Skip to main content

Linux Kernel KVM CVE-2026-46032

| EUVDEUVD-2026-32413 MEDIUM
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-rgj9-vx7j-x86j
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.5 MEDIUM

Local-only exploitation requiring nested VM control (PR:L, AV:L); impact is host crash only, no confidentiality or integrity components (C:N/I:N/A:H).

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative
Red Hat
7.0 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 16, 2026 - 19:46 vuln.today
CVSS changed
Jun 16, 2026 - 17:37 NVD
5.5 (MEDIUM)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
MEDIUM 5.5
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

KVM: nSVM: Triple fault if restore host CR3 fails on nested #VMEXIT

If loading L1's CR3 fails on a nested #VMEXIT, nested_svm_vmexit() returns an error code that is ignored by most callers, and continues to run L1 with corrupted state. A sane recovery is not possible in this case, and HW behavior is to cause a shutdown. Inject a triple fault instead, and do not return early from nested_svm_vmexit(). Continue cleaning up the vCPU state (e.g. clear pending exceptions), to handle the failure as gracefully as possible.

From the APM:

Upon #VMEXIT, the processor performs the following actions in order to return to the host execution context:

...

if (illegal host state loaded, or exception while loading host state) shutdown else execute first host instruction following the VMRUN

Remove the return value of nested_svm_vmexit(), which is mostly unchecked anyway.

AnalysisAI

Nested SVM virtualization in the Linux kernel KVM subsystem can leave the host hypervisor (L1) running with corrupted page-table state when CR3 restoration fails during a nested #VMEXIT. The root function nested_svm_vmexit() returns an error code that most callers silently ignore, meaning the host continues executing against corrupt address-space mappings rather than triggering the shutdown behavior mandated by the AMD Architecture Programmer's Manual. The fix injects a triple fault - mirroring real hardware behavior - and continues cleanup to avoid leaving vCPU state partially torn down. No public exploit exists and EPSS is 0.02%, but the availability impact is high for any host running nested AMD virtualization.

Technical ContextAI

The affected subsystem is Linux KVM's nested SVM implementation (nSVM), which enables a guest hypervisor (L1) to host its own guests (L2) using AMD-V hardware extensions. During a nested #VMEXIT - the transition that returns control from an L2 guest back to L1 - the processor must restore the host's CR3 register, which holds the physical base address of the page-directory hierarchy and is critical for correct virtual-to-physical address translation. If this load fails (e.g., due to an illegal or inaccessible host-state area), the AMD APM mandates a processor shutdown. The kernel code at nested_svm_vmexit() returned an error code for this condition, but most of its callers in the nSVM path discarded the return value, so execution continued with a corrupted L1 address space. The CWE field is listed as N/A, but this maps most closely to CWE-252 (Unchecked Return Value) compounded by CWE-755 (Improper Handling of Exceptional Conditions). The 'Code Injection' tag from the intelligence source appears misapplied - the CVSS impact metrics (C:N/I:N/A:H) confirm this is an availability-only issue with no integrity or confidentiality components. Affected product: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* starting from the introduction of nested SVM support through the relevant stable branches prior to the fix commits.

RemediationAI

Upgrade to Linux kernel 7.0.4 (stable) or 7.1-rc1 or later, which include fix commits 5d291ef0585ed880ed4dd71ea1a5965e0a65fb53 and 9a738cf170a4a2332ea3a15e23ec65b5757fe4a1 available at https://git.kernel.org/stable/c/5d291ef0585ed880ed4dd71ea1a5965e0a65fb53 and https://git.kernel.org/stable/c/9a738cf170a4a2332ea3a15e23ec65b5757fe4a1. For systems that cannot be immediately patched, the most effective compensating control is disabling nested virtualization entirely by ensuring the 'nested' module parameter for kvm_amd is set to 0 (e.g., options kvm_amd nested=0 in /etc/modprobe.d/); this eliminates the vulnerable code path entirely but prevents any L1 guest from running its own hypervisor, impacting workloads that rely on nested VMs such as VM-in-VM dev/test environments or nested cloud instances. Restarting the kvm_amd module or rebooting is required for the parameter change to take effect. No vendor advisory URL beyond the upstream stable kernel commits is confirmed at this time.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected

Share

CVE-2026-46032 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy