Hi Greg,

On 24.03.26 13:31, Greg KH wrote:
> On Tue, Mar 24, 2026 at 01:16:08PM +0100, Greg KH wrote:
>> On Tue, Mar 24, 2026 at 12:05:44PM +0000, Xen.org security team wrote:
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA256
>>>
>>>                      Xen Security Advisory XSA-482
>>>                                version 2
>>>
>>>            Linux privcmd driver can circumvent kernel lockdown
>>>
>>> UPDATES IN VERSION 2
>>> ====================
>>>
>>> Public release.
>>>
>>> ISSUE DESCRIPTION
>>> =================
>>>
>>> The Linux kernel's privcmd driver can be abused to circumvent kernel
>>> lockdown (secure boot), e.g. by modifying page tables to enable user
>>> mode to modify kernel memory.
>>>
>>> The CNA covering Linux has refused to assign a CVE at this juncture.
>>
>> This is now assigned to CVE-2026-31788
>
> And, to be more clear, the kernel CNA should have given you a CVE
> earlier, sorry about that, that was my fault.  We had been "burned" by
> other groups/companies asking for CVEs "ahead of time" for Linux for
> things that turned out to be wrong or not needing a CVE at all at the
> same time you all asked for one, so I reacted much more harshly here than you
> all deserved by saying we would assign one once the issue was public.  I
> should have trusted you as obviously you know what you are doing here
> and should have gotten a CVE for your accounting earlier.
>
> Again, my fault, sorry about that. If you all need one in the future for
> any issue, we will assign it ahead of time.

Thanks for the notice.

Such things happen as nobody is perfect.

Stay tuned for future CVE requests. :-)


Juergen
