Severity by source
AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Local guest privilege (PR:L) on an arm64 KVM host; exploitation needs nested-virt plus a CPU lacking FEAT_XNX, raising AC:H; hypervisor permission bypass crosses isolation (S:C) with high impact.
Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).
CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
In the Linux kernel, the following vulnerability has been resolved:
KVM: arm64: nv: Fix handling of XN[0] when !FEAT_XNX
XN has already been extracted from its bitfield position so using FIELD_PREP() on the mask that clears XN[0] is completely broken, having the effect of unconditionally granting execute permissions...
Fix the obvious mistake by manipulating the right bit.
AnalysisAI
Execute-permission bypass in the Linux kernel's KVM arm64 nested-virtualization (NV) code allows a nested guest to receive unintended execute permissions on stage-2 mappings when the host CPU lacks FEAT_XNX. The root cause is a misuse of FIELD_PREP() on the XN[0] mask after XN had already been shifted out of its bitfield position, which unconditionally grants execute rights instead of conditionally clearing them. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires an arm64 host running KVM with nested virtualization (NV) enabled AND a guest under attacker control that drives the nested stage-2 permission setup, AND the host CPU must NOT implement FEAT_XNX - the buggy XN[0]-clearing path is only reached in that !FEAT_XNX case. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are mixed and skew lower than the headline CVSS. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A tenant who controls a guest VM on a vulnerable arm64 KVM host configures or runs a nested guest, causing KVM to build stage-2 permissions through the broken !FEAT_XNX path. Because the XN[0] clear is skipped, pages that should be non-executable are mapped executable, letting the attacker execute memory the host intended to deny and potentially leverage that to subvert isolation. … |
| Remediation | Vendor-released patch: Linux 7.0.13 and 7.1 - upgrade affected arm64 KVM hosts to one of these (or later) stable kernels, the primary and recommended fix. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all systems running KVM with nested virtualization enabled on arm64 processors. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39291
GHSA-9vgc-pr94-c63x