Skip to main content

Linux Kernel KVM CVE-2026-46014

| EUVDEUVD-2026-32395 MEDIUM
Improper Locking (CWE-667)
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-866w-999j-pr8g
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.5 MEDIUM

Local attack vector and low privilege reflect required hypervisor access; no confirmed confidentiality or integrity impact - availability only from broken MSR restore.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative
Red Hat
5.5 LOW
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 16, 2026 - 15:58 vuln.today
CVSS changed
Jun 16, 2026 - 15:37 NVD
5.5 (MEDIUM)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
MEDIUM 5.5
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

KVM: SVM: Add missing save/restore handling of LBR MSRs

MSR_IA32_DEBUGCTLMSR and LBR MSRs are currently not enumerated by KVM_GET_MSR_INDEX_LIST, and LBR MSRs cannot be set with KVM_SET_MSRS. So save/restore is completely broken.

Fix it by adding the MSRs to msrs_to_save_base, and allowing writes to LBR MSRs from userspace only (as they are read-only MSRs) if LBR virtualization is enabled. Additionally, to correctly restore L1's LBRs while L2 is running, make sure the LBRs are copied from the captured VMCB01 save area in svm_copy_vmrun_state().

Note, for VMX, this also fixes a flaw where MSR_IA32_DEBUGCTLMSR isn't reported as an MSR to save/restore.

Note #2, over-reporting MSR_IA32_LASTxxx on Intel is ok, as KVM already handles unsupported reads and writes thanks to commit b5e2fec0ebc3 ("KVM: Ignore DEBUGCTL MSRs with no effect") (kvm_do_msr_access() will morph the unsupported userspace write into a nop).

[sean: guard with lbrv checks, massage changelog]

AnalysisAI

Broken LBR MSR save/restore in the Linux kernel KVM/SVM subsystem allows a low-privileged local attacker to cause high-impact availability failures in virtualized environments running on AMD SVM hardware. MSR_IA32_DEBUGCTLMSR and Last Branch Record (LBR) MSRs are not enumerated by KVM_GET_MSR_INDEX_LIST and cannot be set via KVM_SET_MSRS, meaning VM state is not correctly preserved across save/restore or live migration cycles, particularly when L2 guests are running. No public exploit has been identified at time of analysis, and EPSS of 0.02% indicates very low exploitation probability, but the flaw affects a foundational hypervisor state management path on production AMD virtualization infrastructure.

Technical ContextAI

The vulnerable component is KVM's AMD SVM (Secure Virtual Machine) backend in the Linux kernel, identified by CPE cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*. LBR (Last Branch Record) MSRs are hardware performance monitoring registers that track recent control-flow transfers; when LBR virtualization (LBRV) is enabled in SVM, the hypervisor is responsible for saving and restoring these MSRs on context switches and VM entry/exit. The root cause class is CWE-667 (Improper Locking / resource management), reflecting failure to properly account for LBR MSR state in the VMCB01 save area during nested virtualization (L1/L2 transitions). Because KVM_GET_MSR_INDEX_LIST omits these MSRs, VMM userspace (e.g., QEMU) cannot correctly snapshot or restore LBR state, making live migration and VM snapshot semantics incorrect. A secondary impact also affects the VMX (Intel) path, where MSR_IA32_DEBUGCTLMSR is similarly not reported for save/restore, though the commit notes that over-reporting MSR_IA32_LASTxxx on Intel is benign due to prior commit b5e2fec0ebc3.

RemediationAI

Upgrade to a patched Linux kernel version: 6.18.27, 7.0.4, or 7.1-rc1, which incorporate fix commits 13a89ada5dcfc2539514c83ba5a2c61157f1ec6c, 2b922a42b531a82d7881add14a7698dcdc5e1f0a, and 3700f0788da6acf73b2df56690f4b201aa4aefd2 respectively (see https://git.kernel.org/stable/c/13a89ada5dcfc2539514c83ba5a2c61157f1ec6c, https://git.kernel.org/stable/c/2b922a42b531a82d7881add14a7698dcdc5e1f0a, https://git.kernel.org/stable/c/3700f0788da6acf73b2df56690f4b201aa4aefd2). If patching immediately is not feasible, a targeted workaround is to disable LBR virtualization (LBRV) in the KVM SVM module, which prevents the broken MSR paths from being exercised and eliminates the availability risk from LBR state corruption - the trade-off is loss of guest LBR profiling capability. Live migration of AMD SVM guests with LBRV enabled should be suspended on unpatched hosts, as this is the most likely trigger for state-corruption availability impact. No compensating control exists for the MSR_IA32_DEBUGCTLMSR reporting gap on VMX beyond patching.

More in Intel

View all
CVE-2017-5689 CRITICAL POC
9.8 May 02

An unprivileged network attacker could gain system privileges to provisioned Intel manageability SKUs: Intel Active Mana

CVE-2012-5958 CRITICAL POC
10.0 Jan 31

Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable

CVE-2012-0217 HIGH POC
7.2 Jun 12

The x86-64 kernel system-call functionality in Xen 4.1.2 and earlier, as used in Citrix XenServer 6.0.2 and earlier and

CVE-2012-5959 CRITICAL POC
10.0 Jan 31

Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable

CVE-2012-5964 CRITICAL POC
10.0 Jan 31

Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable

CVE-2012-5963 CRITICAL POC
10.0 Jan 31

Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable

CVE-2012-5961 CRITICAL POC
10.0 Jan 31

Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable

CVE-2012-5965 CRITICAL POC
10.0 Jan 31

Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable

CVE-2012-5962 CRITICAL POC
10.0 Jan 31

Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable

CVE-2012-5960 CRITICAL POC
10.0 Jan 31

Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable

CVE-2015-2291 HIGH POC
7.8 Aug 09

Local privilege escalation to SYSTEM in Intel Ethernet diagnostics driver (IQVW32.sys/IQVW64.sys versions before 1.3.1.0

CVE-2024-44308 HIGH
8.8 Nov 20

Arbitrary code execution in Apple Safari, iOS/iPadOS, macOS Sequoia, and visionOS occurs when processing maliciously cra

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected

Share

CVE-2026-46014 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy