Skip to main content

Linux Kernel EUVDEUVD-2026-32890

| CVE-2026-46131 MEDIUM
2026-05-28 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-3wqm-qqw5-qr42
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
4.7 MEDIUM

AC:H reflects the specific nested virtualization configuration required (L2 running without nEPT/nNPT); all other metrics align with local low-privilege execution causing availability impact only.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative
Red Hat
5.5 LOW
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 24, 2026 - 20:24 vuln.today
CVSS changed
Jun 24, 2026 - 18:07 NVD
5.5 (MEDIUM)
Patch available
May 28, 2026 - 12:31 EUVD
CVE Published
May 28, 2026 - 10:16 nvd
MEDIUM 5.5
CVE Published
May 28, 2026 - 10:16 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

KVM: x86: check for nEPT/nNPT in slow flush hypercalls

Checking is_guest_mode(vcpu) is incorrect, because translate_nested_gpa() is only valid if an L2 guest is running *with nested EPT/NPT enabled*. Instead use the same condition as translate_nested_gpa() itself.

AnalysisAI

Availability impact in Linux Kernel KVM's x86 nested virtualization subsystem allows a low-privileged user operating within an L2 (nested) guest to trigger a host kernel denial-of-service via incorrect hypercall handling. The root cause is an incorrect guard condition in slow-flush hypercall paths: KVM checks is_guest_mode(vcpu) before calling translate_nested_gpa(), but that translation function is only valid when the L2 guest is running with nested EPT/NPT actually enabled - not merely when guest mode is active. No public exploit has been identified at time of analysis, and EPSS exploitation probability is 0.02% (5th percentile). Vendor-released patches are available across multiple stable branches.

Technical ContextAI

KVM (Kernel-based Virtual Machine) supports nested virtualization, where an L1 hypervisor (running on bare metal with KVM) can itself host L2 guest VMs. Intel Extended Page Tables (EPT) and AMD Nested Page Tables (NPT) are hardware-assisted memory virtualization features that, when enabled in nested mode (nEPT/nNPT), allow two-level GPA-to-HPA address translation. The function translate_nested_gpa() performs nested guest physical address translation and is only semantically valid when an L2 guest is active *and* nEPT/nNPT is enabled. The vulnerable code path - slow TLB flush hypercalls - guarded this call with only is_guest_mode(vcpu), which returns true whenever the vCPU is executing in L2 mode regardless of whether nested paging is active. When nEPT/nNPT is not enabled but the L2 guest is running, invoking translate_nested_gpa() operates on invalid state, leading to undefined behavior and potential host kernel crash. The CWE is not formally assigned in the input data, but this maps to CWE-754 (Improper Check for Unusual or Exceptional Conditions) - a logic error in precondition validation. Affected CPE: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*.

RemediationAI

Vendor-released patches are available. Upgrade to Linux kernel 6.6.140, 6.12.88, 6.18.30, 7.0.7, or 7.1-rc3 (or later) depending on the stable branch in use. Distribution maintainers for RHEL, Ubuntu, Debian, SUSE, and others should be consulted for backport availability to their supported kernel versions. For environments unable to patch immediately, a specific compensating control is to disable nested virtualization entirely: unload or blacklist the kvm_intel or kvm_amd module options for nested support (e.g., options kvm_intel nested=0) - note this will break any workloads that depend on L2 guest execution. Alternatively, restrict L2 guest execution to trusted workloads only; since exploitation requires code execution inside a nested guest, limiting who can launch nested VMs reduces exposure. There is no workaround that preserves nested VM functionality while eliminating the risk short of patching. References: https://git.kernel.org/stable/c/971f17f5d91045404e3914029ea57c3da90179a4 and https://nvd.nist.gov/vuln/detail/CVE-2026-46131.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected

Share

EUVD-2026-32890 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy