Skip to main content

Linux Kernel CVE-2026-53277

| EUVDEUVD-2026-39228 HIGH
Missing Synchronization (CWE-820)
2026-06-25 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-fgxj-vfg7-cpqq
8.8
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
8.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
7.8 HIGH

Local guest access (AV:L) with privilege to run a VM (PR:L); a memslot race raises complexity to AC:H; host impact across the VM boundary gives S:C with high CIA from potential UAF.

3.1 AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
4.0 AV:L/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 28, 2026 - 09:52 vuln.today
CVSS changed
Jun 28, 2026 - 08:22 NVD
8.8 (HIGH)
Patch available
Jun 25, 2026 - 10:32 EUVD
CVE Published
Jun 25, 2026 - 09:16 cve.org
HIGH 8.8
CVE Published
Jun 25, 2026 - 09:16 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

KVM: arm64: Take the SRCU lock for page table walks in fault injection and AT emulation

walk_s1() and kvm_walk_nested_s2() expect to be called while holding kvm->srcu to guard against memslot changes. While this is generally the case, __kvm_at_s12() and __kvm_find_s1_desc_level() call into the respective walkers without taking kvm->srcu.

Fix by acquiring kvm->srcu prior to the table walk in both instances.

AnalysisAI

Local privilege escalation / host compromise risk in the Linux kernel arm64 KVM subsystem arises because __kvm_at_s12() (AT instruction emulation) and __kvm_find_s1_desc_level() invoke the stage-1/nested stage-2 page-table walkers walk_s1() and kvm_walk_nested_s2() without holding kvm->srcu, which those walkers require to guard against concurrent memslot changes. A malicious or compromised guest on an affected arm64 host can race memslot updates against these walks, with CVSS scoring confidentiality, integrity and availability all High under a changed scope (host impact). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Run malicious guest on arm64 KVM host
Delivery
Invoke AT emulation or nested stage-2 walk
Exploit
Concurrently force memslot reconfiguration
Execution
Win race against unlocked SRCU walk
Persist
Trigger host use-after-free / corruption
Impact
Crash host or influence host memory

Vulnerability AssessmentAI

Exploitation Exploitation requires local execution as a KVM guest on an arm64 host whose kernel exercises the unlocked paths - specifically AT-instruction emulation via __kvm_at_s12() or the nested stage-2 walker kvm_walk_nested_s2() (i.e., nested virtualization enabled). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are mixed and lean toward lower real-world urgency than the 8.8 base score suggests. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who controls a guest VM (or a nested guest) on a vulnerable arm64 KVM host triggers AT-instruction emulation or a nested stage-2 walk while simultaneously forcing rapid memslot reconfiguration, racing the unlocked page-table walk against the memslot change. Winning the race corrupts or dereferences freed host memory, most plausibly crashing the host or, in a best case for the attacker, manipulating host memory state. …
Remediation Apply the stable-kernel update that contains the SRCU fix: upgrade to a patched build such as 6.18.36, 7.0.13, or 7.1 for the corresponding series (Vendor-released patch confirmed; pull the exact stable tag matching your tree). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Audit production arm64 Linux systems running KVM; prioritize inventory of hosts with untrusted or multi-tenant guest workloads. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-53277 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy