Skip to main content

Linux Kernel KVM CVE-2026-43351

| EUVDEUVD-2026-28657 MEDIUM
2026-05-08 Linux GHSA-r4j8-j92h-3745
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
Analysis Generated
May 15, 2026 - 19:40 vuln.today
CVSS changed
May 15, 2026 - 19:37 NVD
5.5 (MEDIUM)
CVE Published
May 08, 2026 - 14:21 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

KVM: arm64: Eagerly init vgic dist/redist on vgic creation

If vgic_allocate_private_irqs_locked() fails for any odd reason, we exit kvm_vgic_create() early, leaving dist->rd_regions uninitialised.

kvm_vgic_dist_destroy() then comes along and walks into the weeds trying to free the RDs. Got to love this stuff.

Solve it by moving all the static initialisation early, and make sure that if we fail halfway, we're in a reasonable shape to perform the rest of the teardown. While at it, reset the vgic model on failure, just in case...

AnalysisAI

Denial of service in Linux kernel KVM/arm64 vGIC subsystem allows local authenticated users with low privileges to crash the hypervisor via use-after-free during virtual interrupt controller teardown. CVSS rates this 5.5 (medium severity, local vector), but EPSS exploitation probability is very low at 0.02% (4th percentile). Patches available across multiple stable kernel versions (6.18.19, 6.19.9, 7.0). No active exploitation confirmed per CISA KEV, and the local-only attack vector with specific KVM/ARM64 deployment requirements limits real-world impact to environments running ARM64 virtualization workloads.

Technical ContextAI

This vulnerability affects the Virtual Generic Interrupt Controller (vGIC) implementation in KVM for ARM64 architectures. The vGIC emulates ARM's interrupt controller hardware for virtual machines. During vGIC creation via kvm_vgic_create(), if the private IRQ allocation function vgic_allocate_private_irqs_locked() fails, the code exits early without initializing the dist->rd_regions (redistributor regions) data structure. Subsequently, when kvm_vgic_dist_destroy() attempts cleanup, it traverses the uninitialized rd_regions structure, causing a use-after-free or null pointer dereference condition. The affected CPE strings (cpe:2.3:a:linux:linux) indicate broad Linux kernel impact, specifically the ARM64 KVM subsystem introduced in commit b3aa9283c0c505b5cfd25f7d6cfd720de2adc807. The fix refactors initialization order to ensure data structures are in a consistent state even during partial initialization failures, and resets the vgic model on error paths to prevent teardown code from operating on corrupted state.

RemediationAI

Upgrade to patched Linux kernel versions: 7.0 or later for mainline users, 6.19.9+ for 6.19.x stable branch users, or 6.18.19+ for 6.18.x stable branch users. Patches are available via kernel.org stable tree at the reference URLs provided. For systems unable to immediately patch, implement compensating controls: (1) Restrict local user access to ARM64 KVM hosts using mandatory access controls (SELinux/AppArmor policies) to prevent untrusted users from creating KVM virtual machines - trade-off is reduced multi-tenancy flexibility, (2) Deploy resource limits via cgroups to prevent memory exhaustion conditions that could trigger vgic_allocate_private_irqs_locked() failures - may impact VM density and performance under legitimate load, (3) Monitor kernel logs for vGIC allocation failures and implement automated VM restart policies to recover from crash conditions - does not prevent exploitation but reduces availability impact. Note that disabling KVM entirely eliminates risk but removes virtualization capabilities. Upstream fix commits: ac6769c8f948 (mainline), b7493f48c3db and a24f1d80fbcd (stable). Validate patch application by checking kernel version post-upgrade and reviewing git log for the specific commit hashes.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43351 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy