CVE-2026-31564 Overview
CVE-2026-31564 is a kernel vulnerability in the Linux kernel's LoongArch Kernel-based Virtual Machine (KVM) subsystem. The flaw resides in the kvm_eiointc_regs_access() function, where the register base address is calculated incorrectly. The implementation adds an offset to an array base address declared as u64, instead of first converting the base to a void * pointer. This pointer-arithmetic error produces incorrect memory addresses when accessing Extended I/O Interrupt Controller (EIOINTC) registers, leading to availability impact on the host system running LoongArch KVM guests.
Critical Impact
A local authenticated user interacting with the LoongArch KVM EIOINTC interface can trigger incorrect memory access, causing high availability impact on the host kernel.
Affected Products
- Linux Kernel 6.19
- Linux Kernel 7.0 release candidates rc1 through rc7
- Linux Kernel builds with LoongArch KVM support enabled
Discovery Timeline
- 2026-04-24 - CVE-2026-31564 published to NVD
- 2026-04-27 - Last updated in NVD database
Technical Details for CVE-2026-31564
Vulnerability Analysis
The vulnerability exists in the LoongArch KVM EIOINTC register access path. The function kvm_eiointc_regs_access() computes the address of a target register by combining an array base address with a byte offset. The byte offset is intended to be measured in bytes relative to the start of the register region.
In C, pointer arithmetic on a u64 * increments the address in 8-byte units rather than single bytes. Because the base pointer is typed as u64, adding the offset scales it incorrectly, producing an address far outside the intended register layout. This is a classic kernel pointer-arithmetic flaw categorized under improper input validation and out-of-bounds access.
Root Cause
The root cause is incorrect C pointer arithmetic. The array base address was used as a u64 pointer, so adding the absolute byte offset advanced the pointer by offset * sizeof(u64) bytes instead of offset bytes. The fix casts the base to void * before adding the offset, ensuring byte-level pointer arithmetic.
Attack Vector
Exploitation requires local access with low privileges on a host running an affected LoongArch kernel with KVM enabled. An attacker with permission to interact with the KVM device interface, typically through /dev/kvm ioctls against a virtual machine's EIOINTC, can trigger the faulty calculation. The result is a kernel-side out-of-bounds memory access that can crash the host, producing a denial-of-service condition. No remote vector, user interaction, or memory confidentiality or integrity compromise is indicated by the CVSS vector.
The vulnerability is described in prose only; no proof-of-concept code is published. Refer to the upstream commits at git.kernel.org commit 6bcfb7f4 and git.kernel.org commit c4f0a948 for the corrective patches.
Detection Methods for CVE-2026-31564
Indicators of Compromise
- Unexpected kernel oops or panic traces referencing kvm_eiointc_regs_access in dmesg or /var/log/kern.log on LoongArch hosts.
- Repeated KVM ioctl failures from unprivileged or low-privileged virtualization processes targeting EIOINTC registers.
- Sudden termination or hang of qemu-kvm or other KVM-based guest processes on LoongArch systems.
Detection Strategies
- Inventory all LoongArch systems and identify kernel versions 6.19 and 7.0-rc1 through 7.0-rc7 with KVM support enabled.
- Monitor kernel logs for out-of-bounds memory access warnings, KASAN reports, or page faults originating in the arch/loongarch/kvm/ code paths.
- Audit which local users and service accounts have permission to open /dev/kvm and issue KVM ioctls.
Monitoring Recommendations
- Forward kernel logs from LoongArch hosts to a centralized log analysis platform and alert on KVM-related stack traces.
- Track process-level access to /dev/kvm and correlate with unexpected host reboots or kernel crashes.
- Review host availability metrics for unexplained downtime on LoongArch virtualization hosts.
How to Mitigate CVE-2026-31564
Immediate Actions Required
- Update affected LoongArch hosts to a kernel build that includes the upstream fix commits referenced in the vendor advisory.
- Restrict access to /dev/kvm to trusted virtualization service accounts only, using group ownership and file permissions.
- Disable KVM on LoongArch hosts where virtualization is not required until patches are applied.
Patch Information
The Linux kernel maintainers fixed the issue by casting the array base address to void * prior to adding the byte offset in kvm_eiointc_regs_access(). The corrective changes are available in the upstream Linux kernel tree at Linux Kernel commit 6bcfb7f4 and Linux Kernel commit c4f0a948. Distributors shipping LoongArch builds should backport both commits to maintained kernel branches.
Workarounds
- Limit local shell and SSH access on LoongArch hosts to administrators only, reducing the pool of users able to invoke KVM ioctls.
- Disable the LoongArch KVM module (modprobe -r kvm) on hosts that do not run virtualized workloads.
- Apply mandatory access controls such as SELinux or AppArmor profiles to restrict /dev/kvm access from unprivileged processes.
# Configuration example: restrict /dev/kvm access to the kvm group only
sudo chown root:kvm /dev/kvm
sudo chmod 0660 /dev/kvm
# Verify running kernel version on a LoongArch host
uname -r
# Unload the KVM module on hosts that do not require virtualization
sudo modprobe -r kvm
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
