Skip to main content

Linux Kernel CVE-2026-45987

| EUVDEUVD-2026-32283 MEDIUM
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-x4f8-qj9g-g99w
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.5 MEDIUM

Local access and VMM-level privileges required (AV:L, PR:L); ioctl ordering condition is reproducible once present (AC:L); only L2 guest availability impacted, no confidentiality or integrity effect.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative
Red Hat
5.5 LOW
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 16, 2026 - 14:10 vuln.today
CVSS changed
Jun 16, 2026 - 14:07 NVD
5.5 (MEDIUM)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
MEDIUM 5.5
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

KVM: nSVM: Sync interrupt shadow to cached vmcb12 after VMRUN of L2

After VMRUN in guest mode, nested_sync_control_from_vmcb02() syncs fields written by the CPU from vmcb02 to the cached vmcb12. This is because the cached vmcb12 is used as the authoritative copy of some of the controls, and is the payload when saving/restoring nested state.

int_state is also written by the CPU, specifically bit 0 (i.e. SVM_INTERRUPT_SHADOW_MASK) for nested VMs, but it is not sync'd to cached vmcb12. This does not cause a problem if KVM_SET_NESTED_STATE preceeds KVM_SET_VCPU_EVENTS in the restore path, as an interrupt shadow would be correctly restored to vmcb02 (KVM_SET_VCPU_EVENTS overwrites what KVM_SET_NESTED_STATE restored in int_state).

However, if KVM_SET_VCPU_EVENTS preceeds KVM_SET_NESTED_STATE, an interrupt shadow would be restored into vmcb01 instead of vmcb02. This would mostly be benign for L1 (delays an interrupt), but not for L2. For L2, the vCPU could hang (e.g. if a wakeup interrupt is delivered before a HLT that should have been in an interrupt shadow).

Sync int_state to the cached vmcb12 in nested_sync_control_from_vmcb02() to avoid this problem. With that, KVM_SET_NESTED_STATE restores the correct interrupt shadow state, and if KVM_SET_VCPU_EVENTS follows it would overwrite it with the same value.

AnalysisAI

Interrupt shadow state desynchronization in the Linux kernel KVM nSVM subsystem can hang L2 nested virtual machines on AMD-V hosts when VM state is restored in a specific ioctl ordering. Systems using KVM nested virtualization (kvm_amd with nested=1) are affected when a live migration or checkpoint-restore operation calls KVM_SET_VCPU_EVENTS before KVM_SET_NESTED_STATE, causing the interrupt shadow to be written into vmcb01 (L1 context) instead of vmcb02 (L2 context). No public exploit has been identified and EPSS is 0.02% (5th percentile), placing this squarely as a correctness and operational availability issue for nested virtualization deployments rather than a broadly exploitable security threat.

Technical ContextAI

This flaw resides in the KVM nSVM (Nested Secure Virtual Machine) layer of the Linux kernel, which implements AMD-V nested virtualization. In this architecture, vmcb01 is the VMCB for L1 (the hypervisor guest), vmcb02 is the hardware VMCB used when running L2 (a guest-of-a-guest), and vmcb12 is the kernel's cached copy of L2's control area as presented by L1. The function nested_sync_control_from_vmcb02() is responsible for syncing CPU-written fields from vmcb02 back to vmcb12 after L2 exits - vmcb12 is the authoritative copy used for state save/restore via KVM_GET/SET_NESTED_STATE. The interrupt shadow (bit 0 of int_state, SVM_INTERRUPT_SHADOW_MASK) inhibits interrupt delivery for one instruction following MOV-to-SS or POP-SS, a CPU-enforced protection. Because this bit is not synced to vmcb12, the KVM_SET_NESTED_STATE ioctl lacks the correct interrupt shadow value, and a subsequent KVM_SET_VCPU_EVENTS call (which overwrites int_state) will only produce correct results if it executes after KVM_SET_NESTED_STATE. CWE is unassigned by NVD; the root cause is a state synchronization omission most analogous to CWE-664 (improper control of a resource through its lifetime). Affected CPE: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*, introduced at commit cc440cdad5b7a4c1de12dace725209eb3e0cf663 (Linux 5.8).

RemediationAI

The primary fix is to upgrade to a patched kernel release: 6.6.140, 6.12.86, 6.18.27, 7.0.4, or 7.1-rc1 (or any later release in those series). Fix commits are upstream at https://git.kernel.org/stable/c/03bee264f8ebfd39e0254c98e112d033a7aa9055 (and backports listed in references). For systems that cannot be patched immediately, two compensating controls are available. First, ensure VM state restore tooling always issues KVM_SET_NESTED_STATE before KVM_SET_VCPU_EVENTS - this is the documented correct ordering and eliminates the triggering condition with no functional trade-off. Second, disabling nested virtualization entirely by removing the nested=1 parameter from the kvm_amd module (rmmod kvm_amd followed by modprobe kvm_amd nested=0) eliminates the attack surface at the cost of all nested VM functionality. No confidentiality or integrity risk exists; urgency is proportional to the operator's reliance on nested virtualization live migration or checkpoint-restore workflows.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected

Share

CVE-2026-45987 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy