Skip to main content

Linux Kernel KVM EUVDEUVD-2026-30019

| CVE-2026-43483 MEDIUM
2026-05-13 Linux GHSA-8rg3-3364-c6fh
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.5 MEDIUM

Local hypervisor management access (AV:L, PR:L) triggers Windows guest crash via AVIC state mismatch; no confidentiality or integrity impact, scope unchanged.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative
Red Hat
5.5 LOW
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 26, 2026 - 22:33 vuln.today
CVSS changed
Jun 26, 2026 - 20:22 NVD
5.5 (MEDIUM)
Patch available
May 13, 2026 - 16:33 EUVD
CVE Published
May 13, 2026 - 15:08 nvd
MEDIUM 5.5
CVE Published
May 13, 2026 - 15:08 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

KVM: SVM: Set/clear CR8 write interception when AVIC is (de)activated

Explicitly set/clear CR8 write interception when AVIC is (de)activated to fix a bug where KVM leaves the interception enabled after AVIC is activated. E.g. if KVM emulates INIT=>WFS while AVIC is deactivated, CR8 will remain intercepted in perpetuity.

On its own, the dangling CR8 intercept is "just" a performance issue, but combined with the TPR sync bug fixed by commit d02e48830e3f ("KVM: SVM: Sync TPR from LAPIC into VMCB::V_TPR even if AVIC is active"), the danging intercept is fatal to Windows guests as the TPR seen by hardware gets wildly out of sync with reality.

Note, VMX isn't affected by the bug as TPR_THRESHOLD is explicitly ignored when Virtual Interrupt Delivery is enabled, i.e. when APICv is active in KVM's world. I.e. there's no need to trigger update_cr8_intercept(), this is firmly an SVM implementation flaw/detail.

WARN if KVM gets a CR8 write #VMEXIT while AVIC is active, as KVM should never enter the guest with AVIC enabled and CR8 writes intercepted.

[Squash fix to avic_deactivate_vmcb. - Paolo]

AnalysisAI

CR8 write interception mismanagement in KVM's AMD SVM implementation crashes Windows guests on AMD hypervisors with AVIC enabled. When KVM emulates INIT→WFS sequences while AVIC is temporarily deactivated, the CR8 write intercept flag is not cleared upon AVIC reactivation, leaving it permanently enabled. In isolation this is a performance regression, but combined with the TPR synchronization flaw addressed by commit d02e48830e3f, the divergence between hardware-visible and guest-visible TPR values becomes fatal to Windows guests. No public exploit identified at time of analysis; EPSS is 0.02% (7th percentile) and no CISA KEV listing exists.

Technical ContextAI

This affects the Linux kernel's KVM subsystem on AMD processors utilizing SVM (Secure Virtual Machine) extensions with AVIC (Advanced Virtual Interrupt Controller) enabled. AVIC is AMD's hardware mechanism for accelerating APIC interrupt virtualization, bypassing hypervisor software for interrupt delivery. CR8 is the x86 Task Priority Register (TPR), which controls which interrupt priority levels are delivered to a CPU. KVM normally intercepts CR8 writes in software when AVIC is inactive, then clears that interception when AVIC handles TPR in hardware. The bug is a state management flaw: when AVIC is deactivated during INIT→WFS emulation and subsequently reactivated, the CR8 write interception bit is not explicitly cleared, causing KVM to continue handling TPR writes in software even though AVIC is now managing them in hardware. This dual-path TPR management causes the hardware-visible TPR to diverge from the guest's expected state. The fix adds explicit set/clear of CR8 write interception on AVIC (de)activation transitions. Intel VMX is architecturally immune because TPR_THRESHOLD is ignored whenever Virtual Interrupt Delivery (APICv) is active. CWE is not classified in the input data, but this represents a control flow state management flaw (analogous to CWE-664). Affected CPE: cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*.

RemediationAI

The primary fix is upgrading to a patched kernel version: 6.1.167, 6.6.130, 6.12.78, 6.18.19, 6.19.9, or 7.0, as documented in EUVD-2026-30019. Upstream stable-tree patch commits are available at https://git.kernel.org/stable/c/a4123fe5d9122eef9852e4921f7cc463420f30d4, https://git.kernel.org/stable/c/816fa1dfae4532e851b1fe6b2434c753ecbd86c7, https://git.kernel.org/stable/c/01651e7751edbbc0fb4598f8367a3dabcfc8c182, and three additional commits (ba3bca40, 737410b3, 87d0f901). As a compensating control pending kernel upgrade, disabling AVIC on the KVM host via 'modprobe kvm_amd avic=0' or the kernel boot parameter 'kvm_amd.avic=0' eliminates the vulnerable code path entirely; the trade-off is reduced interrupt virtualization performance and increased vCPU overhead for interrupt delivery. Ensuring commit d02e48830e3f (TPR sync fix) is also present is critical, as the fatal Windows guest crash behavior requires both bugs to be simultaneously present. Distribution-specific kernel packages from major Linux vendors (RHEL, SLES, Ubuntu) should be monitored for backported fixes.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
Container suse/sl-micro/6.0/base-os-container:2.1.3-7.158 Container suse/sl-micro/6.1/base-os-container:2.2.1-5.144 Image SL-Micro-Azure Image SL-Micro-BYOS-Azure Image SL-Micro-BYOS-EC2 Image SL-Micro-BYOS-GCE Image SL-Micro-EC2 Image SLE-Micro Image SLE-Micro-Azure Image SLE-Micro-BYOS Image SLE-Micro-BYOS-Azure Image SLE-Micro-BYOS-EC2 Image SLE-Micro-BYOS-GCE Image SLE-Micro-EC2 Image SLE-Micro-GCE Image SUSE-Multi-Linux-Manager-Proxy-BYOS-Azure Image SUSE-Multi-Linux-Manager-Proxy-BYOS-EC2 Image SUSE-Multi-Linux-Manager-Proxy-BYOS-GCE Image SUSE-Multi-Linux-Manager-Server-BYOS-Azure Image SUSE-Multi-Linux-Manager-Server-BYOS-EC2 Image SUSE-Multi-Linux-Manager-Server-BYOS-GCE Image SUSE-Multi-Linux-Manager-Server-EC2-llc Image SUSE-Multi-Linux-Manager-Server-EC2-ltd Affected
Container suse/sl-micro/6.0/kvm-os-container:2.1.3-6.173 Container suse/sl-micro/6.1/kvm-os-container:2.2.1-5.144 Affected
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-30019 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy