Skip to main content

Linux Kernel mshv CVE-2026-43096

| EUVDEUVD-2026-27602 MEDIUM
Loop with Unreachable Exit Condition (Infinite Loop) (CWE-835)
2026-05-06 Linux
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
Analysis Generated
May 19, 2026 - 22:32 vuln.today
CVSS changed
May 19, 2026 - 20:22 NVD
5.5 (MEDIUM)
Patch available
May 06, 2026 - 11:31 EUVD

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

mshv: Fix infinite fault loop on permission-denied GPA intercepts

Prevent infinite fault loops when guests access memory regions without proper permissions. Currently, mshv_handle_gpa_intercept() attempts to remap pages for all faults on movable memory regions, regardless of whether the access type is permitted. When a guest writes to a read-only region, the remap succeeds but the region remains read-only, causing immediate re-fault and spinning the vCPU indefinitely.

Validate intercept access type against region permissions before attempting remaps. Reject writes to non-writable regions and executes to non-executable regions early, returning false to let the VMM handle the intercept appropriately.

This also closes a potential DoS vector where malicious guests could intentionally trigger these fault loops to consume host resources.

AnalysisAI

Infinite vCPU fault loop in the Linux kernel's mshv (Microsoft Hypervisor) subsystem allows a local guest VM process to permanently spin a host vCPU thread, exhausting host CPU resources. The flaw exists in mshv_handle_gpa_intercept(), which unconditionally attempts page remaps on all movable-memory faults regardless of access permission - when a guest writes to a read-only Guest Physical Address region, the remap succeeds but the region retains its read-only designation, causing an immediate re-fault in a tight loop. Affected kernel versions run from commit b9a66cd5ccbb9fade15d0e427e19470d8ad35b75 through the fix commits; patched releases 6.19.14 and 7.0 are available. No public exploit has been identified and EPSS is 0.01%, consistent with the local, hypervisor-specific attack surface.

Technical ContextAI

The mshv subsystem is the Linux kernel component enabling Linux to operate as a hypervisor atop Microsoft's Hypervisor (Hyper-V) interface, managing Guest Physical Address (GPA) intercepts - traps raised when a guest VM accesses memory in a way the hypervisor must handle. The vulnerable function mshv_handle_gpa_intercept() processes these traps for movable memory regions but fails to validate the intercept access type (read/write/execute) against the region's permission flags before attempting a page remap. This is classified as CWE-835 (Loop with Unreachable Exit Condition): the loop exit condition - a successful remap that satisfies the access - can never be reached when the access type is inherently forbidden by region permissions, making termination structurally impossible without external intervention. CPE data confirms this is specific to the Linux kernel package (cpe:2.3:a:linux:linux). The bug is triggered via the hypervisor's GPA intercept delivery path and is not reachable through standard POSIX syscall interfaces.

RemediationAI

The primary fix is upgrading to Linux kernel 6.19.14 or Linux 7.0, which include the validated access-type check in mshv_handle_gpa_intercept() before any remap is attempted. Patch commits are available at https://git.kernel.org/stable/c/02226839079ccc558820a3b25c4c46812927b4ba (6.19.x branch) and https://git.kernel.org/stable/c/16cbec24897624051b324aa3a85859c38ca65fde (mainline branch). For environments that cannot immediately update, compensating controls include restricting guest VM privilege levels so untrusted workloads cannot trigger targeted memory access patterns, and enforcing vCPU scheduling limits or watchdog timeouts at the hypervisor layer to bound the duration any single vCPU can spin - note that such throttling introduces latency for legitimate fault handling. Disabling movable memory regions in guest configurations, if operationally feasible, eliminates the code path entirely but may impact memory hot-plug functionality.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43096 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy