Skip to main content

Linux EUVDEUVD-2026-17830

| CVE-2026-23402 MEDIUM
2026-04-01 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-r3ww-97x6-6h4v
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
5.2 MEDIUM
qualitative
Red Hat
5.5 LOW
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
CVSS changed
Apr 24, 2026 - 15:22 NVD
5.5 (MEDIUM)
Patch released
Apr 01, 2026 - 14:30 nvd
Patch available
EUVD ID Assigned
Apr 01, 2026 - 09:22 euvd
EUVD-2026-17830
Analysis Generated
Apr 01, 2026 - 09:22 vuln.today
CVE Published
Apr 01, 2026 - 09:16 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

KVM: x86/mmu: Only WARN in direct MMUs when overwriting shadow-present SPTE

Adjust KVM's sanity check against overwriting a shadow-present SPTE with a another SPTE with a different target PFN to only apply to direct MMUs, i.e. only to MMUs without shadowed gPTEs. While it's impossible for KVM to overwrite a shadow-present SPTE in response to a guest write, writes from outside the scope of KVM, e.g. from host userspace, aren't detected by KVM's write tracking and so can break KVM's shadow paging rules.

------------[ cut here ]------------ pfn != spte_to_pfn(*sptep) WARNING: arch/x86/kvm/mmu/mmu.c:3069 at mmu_set_spte+0x1e4/0x440 [kvm], CPU#0: vmx_ept_stale_r/872 Modules linked in: kvm_intel kvm irqbypass CPU: 0 UID: 1000 PID: 872 Comm: vmx_ept_stale_r Not tainted 7.0.0-rc2-eafebd2d2ab0-sink-vm #319 PREEMPT Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 RIP: 0010:mmu_set_spte+0x1e4/0x440 [kvm] Call Trace: <TASK> ept_page_fault+0x535/0x7f0 [kvm] kvm_mmu_do_page_fault+0xee/0x1f0 [kvm] kvm_mmu_page_fault+0x8d/0x620 [kvm] vmx_handle_exit+0x18c/0x5a0 [kvm_intel] kvm_arch_vcpu_ioctl_run+0xc55/0x1c20 [kvm] kvm_vcpu_ioctl+0x2d5/0x980 [kvm] __x64_sys_ioctl+0x8a/0xd0 do_syscall_64+0xb5/0x730 entry_SYSCALL_64_after_hwframe+0x4b/0x53 </TASK> ---[ end trace 0000000000000000 ]---

AnalysisAI

Linux kernel KVM x86/mmu module improperly validates shadow page table entries (SPTEs) in indirect MMUs, allowing host userspace writes to bypass KVM's write-tracking detection and corrupt shadow paging state. The vulnerability affects KVM implementations on x86 systems with nested or indirect MMU configurations where writes originating outside KVM's scope (e.g., from host userspace via memory access) are not detected, potentially leading to memory corruption or VM escape. No CVSS score, EPSS data, or KEV status is available; this appears to be an internal kernel consistency issue addressed via upstream patch rather than a directly exploitable security boundary.

Technical ContextAI

The vulnerability exists in the Linux kernel's KVM (Kernel-based Virtual Machine) x86/mmu subsystem, specifically in the mmu_set_spte() function at arch/x86/kvm/mmu/mmu.c:3069. KVM maintains shadow page tables that mirror guest page tables; each shadow page table entry (SPTE) maps to a host physical frame number (PFN). The code enforces a sanity check that prevents overwriting an existing shadow-present SPTE with a new SPTE pointing to a different PFN. However, this check was applied to both direct MMUs (which have no shadowed guest page table entries and are used in nested virtualization or EPT scenarios) and indirect MMUs. The root cause is that KVM's write-tracking mechanism only detects guest-initiated writes; writes from external sources like host userspace are untracked. In indirect MMU configurations, such untracked external writes can violate KVM's shadow paging invariants, causing the SPTE overwrite check to trigger incorrectly. The fix restricts the warning to direct MMUs only, where such external writes cannot occur.

RemediationAI

Apply the upstream kernel patch from commit df83746075778958954aa0460cca55f4b3fc9c02 (https://git.kernel.org/stable/c/df83746075778958954aa0460cca55f4b3fc9c02) to restrict the SPTE overwrite sanity check to direct MMUs only. For end users, update to a kernel version that includes this commit. Distribution maintainers should backport the fix to supported kernel series. No workaround is available for unpatched kernels; systems using nested virtualization or indirect MMU configurations with shared memory access between host and guest should prioritize patching to eliminate spurious kernel warnings and prevent potential undefined behavior. The fix is minimal and low-risk, modifying only the condition for the warning trigger.

Vendor StatusVendor

Debian

linux
Release Status Fixed Version Urgency
bullseye not-affected - -
bullseye (security) fixed 5.10.251-1 -
bookworm not-affected - -
bookworm (security) fixed 6.1.164-1 -
trixie not-affected - -
trixie (security) fixed 6.12.74-2 -
forky vulnerable 6.19.8-1 -
sid vulnerable 6.19.10-1 -
(unstable) fixed (unfixed) -

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-17830 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy