PT-2026-27499 · Linux+1 · Linux Kernel+1

Published: 2026-01-01 · Updated: 2026-04-25 · CVE-2026-31788

CVSS v3.1: 8.2 (High)

Vector: AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Linux kernel (affected versions not specified)

Description

The Xen privcmd driver allows user space processes to issue arbitrary hypercalls. Normally, access is limited to root and the hypervisor denies hypercalls affecting other domains. However, when a guest is booted using secure boot, an unprivileged domU process could potentially modify kernel memory contents, breaking the secure boot feature. The issue arises because the privcmd driver can be used to issue hypercalls from user space, even in unprivileged domUs. The driver can be locked down to allow only hypercalls targeting a specific domain, but this mode can be activated from user land. The target domain can be obtained from Xenstore. PV, PVH and HVM guests running Linux using secure boot are vulnerable.

Recommendations

Restrict the privcmd driver to a specific target domain from the beginning, obtained from Xenstore, when not running in dom0.
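
A triage sketch for the exposure conditions named in the description (Xen guest, not dom0, secure boot on, privcmd reachable). This is an added example, not part of the advisory or the kernel fix. The sysfs, procfs, efivars and device paths are the standard Linux locations and are assumptions that do not come from this page. The result describes exposure only; patch status has to be taken from the vendor advisories listed under Related Identifiers.

```shell
#!/bin/sh
# Added example: classify a host against the conditions in the description.
# Every check takes a root prefix so it can be run on a mounted guest image
# or a constructed test tree; an empty prefix means the live system.

# Standard EFI global-variable GUID for the SecureBoot variable.
SB_VAR="sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"

is_xen_guest() {   # the kernel reports "xen" when running on Xen
    [ -r "$1/sys/hypervisor/type" ] &&
        [ "$(cat "$1/sys/hypervisor/type")" = "xen" ]
}

is_dom0() {        # needs xenfs mounted; dom0 advertises control_d
    grep -qs control_d "$1/proc/xen/capabilities"
}

secure_boot_on() { # efivars file: 4 attribute bytes, then 1 data byte
    f="$1/$SB_VAR"
    [ -r "$f" ] || return 1
    [ "$(od -An -tu1 -j4 -N1 "$f" | tr -d ' \n')" = "1" ]
}

privcmd_present() { # device node, or the legacy xenfs entry
    [ -e "$1/dev/xen/privcmd" ] || [ -e "$1/proc/xen/privcmd" ]
}

assess() {
    root="${1:-}"
    if ! is_xen_guest "$root"; then echo "not-xen"; return; fi
    if is_dom0 "$root"; then echo "dom0"; return; fi
    if ! secure_boot_on "$root"; then echo "domU-no-secure-boot"; return; fi
    if privcmd_present "$root"; then
        echo "domU-secure-boot-privcmd-exposed"
    else
        echo "domU-secure-boot-no-privcmd"
    fi
}

# Live system by default; set ROOT to inspect a mounted image instead.
assess "${ROOT:-}"
```

Hosts reporting `domU-secure-boot-privcmd-exposed` are the ones to check against the vendor's fixed kernel first.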

Exploit

Fix

Related Identifiers

CVE-2026-31788
ECHO-3D3F-9144-B734
OESA-2026-1862
OESA-2026-1863
OESA-2026-1864
OESA-2026-1950
OPENSUSE-SU-2026:20572-1
SUSE-SU-2026:1573-1
SUSE-SU-2026:1643-1
SUSE-SU-2026:1661-1
SUSE-SU-2026:21114-1
SUSE-SU-2026:21123-1
SUSE-SU-2026:21237-1
SUSE-SU-2026:21255-1
SUSE-SU-2026:21352-1
SUSE-SU-2026:21361-1

Affected Products

Linux Kernel
Xen