CVE-2026-31470

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> virt: tdx-guest: Fix handling of host controlled &amp;#39;quote&amp;#39; buffer length<br /> <br /> Validate host controlled value `quote_buf-&gt;out_len` that determines how<br /> many bytes of the quote are copied out to guest userspace. In TDX<br /> environments with remote attestation, quotes are not considered private,<br /> and can be forwarded to an attestation server.<br /> <br /> Catch scenarios where the host specifies a response length larger than<br /> the guest&amp;#39;s allocation, or otherwise races modifying the response while<br /> the guest consumes it.<br /> <br /> This prevents contents beyond the pages allocated for `quote_buf`<br /> (up to TSM_REPORT_OUTBLOB_MAX) from being read out to guest userspace,<br /> and possibly forwarded in attestation requests.<br /> <br /> Recall that some deployments want per-container configs-tsm-report<br /> interfaces, so the leak may cross container protection boundaries, not<br /> just local root.