Skip to main content

Linux Kernel KVM CVE-2026-43133

| EUVDEUVD-2026-27695 HIGH
Function Call with Incorrectly Specified Arguments (CWE-628)
2026-05-06 Linux GHSA-g9j5-v9rr-m845
7.9
CVSS 3.1 · Vendor: Linux
Share

Severity by source

Vendor (Linux) PRIMARY
7.9 HIGH
AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:H
SUSE
HIGH
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from Vendor (Linux).

CVSS VectorVendor: Linux

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 08, 2026 - 13:30 vuln.today
CVSS changed
May 08, 2026 - 13:22 NVD
7.9 (HIGH)
Patch available
May 06, 2026 - 13:32 EUVD
CVE Published
May 06, 2026 - 11:27 nvd
HIGH 7.9

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

KVM: nSVM: Always use vmcb01 in VMLOAD/VMSAVE emulation

Commit cc3ed80ae69f ("KVM: nSVM: always use vmcb01 to for vmsave/vmload of guest state") made KVM always use vmcb01 for the fields controlled by VMSAVE/VMLOAD, but it missed updating the VMLOAD/VMSAVE emulation code to always use vmcb01.

As a result, if VMSAVE/VMLOAD is executed by an L2 guest and is not intercepted by L1, KVM will mistakenly use vmcb02. Always use vmcb01 instead of the current VMCB.

AnalysisAI

Nested AMD SVM virtualization in Linux kernel KVM incorrectly handles VMLOAD/VMSAVE emulation, allowing local privileged attackers in L2 guests to read and write L1 guest state, potentially escalating privileges or causing denial of service. This affects kernels since commit cc3ed80ae69f (v5.13+) and has been patched in stable releases 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, and mainline 7.0. With 7.9 CVSS (HIGH severity) but only 0.02% EPSS, this is a lower-probability threat requiring local authenticated access to nested virtualization environments. No public exploit or active exploitation (KEV) identified at time of analysis.

Technical ContextAI

This vulnerability affects the Linux kernel's KVM (Kernel-based Virtual Machine) subsystem, specifically the nested SVM (AMD Secure Virtual Machine) implementation. Nested virtualization allows a guest VM (L1) to run its own guest VMs (L2). The VMLOAD and VMSAVE instructions are AMD-specific CPU instructions that save and restore guest processor state. The kernel maintains two VMCB (Virtual Machine Control Block) structures: vmcb01 for L1 guest state and vmcb02 for L2 guest state. A previous fix (commit cc3ed80ae69f) correctly isolated these structures for security, but the emulation code path for VMLOAD/VMSAVE instructions executed by L2 guests was not updated. When L1 does not intercept these instructions from L2, KVM's emulation mistakenly operates on vmcb02 instead of vmcb01, allowing L2 to access L1's state. This represents a virtualization boundary violation, a critical security property for cloud and multi-tenant environments. The affected CPE strings indicate this impacts all Linux kernel configurations with KVM and nested SVM support enabled.

RemediationAI

Upgrade to patched Linux kernel versions: 5.15.202+ for 5.15.x series, 6.1.165+ for 6.1.x, 6.6.128+ for 6.6.x, 6.12.75+ for 6.12.x, 6.18.16+ for 6.18.x, 6.19.6+ for 6.19.x, or 7.0+ for mainline kernels. Patches are available from kernel.org stable repositories via commits 10063e1251c1485034a018236080792ad083dcc5, c3b7015000988ba35ecd5648f4b2283960f00543, 3880e331b0b31d0d5d3702b124f6c93539cd478a, fce2fd4a2ca05670a91015aacccf96a1c26268fd, d464cf1ed900d47c85393d40b00017b6adfc2e6c, 0004ecb798b30e90d7ebfe74efae2d9423315a64, and 127ccae2c185f62e6ecb4bf24f9cb307e9b9c619. If immediate patching is not feasible, disable nested virtualization on AMD-based KVM hosts by setting the kvm_amd module parameter nested=0 (add 'options kvm_amd nested=0' to /etc/modprobe.d/kvm.conf and reload the module or reboot). This workaround prevents L1 guests from running their own nested guests, which may break legitimate use cases in development or testing environments but eliminates the attack surface. Alternatively, configure L1 hypervisors to always intercept VMLOAD/VMSAVE instructions from L2 guests, though this requires L1 hypervisor configuration changes and may impact performance. For multi-tenant cloud environments, prioritize patching hosts running untrusted nested workloads.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43133 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy