Skip to main content

Linux Kernel KVM CVE-2026-43315

| EUVDEUVD-2026-28585 MEDIUM
2026-05-08 Linux GHSA-fmhq-qfjw-fm2x
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 15, 2026 - 17:08 vuln.today
CVSS changed
May 15, 2026 - 17:07 NVD
5.5 (MEDIUM)
Patch available
May 08, 2026 - 14:33 EUVD
CVE Published
May 08, 2026 - 13:11 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

KVM: nSVM: Remove a user-triggerable WARN on nested_svm_load_cr3() succeeding

Drop the WARN in svm_set_nested_state() on nested_svm_load_cr3() failing as it is trivially easy to trigger from userspace by modifying CPUID after loading CR3. E.g. modifying the state restoration selftest like so:

--- tools/testing/selftests/kvm/x86/state_test.c +++ tools/testing/selftests/kvm/x86/state_test.c @@ -280,7 +280,16 @@ int main(int argc, char *argv[])

/* Restore state in a new VM. */ vcpu = vm_recreate_with_one_vcpu(vm);

  • vcpu_load_state(vcpu, state);

+ + if (stage == 4) { + state->sregs.cr3 = BIT(44); + vcpu_load_state(vcpu, state); + + vcpu_set_cpuid_property(vcpu, X86_PROPERTY_MAX_PHY_ADDR, 36); + __vcpu_nested_state_set(vcpu, &state->nested); + } else { + vcpu_load_state(vcpu, state); + }

/*

  • Restore XSAVE state in a dummy vCPU, first without doing

generates:

WARNING: CPU: 30 PID: 938 at arch/x86/kvm/svm/nested.c:1877 svm_set_nested_state+0x34a/0x360 [kvm_amd] Modules linked in: kvm_amd kvm irqbypass [last unloaded: kvm] CPU: 30 UID: 1000 PID: 938 Comm: state_test Tainted: G W 6.18.0-rc7-58e10b63777d-next-vm Tainted: [W]=WARN Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 RIP: 0010:svm_set_nested_state+0x34a/0x360 [kvm_amd] Call Trace: <TASK> kvm_arch_vcpu_ioctl+0xf33/0x1700 [kvm] kvm_vcpu_ioctl+0x4e6/0x8f0 [kvm] __x64_sys_ioctl+0x8f/0xd0 do_syscall_64+0x61/0xad0 entry_SYSCALL_64_after_hwframe+0x4b/0x53

Simply delete the WARN instead of trying to prevent userspace from shoving "illegal" state into CR3. For better or worse, KVM's ABI allows userspace to set CPUID after SREGS, and vice versa, and KVM is very permissive when it comes to guest CPUID. I.e. attempting to enforce the virtual CPU model when setting CPUID could break userspace. Given that the WARN doesn't provide any meaningful protection for KVM or benefit for userspace, simply drop it even though the odds of breaking userspace are minuscule.

Opportunistically delete a spurious newline.

AnalysisAI

Local users with low privileges can trigger a denial of service in Linux kernel KVM (Kernel-based Virtual Machine) by manipulating nested virtualization state on AMD SVM systems. The vulnerability allows unprivileged users to cause a kernel warning and potential system instability by modifying CPUID after loading CR3 register state in nested SVM configurations. With CVSS 5.5 (AV:L/AC:L/PR:L) and low EPSS (0.02%), this represents a localized availability risk rather than a critical remote threat. Vendor patches are available across multiple kernel versions (5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0).

Technical ContextAI

This vulnerability affects the KVM (Kernel-based Virtual Machine) subsystem in the Linux kernel, specifically the nested SVM (Secure Virtual Machine) implementation for AMD processors. The issue resides in the svm_set_nested_state() function in arch/x86/kvm/svm/nested.c, where a WARN condition can be triggered by userspace through the KVM_SET_NESTED_STATE ioctl. The root cause stems from KVM's permissive ABI that allows userspace to set CPUID and SREGS (special registers including CR3) in any order, creating a race condition where CR3 state loaded with one physical address size limit can become invalid after CPUID modification reduces the maximum physical address bits. The nested_svm_load_cr3() function validates CR3 against CPUID-derived physical address constraints, and the WARN fires when this validation fails after userspace-initiated state changes. CPE data confirms this affects the general Linux kernel codebase (cpe:2.3:a:linux:linux) across multiple stable branches starting from kernel 5.14 where the problematic code path was introduced in commit b222b0b88162.

RemediationAI

Apply vendor-released patches immediately to affected systems. Upgrade to fixed kernel versions: 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, or 7.0 and later. Patches are available from the Linux kernel stable tree at git.kernel.org/stable with specific fix commits listed in references (commit IDs 155ec243ef72, 580ea5784086, deb8f6dfd31d, ce904c8a5bbe, 969e5e13ff5c, ebb2ab4f1c87, fc3ba56385d0). The fix removes the user-triggerable WARN statement without changing functional behavior, preventing unprivileged users from causing kernel warnings through the KVM ioctl interface. For environments where immediate patching is not feasible, implement compensating controls: restrict /dev/kvm access to trusted administrative users only by modifying udev rules or group membership (default kvm group), or disable nested virtualization support by setting kvm-amd.nested=0 kernel parameter at boot (trade-off: breaks legitimate nested VM use cases). Monitor for unusual patterns of KVM ioctl calls in audit logs. In multi-tenant environments, consider namespace isolation or seccomp filters to restrict KVM_SET_NESTED_STATE ioctl access (trade-off: increased configuration complexity and potential breakage of VM management tools). Full remediation details at https://git.kernel.org/stable and distribution-specific security advisories.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43315 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy