Skip to main content

Linux Kernel CVE-2026-46071

| EUVDEUVD-2026-32453 MEDIUM
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-h9fc-vq2v-qf62
Medium
Disputed · 5.5 NVD
Share

Severity by source

Sources disagree (Low–High)
NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.5 MEDIUM

Local access inside nested guest required (AV:L, PR:L); no confidentiality or integrity impact confirmed; crash impact is high availability loss.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
8.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Red Hat
5.5 LOW
qualitative

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 24, 2026 - 17:08 vuln.today
CVSS changed
Jun 24, 2026 - 17:07 NVD
5.5 (MEDIUM)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
MEDIUM 5.5
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

KVM: nSVM: Avoid clearing VMCB_LBR in vmcb12

svm_copy_lbrs() always marks VMCB_LBR dirty in the destination VMCB. However, nested_svm_vmexit() uses it to copy LBRs to vmcb12, and clearing clean bits in vmcb12 is not architecturally defined.

Move vmcb_mark_dirty() to callers and drop it for vmcb12.

This also facilitates incoming refactoring that does not pass the entire VMCB to svm_copy_lbrs().

AnalysisAI

KVM nested SVM (AMD virtualization) in the Linux kernel incorrectly marks VMCB_LBR dirty in the guest's vmcb12 during nested VM exit processing, triggering architecturally undefined behavior that results in hypervisor availability loss. Affected are Linux kernels from 5.19 through versions preceding the stable-branch patches at 6.18.27 and 7.0.4. A low-privileged local attacker operating within a nested virtual machine on an AMD SVM-capable host can exploit this to crash or destabilize the host KVM layer. No public exploit and no CISA KEV listing exist; EPSS sits at 0.02% (4th percentile), confirming negligible opportunistic exploitation probability.

Technical ContextAI

The vulnerability resides in the KVM nested-SVM subsystem (AMD hardware virtualization), specifically in the interaction between svm_copy_lbrs() and nested_svm_vmexit() within arch/x86/kvm/svm/. The VMCB (Virtual Machine Control Block) is AMD's per-VM state structure; vmcb12 is the L1 hypervisor's software representation of the L2 guest VMCB. LBR (Last Branch Record) state is CPU branch-tracing data managed via VMCB_LBR clean/dirty tracking bits. svm_copy_lbrs() unconditionally invokes vmcb_mark_dirty(VMCB_LBR) on its destination argument. When nested_svm_vmexit() passes vmcb12 as the destination, this incorrectly clears clean bits in a structure where doing so carries no architecturally defined meaning per the AMD SVM specification, potentially corrupting KVM's internal state machine for the nested guest. The CPE identifier is cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* with the regression introduced at commit d20c796ca3709801f8a7fa36e8770a3dd8ebd34e (Linux 5.19). The absence of a formal CWE assignment suggests the issue was classified as an implementation logic error rather than a canonical weakness class.

RemediationAI

Upgrade to the patched kernel versions: Linux 6.18.27, Linux 7.0.4, or Linux 7.1-rc1 or later. The specific upstream fix commits are 9efe23568806d1cd06f7d146f9b3037b8d585a9f (mainline), a3f0981a5a0e0bd51ad74cc7d9eed32294b24002 (6.18.x stable), and b53ab5167a81537777ac780bbd93d32613aa3bda (7.0.x stable), available via https://git.kernel.org/stable/. Downstream distributions (RHEL, Ubuntu, SUSE, Debian) should be monitored for their respective stable kernel updates incorporating these commits. As a compensating control where patching is not immediately possible, disabling nested virtualization on the host eliminates the attack surface entirely: set 'options kvm_amd nested=0' in /etc/modprobe.d/ and reload the kvm_amd module. This disables L2 guest support and prevents vmcb12 from being exercised; the trade-off is loss of nested VM functionality such as running hypervisors inside VMs.

Vendor StatusVendor

SUSE

Severity: Important
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected

Share

CVE-2026-46071 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy