Skip to main content

Linux EUVDEUVD-2026-17828

| CVE-2026-23401 MEDIUM
Use After Free (CWE-416)
2026-04-01 416baaa9-dc9f-4396-8d5f-8c081fb06d67
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
8.1 HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
CVSS changed
Apr 24, 2026 - 15:22 NVD
5.5 (MEDIUM)
Patch released
Apr 01, 2026 - 14:30 nvd
Patch available
EUVD ID Assigned
Apr 01, 2026 - 09:22 euvd
EUVD-2026-17828
Analysis Generated
Apr 01, 2026 - 09:22 vuln.today
CVE Published
Apr 01, 2026 - 09:16 nvd
N/A

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

KVM: x86/mmu: Drop/zap existing present SPTE even when creating an MMIO SPTE

When installing an emulated MMIO SPTE, do so *after* dropping/zapping the existing SPTE (if it's shadow-present). While commit a54aa15c6bda3 was right about it being impossible to convert a shadow-present SPTE to an MMIO SPTE due to a _guest_ write, it failed to account for writes to guest memory that are outside the scope of KVM.

E.g. if host userspace modifies a shadowed gPTE to switch from a memslot to emulted MMIO and then the guest hits a relevant page fault, KVM will install the MMIO SPTE without first zapping the shadow-present SPTE.

------------[ cut here ]------------ is_shadow_present_pte(*sptep) WARNING: arch/x86/kvm/mmu/mmu.c:484 at mark_mmio_spte+0xb2/0xc0 [kvm], CPU#0: vmx_ept_stale_r/4292 Modules linked in: kvm_intel kvm irqbypass CPU: 0 UID: 1000 PID: 4292 Comm: vmx_ept_stale_r Not tainted 7.0.0-rc2-eafebd2d2ab0-sink-vm #319 PREEMPT Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 RIP: 0010:mark_mmio_spte+0xb2/0xc0 [kvm] Call Trace: <TASK> mmu_set_spte+0x237/0x440 [kvm] ept_page_fault+0x535/0x7f0 [kvm] kvm_mmu_do_page_fault+0xee/0x1f0 [kvm] kvm_mmu_page_fault+0x8d/0x620 [kvm] vmx_handle_exit+0x18c/0x5a0 [kvm_intel] kvm_arch_vcpu_ioctl_run+0xc55/0x1c20 [kvm] kvm_vcpu_ioctl+0x2d5/0x980 [kvm] __x64_sys_ioctl+0x8a/0xd0 do_syscall_64+0xb5/0x730 entry_SYSCALL_64_after_hwframe+0x4b/0x53 RIP: 0033:0x47fa3f </TASK> ---[ end trace 0000000000000000 ]---

AnalysisAI

Linux kernel KVM x86/MMU incorrectly installs emulated MMIO shadow page table entries (SPTEs) without first zapping existing shadow-present SPTEs when host userspace modifies guest page tables outside KVM's scope, causing kernel warnings and potential memory consistency issues. The vulnerability affects KVM on x86 systems running vulnerable kernel versions and can be triggered by a local attacker with ability to manipulate guest memory or run guest VMs, though the practical impact beyond kernel instability remains limited.

Technical ContextAI

The vulnerability exists in the KVM (Kernel-based Virtual Machine) hypervisor's memory management unit (MMU) implementation for x86 architecture, specifically in the shadow page table (SPT) mechanism. SPTEs are used to track translations between guest physical addresses and host physical addresses. When KVM needs to handle emulated memory-mapped I/O (MMIO), it installs special MMIO SPTEs. The bug occurs in the mark_mmio_spte() function (arch/x86/kvm/mmu/mmu.c) which is called during page fault handling in ept_page_fault(). The root cause is that the code assumes shadow-present SPTEs cannot be converted to MMIO SPTEs through guest writes, but fails to account for external modifications to guest page tables by host userspace (e.g., QEMU modifying guest memory directly). This violates the invariant that an existing shadow-present SPTE must be zapped before installing a new MMIO SPTE, causing the kernel to hit a BUG_ON() or WARN_ON() assertion in mark_mmio_spte().

RemediationAI

Apply the kernel patch commit aad885e774966e97b675dfe928da164214a71605 which modifies the mmu_set_spte() function to zap/drop existing shadow-present SPTEs before installing MMIO SPTEs. This fix should be included in kernel versions 7.1.0 or later, as well as stable kernel releases that have backported the fix (check kernel.org stable releases or your distribution's security advisory). Distributions should update to a patched kernel version for their supported series. In the interim, limiting the scope of guest VMs and restricting untrusted workloads on systems running vulnerable KVM versions reduces exposure. For production environments, prioritize updates to kernel versions that include commit aad885e774966e97b675dfe928da164214a71605. Verify patch application by checking kernel source or release notes against the stable commit referenced at https://git.kernel.org/stable/c/aad885e774966e97b675dfe928da164214a71605.

Vendor StatusVendor

Debian

linux
Release Status Fixed Version Urgency
bullseye not-affected - -
bullseye (security) fixed 5.10.251-1 -
bookworm vulnerable 6.1.159-1 -
bookworm (security) vulnerable 6.1.164-1 -
trixie vulnerable 6.12.73-1 -
trixie (security) vulnerable 6.12.74-2 -
forky vulnerable 6.19.8-1 -
sid vulnerable 6.19.10-1 -
(unstable) fixed (unfixed) -

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-17828 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy