{
  "affected": [
    {
      "ranges": [
        {
          "events": [
            {
              "introduced": "3e385c0d6ce88ac9916dcf84267bd5855d830748"
            },
            {
              "fixed": "3f6fb0211b39aaa1b841260681dd02ca6b693ed5"
            },
            {
              "fixed": "9e48b4f813d2c3db75d522aa82ab705ce04b7e2d"
            },
            {
              "fixed": "23e6a1ca04ae44806439a5a446e62e4d42e80bb4"
            }
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "type": "GIT"
        },
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0b16521f95c875e79d657cb8d6911c15080dbb80"
            }
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "type": "GIT"
        },
        {
          "events": [
            {
              "introduced": "6.13.8"
            },
            {
              "fixed": "6.14"
            }
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "type": "GIT"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Linux",
        "name": "Kernel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.14.0"
            },
            {
              "fixed": "6.18.33"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.19.0"
            },
            {
              "fixed": "7.0.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "database_specific": {
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/52xxx/CVE-2026-52959.json"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirt: sev-guest: Do not use host-controlled page order in cleanup path\n\nWhen issuing an extended guest request (SVM_VMGEXIT_EXT_GUEST_REQUEST),\nget_ext_report() allocates a buffer to retrieve a certificate blob from the\nhost, keeping track of its size in report_req-\u003ecerts_len.\n\nHowever, the host may return SNP_GUEST_VMM_ERR_INVALID_LEN, indicating\nan invalid buffer size, as well as the expected length of such buffer.\nget_ext_report() subsequently updates report_req-\u003ecerts_len with the\nhost-controlled value, and cleans up the buffer by computing a page order\nfrom such value. This is incorrect, as the host-provided length may not\nmatch the page order of the original allocation, potentially resulting\nin corruption in the page allocator.\n\nFix this by using alloc_pages_exact() instead, and reusing @npages to\ncompute the size passed to free_pages_exact(). For consistency, also\nuse @npages to compute the size when allocating the pages, even though\nthis last change has no functional effect.",
  "id": "CVE-2026-52959",
  "modified": "2026-07-12T03:55:01.879476707Z",
  "published": "2026-06-24T16:28:40.391Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/23e6a1ca04ae44806439a5a446e62e4d42e80bb4"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3f6fb0211b39aaa1b841260681dd02ca6b693ed5"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9e48b4f813d2c3db75d522aa82ab705ce04b7e2d"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/52xxx/CVE-2026-52959.json"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-52959"
    },
    {
      "type": "PACKAGE",
      "url": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"
    }
  ],
  "schema_version": "1.7.5",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "virt: sev-guest: Do not use host-controlled page order in cleanup path"
}