Severity by source
AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Local guest access (AV:L) with privilege to run a VM (PR:L); a memslot race raises complexity to AC:H; host impact across the VM boundary gives S:C with high CIA from potential UAF.
Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).
CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
In the Linux kernel, the following vulnerability has been resolved:
KVM: arm64: Take the SRCU lock for page table walks in fault injection and AT emulation
walk_s1() and kvm_walk_nested_s2() expect to be called while holding kvm->srcu to guard against memslot changes. While this is generally the case, __kvm_at_s12() and __kvm_find_s1_desc_level() call into the respective walkers without taking kvm->srcu.
Fix by acquiring kvm->srcu prior to the table walk in both instances.
AnalysisAI
Local privilege escalation / host compromise risk in the Linux kernel arm64 KVM subsystem arises because __kvm_at_s12() (AT instruction emulation) and __kvm_find_s1_desc_level() invoke the stage-1/nested stage-2 page-table walkers walk_s1() and kvm_walk_nested_s2() without holding kvm->srcu, which those walkers require to guard against concurrent memslot changes. A malicious or compromised guest on an affected arm64 host can race memslot updates against these walks, with CVSS scoring confidentiality, integrity and availability all High under a changed scope (host impact). …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires local execution as a KVM guest on an arm64 host whose kernel exercises the unlocked paths - specifically AT-instruction emulation via __kvm_at_s12() or the nested stage-2 walker kvm_walk_nested_s2() (i.e., nested virtualization enabled). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are mixed and lean toward lower real-world urgency than the 8.8 base score suggests. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who controls a guest VM (or a nested guest) on a vulnerable arm64 KVM host triggers AT-instruction emulation or a nested stage-2 walk while simultaneously forcing rapid memslot reconfiguration, racing the unlocked page-table walk against the memslot change. Winning the race corrupts or dereferences freed host memory, most plausibly crashing the host or, in a best case for the attacker, manipulating host memory state. … |
| Remediation | Apply the stable-kernel update that contains the SRCU fix: upgrade to a patched build such as 6.18.36, 7.0.13, or 7.1 for the corresponding series (Vendor-released patch confirmed; pull the exact stable tag matching your tree). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Audit production arm64 Linux systems running KVM; prioritize inventory of hosts with untrusted or multi-tenant guest workloads. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-820 – Missing Synchronization
View allSame technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39228
GHSA-fgxj-vfg7-cpqq