Skip to main content

Linux Kernel CVE-2026-53200

| EUVDEUVD-2026-39291 HIGH
2026-06-25 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-9vgc-pr94-c63x
8.8
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
8.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
7.8 HIGH

Local guest privilege (PR:L) on an arm64 KVM host; exploitation needs nested-virt plus a CPU lacking FEAT_XNX, raising AC:H; hypervisor permission bypass crosses isolation (S:C) with high impact.

3.1 AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 28, 2026 - 09:31 vuln.today
CVSS changed
Jun 28, 2026 - 08:22 NVD
8.8 (HIGH)
Patch available
Jun 25, 2026 - 10:32 EUVD
CVE Published
Jun 25, 2026 - 09:16 cve.org
UNKNOWN (no severity yet)
CVE Published
Jun 25, 2026 - 09:16 cve.org
HIGH 8.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

KVM: arm64: nv: Fix handling of XN[0] when !FEAT_XNX

XN has already been extracted from its bitfield position so using FIELD_PREP() on the mask that clears XN[0] is completely broken, having the effect of unconditionally granting execute permissions...

Fix the obvious mistake by manipulating the right bit.

AnalysisAI

Execute-permission bypass in the Linux kernel's KVM arm64 nested-virtualization (NV) code allows a nested guest to receive unintended execute permissions on stage-2 mappings when the host CPU lacks FEAT_XNX. The root cause is a misuse of FIELD_PREP() on the XN[0] mask after XN had already been shifted out of its bitfield position, which unconditionally grants execute rights instead of conditionally clearing them. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Run as guest on arm64 KVM host
Delivery
Enable/drive nested guest stage-2 mapping
Exploit
Hit broken XN[0] path on !FEAT_XNX CPU
Execution
Receive unintended execute permission
Impact
Execute non-executable memory to subvert isolation

Vulnerability AssessmentAI

Exploitation Requires an arm64 host running KVM with nested virtualization (NV) enabled AND a guest under attacker control that drives the nested stage-2 permission setup, AND the host CPU must NOT implement FEAT_XNX - the buggy XN[0]-clearing path is only reached in that !FEAT_XNX case. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are mixed and skew lower than the headline CVSS. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A tenant who controls a guest VM on a vulnerable arm64 KVM host configures or runs a nested guest, causing KVM to build stage-2 permissions through the broken !FEAT_XNX path. Because the XN[0] clear is skipped, pages that should be non-executable are mapped executable, letting the attacker execute memory the host intended to deny and potentially leverage that to subvert isolation. …
Remediation Vendor-released patch: Linux 7.0.13 and 7.1 - upgrade affected arm64 KVM hosts to one of these (or later) stable kernels, the primary and recommended fix. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all systems running KVM with nested virtualization enabled on arm64 processors. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-53200 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy