In the Linux kernel, the following vulnerability has been resolved:
virt: sev-guest: Do not use host-controlled page order in cleanup path
When issuing an extended guest request (SVMVMGEXITEXTGUESTREQUEST), getextreport() allocates a buffer to retrieve a certificate blob from the host, keeping track of its size in reportreq->certslen.
However, the host may return SNPGUESTVMMERRINVALIDLEN, indicating an invalid buffer size, as well as the expected length of such buffer. getextreport() subsequently updates reportreq->certs_len with the host-controlled value, and cleans up the buffer by computing a page order from such value. This is incorrect, as the host-provided length may not match the page order of the original allocation, potentially resulting in corruption in the page allocator.
Fix this by using allocpagesexact() instead, and reusing @npages to compute the size passed to freepagesexact(). For consistency, also use @npages to compute the size when allocating the pages, even though this last change has no functional effect.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/52xxx/CVE-2026-52959.json",
"cna_assigner": "Linux"
}