTC's coremap is empty EIOINTC's coremap in eiointc_update_sw_coremap() can be empty, currently we get a cpuid with -1 in this case, but we actually need 0 because it's similar as the case that cpuid >= 4. This fix an out-of-bounds access to kvm_arch::phyid_map::phys_map[].

CVSS Details

CVSS Score
7.3
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.13:-:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:* - VULNERABLE
Linux Kernel (LoongArch架构) < 6.x (具体修复版本见参考链接中的Git提交)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
/* * PoC Concept for CVE-2026-31569 * This is a conceptual representation demonstrating the vulnerability logic. * Triggering this requires a LoongArch system with KVM enabled. */ #include <stdio.h> #include <stdlib.h> // Mocking the kernel structure for demonstration struct phyid_map_entry { int state; }; struct kvm_arch_mock { struct phyid_map_entry phys_map[4]; // Assuming size is 4 based on cpuid >= 4 check }; // Vulnerable function logic simulation void eiointc_update_sw_coremap_vulnerable(struct kvm_arch_mock *arch, int coremap_is_empty) { int cpuid; if (coremap_is_empty) { // The bug: assigning -1 when coremap is empty cpuid = -1; printf("[+] Trigger condition met: coremap is empty. cpuid set to -1.\n"); } else { cpuid = 0; } printf("[+] Attempting to access phys_map at index: %d\n", cpuid); // Out-of-bounds access happens here // If cpuid is -1, this accesses memory before phys_map arch->phys_map[cpuid].state = 1; printf("[!] Access completed. System may crash or data leaked.\n"); } int main() { struct kvm_arch_mock mock_arch; // Initialize mock memory for(int i=0; i<4; i++) { mock_arch.phys_map[i].state = 0; } printf("Starting PoC for CVE-2026-31569...\n"); // Simulate the scenario where EIOINTC coremap is empty eiointc_update_sw_coremap_vulnerable(&mock_arch, 1); return 0; }

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-31569", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-04-24T15:16:31.420", "lastModified": "2026-04-27T20:33:04.393", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nLoongArch: KVM: Handle the case that EIOINTC's coremap is empty\n\nEIOINTC's coremap in eiointc_update_sw_coremap() can be empty, currently\nwe get a cpuid with -1 in this case, but we actually need 0 because it's\nsimilar as the case that cpuid >= 4.\n\nThis fix an out-of-bounds access to kvm_arch::phyid_map::phys_map[]."}], "metrics": {"cvssMetricV31": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:H", "baseScore": 7.3, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.0, "impactScore": 4.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-125"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13.1", "versionEndExcluding": "6.18.21", "matchCriteriaId": "539740A6-2448-4C77-8279-4E64A6FD93E4"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "6.19.11", "matchCriteriaId": "4CA2E747-A9EC-4518-9AA2-B4247FC748B7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.13:-:*:*:*:*:*:*", "matchCriteriaId": "5A3F9505-6B98-4269-8B81-127E55A1BF00"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*", "matchCriteriaId": "58A9FEFF-C040-420D-8F0A-BFDAAA1DF258"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*", "matchCriteriaId": "1D2315C0-D46F-4F85-9754-F9E5E11374A6"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*", "matchCriteriaId": "512EE3A8-A590-4501-9A94-5D4B268D6138"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/126053d0a685bf1f2e98db8966386f38b2336338", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/2a0cbcd28ecf6e0b88fa498bebb94bd1be61a7c3", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/b97bd69eb0f67b5f961b304d28e9ba45e202d841", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.