Skip to main content

Linux Kernel KVM CVE-2026-31553

| EUVDEUVD-2026-25446 HIGH
2026-04-24 Linux GHSA-6xvj-cpww-rx88
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
SUSE
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

8
Re-analysis Queued
Apr 27, 2026 - 20:22 vuln.today
cvss_changed
Patch released
Apr 27, 2026 - 20:15 nvd
Patch available
Analysis Generated
Apr 27, 2026 - 15:28 vuln.today
CVSS changed
Apr 27, 2026 - 15:22 NVD
8.8 (HIGH)
Patch available
Apr 24, 2026 - 16:01 EUVD
EUVD ID Assigned
Apr 24, 2026 - 15:00 euvd
EUVD-2026-25446
Analysis Generated
Apr 24, 2026 - 15:00 vuln.today
CVE Published
Apr 24, 2026 - 14:35 nvd
HIGH 8.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

KVM: arm64: Fix the descriptor address in __kvm_at_swap_desc()

Using "(u64 __user *)hva + offset" to get the virtual addresses of S1/S2 descriptors looks really wrong, if offset is not zero. What we want to get for swapping is hva + offset, not hva + offset*8. ;-)

Fix it.

AnalysisAI

Address calculation error in Linux kernel KVM on ARM64 allows local authenticated attackers with low privileges to corrupt memory descriptors, potentially enabling container escape or privilege escalation to compromise host integrity and confidentiality. The vulnerability affects KVM's stage-1/stage-2 page table descriptor swapping logic where pointer arithmetic incorrectly multiplies the offset by 8, causing writes to unintended memory locations. Vendor patches available for Linux 6.19.11 and mainline with EPSS exploitation probability at 5th percentile, indicating low observed exploitation despite high CVSS severity.

Technical ContextAI

This vulnerability resides in KVM (Kernel-based Virtual Machine) for ARM64 architecture, specifically in the __kvm_at_swap_desc() function responsible for swapping stage-1 and stage-2 page table descriptors during virtualization operations. The CPE data identifies this as affecting the Linux kernel's KVM implementation. The bug is a classic pointer arithmetic error: the code uses '(u64 __user *)hva + offset' which, because u64 pointers advance by 8 bytes per increment in C, incorrectly calculates the target address as hva + (offset * 8) instead of the intended hva + offset. This causes descriptor operations to target wrong memory addresses. Stage-1 and stage-2 page tables are critical to ARM64 virtualization's two-stage address translation, where stage-1 handles guest virtual-to-intermediate physical addresses and stage-2 maps intermediate physical to host physical addresses. Corrupting these descriptors can break memory isolation between virtual machines or between guest and host.

RemediationAI

Upgrade to patched Linux kernel versions: 6.19.11 or later for the 6.19 stable branch, version 7.0 or later for mainline. Upstream fixes are available in commits 4307e05e568782fc92eff651b09ee5dee88a058d and 0496acc42fb51eee040b5170cec05cec41385540 as documented at https://git.kernel.org/stable/c/4307e05e568782fc92eff651b09ee5dee88a058d and https://git.kernel.org/stable/c/0496acc42fb51eee040b5170cec05cec41385540. For environments unable to immediately patch, consider compensating controls: disable nested virtualization on ARM64 KVM hosts if not required for business operations (eliminates attack surface but impacts functionality for workloads requiring nested VMs); implement strict access controls and monitoring on guest VM access to limit exposure to trusted users only (reduces likelihood but does not prevent exploitation by compromised or malicious insiders); deploy intrusion detection monitoring for abnormal KVM memory access patterns (detection-focused, does not prevent initial exploitation). Note that disabling KVM entirely is impractical for virtualization infrastructure. Prioritize patching for multi-tenant ARM64 environments and systems hosting untrusted guest workloads. Testing kernel updates in non-production environments before production deployment is recommended to avoid stability issues.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-31553 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy