Skip to main content

Linux CVE-2026-23425

| EUVDEUVD-2026-18647 HIGH
2026-04-03 Linux GHSA-23qp-f5g5-j76h
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
SUSE
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

8
Re-analysis Queued
Apr 27, 2026 - 14:22 vuln.today
cvss_changed
Severity Changed
Apr 27, 2026 - 14:22 NVD
MEDIUM HIGH
CVSS changed
Apr 27, 2026 - 14:22 NVD
5.5 (MEDIUM) 8.8 (HIGH)
CVSS changed
Apr 23, 2026 - 21:11 NVD
5.5 (MEDIUM)
Patch available
Apr 16, 2026 - 05:29 EUVD
7e7c2cf0024d89443a7af52e09e47b1fe634ab17,858620655c1fbff05997e162fc7d83a3293d5142
EUVD ID Assigned
Apr 03, 2026 - 13:45 euvd
EUVD-2026-18647
Analysis Generated
Apr 03, 2026 - 13:45 vuln.today
CVE Published
Apr 03, 2026 - 13:24 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

KVM: arm64: Fix ID register initialization for non-protected pKVM guests

In protected mode, the hypervisor maintains a separate instance of the kvm structure for each VM. For non-protected VMs, this structure is initialized from the host's kvm state.

Currently, pkvm_init_features_from_host() copies the KVM_ARCH_FLAG_ID_REGS_INITIALIZED flag from the host without the underlying id_regs data being initialized. This results in the hypervisor seeing the flag as set while the ID registers remain zeroed.

Consequently, kvm_has_feat() checks at EL2 fail (return 0) for non-protected VMs. This breaks logic that relies on feature detection, such as ctxt_has_tcrx() for TCR2_EL1 support. As a result, certain system registers (e.g., TCR2_EL1, PIR_EL1, POR_EL1) are not saved/restored during the world switch, which could lead to state corruption.

Fix this by explicitly copying the ID registers from the host kvm to the hypervisor kvm for non-protected VMs during initialization, since we trust the host with its non-protected guests' features. Also ensure KVM_ARCH_FLAG_ID_REGS_INITIALIZED is cleared initially in pkvm_init_features_from_host so that vm_copy_id_regs can properly initialize them and set the flag once done.

AnalysisAI

Linux kernel KVM ARM64 fails to properly initialize ID registers for non-protected pKVM guests, causing feature detection checks to incorrectly return zero and preventing proper save/restore of system registers like TCR2_EL1 during world switches, potentially leading to state corruption. The vulnerability affects the hypervisor's ability to detect CPU features in non-protected virtual machines despite the initialization flag being incorrectly set. This is a kernel-level logic error that impacts system register handling in ARM64 virtualization.

Technical ContextAI

The vulnerability exists in the ARM64 KVM hypervisor implementation, specifically in the protected mode (pKVM) guest initialization logic. The pkvm_init_features_from_host() function copies the KVM_ARCH_FLAG_ID_REGS_INITIALIZED flag from the host without ensuring the underlying ID register data is actually present in the hypervisor's kvm structure. ID registers are CPU capability registers (like MIDR, ID_AA64MMFR0_EL1, etc.) that indicate what features a CPU supports. The kvm_has_feat() function relies on these registers being initialized to determine if specific features are available. For non-protected VMs, the hypervisor should copy the ID register state from the host during initialization, but the current code incorrectly signals completion without performing this copy. This causes downstream code like ctxt_has_tcrx() to fail in feature detection, leading to incomplete save/restore of system registers (TCR2_EL1, PIR_EL1, POR_EL1) during VM world switches. The root cause is a flag-data synchronization issue in the initialization path specific to ARM64's KVM protected mode virtualization.

RemediationAI

Apply the upstream kernel fix by updating to a kernel version containing commit bce3847f7c51b86332bf2e554c9e80ca3820f16c or later from the stable kernel branch. The fix involves modifying pkvm_init_features_from_host() to clear the KVM_ARCH_FLAG_ID_REGS_INITIALIZED flag initially and ensuring vm_copy_id_regs() is called to properly initialize ID registers from the host for non-protected guests before the flag is set. Distributions should backport these changes to their supported kernel versions if not already present. The fix is minimal and focused on the ARM64 KVM protected mode initialization path, so cherry-picking into stable branches is low-risk. Refer to git.kernel.org stable tree references for the exact patches: https://git.kernel.org/stable/c/bce3847f7c51b86332bf2e554c9e80ca3820f16c and related commits.

Vendor StatusVendor

SUSE

Severity: High
Product Status
Image SLES-CHOST-BYOS-GDC Image SLES-CHOST-BYOS-SAP-CCloud Image SLES-GCE-3P Affected
SUSE Linux Micro 6.2 Fixed
openSUSE Leap 16.0 Fixed
SUSE Linux Enterprise Server 16.0 Affected
SUSE Linux Enterprise Desktop 15 SP7 Fixed

Share

CVE-2026-23425 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy