Skip to main content

Linux Kernel EUVDEUVD-2026-38837

| CVE-2026-52969 HIGH
Integer Overflow or Wraparound (CWE-190)
2026-06-24 Linux GHSA-gpq6-rrxf-v33x
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.0 HIGH

Local /dev/kvm access gives PR:L; the required race and non-default rmap-MMU precondition raise AC to H; kernel memory corruption yields high C/I/A with no scope change.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

8
Analysis Updated
Jul 14, 2026 - 20:31 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 14, 2026 - 20:22 vuln.today
cvss_changed
CVSS changed
Jul 14, 2026 - 20:22 NVD
7.0 (HIGH) 7.8 (HIGH)
Analysis Generated
Jun 30, 2026 - 05:30 vuln.today
CVSS changed
Jun 30, 2026 - 03:24 NVD
7.0 (HIGH)
Patch available
Jun 24, 2026 - 18:02 EUVD
CVE Published
Jun 24, 2026 - 16:28 cve.org
HIGH 7.0
CVE Published
Jun 24, 2026 - 16:28 cve.org
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

KVM: Reject wrapped offset in kvm_reset_dirty_gfn()

kvm_reset_dirty_gfn() guards the gfn range with

if (!memslot || (offset + __fls(mask)) >= memslot->npages) return;

but offset is u64 and the addition is unchecked. The check can be silently bypassed by a u64 wrap.

The dirty ring backing those entries is MAP_SHARED at KVM_DIRTY_LOG_PAGE_OFFSET of the vcpu fd, so the VMM can rewrite the slot and offset fields of any entry between when the kernel pushes them and when KVM_RESET_DIRTY_RINGS consumes them. On reset, kvm_dirty_ring_reset() re-reads the values via READ_ONCE() and feeds them straight back into this check; only the flags handshake is treated as the handover, the slot/offset payload is taken on trust.

Crafting two entries

entry[i].offset = 0xffffffffffffffc1 entry[i+1].offset = 0

makes the coalescing loop in kvm_dirty_ring_reset() compute

delta = (s64)(0 - 0xffffffffffffffc1) = 63

which falls in [0, BITS_PER_LONG), so it folds entry[i+1] into the existing mask by setting bit 63. The trailing kvm_reset_dirty_gfn() call then sees offset = 0xffffffffffffffc1 and __fls(mask) = 63; the sum is 0 in u64 and the bounds check passes.

That offset propagates into kvm_arch_mmu_enable_log_dirty_pt_masked() unchanged. On the legacy MMU path -- kvm_memslots_have_rmaps() == true, i.e. shadow paging, any VM that has allocated shadow roots, or a write-tracked slot -- it reaches gfn_to_rmap(), which indexes slot->arch.rmap[0][] with a near-U64_MAX gfn. That is an out-of-bounds load of a kvm_rmap_head, followed by a conditional clear of PT_WRITABLE_MASK in whatever the loaded pointer points at. The path is reachable from any process holding /dev/kvm.

Range-check offset on its own first, so the addition cannot wrap. memslot->npages is bounded well below U64_MAX, so once offset < npages holds, offset + __fls(mask) (with __fls(mask) < BITS_PER_LONG) stays in range.

AnalysisAI

Local privilege-relevant memory corruption in the Linux kernel's KVM subsystem (kvm_reset_dirty_gfn) lets any process holding /dev/kvm bypass a dirty-ring bounds check via a u64 integer overflow, driving a near-U64_MAX guest frame number into gfn_to_rmap() for an out-of-bounds kvm_rmap_head load and a conditional write-flag clear. Affected are kernels from 5.11 through the 7.x line running VMs on the shadow-paging (legacy/rmap) MMU path. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Open /dev/kvm and create VM
Delivery
Enable dirty-ring logging (MAP_SHARED)
Exploit
Craft wrapping offsets 0xffffffffffffffc1 and 0
Install
Race KVM_RESET_DIRTY_RINGS to bypass bounds check
C2
Drive near-U64_MAX gfn into gfn_to_rmap()
Execute
Out-of-bounds rmap load and PT_WRITABLE clear
Impact
Kernel memory corruption / privilege escalation

Vulnerability AssessmentAI

Exploitation Requires local code execution as a process that holds an open handle to /dev/kvm (PR:L - not root, but not an anonymous remote attacker). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor CVSS 3.1 vector (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H = 7.8) is consistent with the description: exploitation is local, requires only that the attacking process hold an open /dev/kvm handle (a low-privilege prerequisite, not root), needs no user interaction, and yields high confidentiality/integrity/availability impact through kernel memory corruption. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A low-privilege local user or container/VM-management process that can open /dev/kvm creates a VM using dirty-ring logging, then races the shared MAP_SHARED ring to craft two entries with offsets 0xffffffffffffffc1 and 0 so the reset path's bounds check wraps and passes. On the shadow-paging MMU path this drives a near-U64_MAX gfn into gfn_to_rmap(), producing an out-of-bounds kvm_rmap_head load and a conditional clear of PT_WRITABLE_MASK in attacker-influenced kernel memory, corrupting kernel state toward privilege escalation or denial of service. …
Remediation Vendor-released patch: upgrade to a fixed stable kernel - 5.15.209, 6.1.175, 6.6.141, 6.12.91, 7.0.10, or 6.18.33 (mainline 7.1) - matching your maintained series, and consume your distribution's backported build (track Red Hat's advisory at https://access.redhat.com/security/cve/CVE-2026-52969 and CSAF VEX at https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-52969.json). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, identify all Linux systems running kernel versions 5.11 through 7.x with KVM enabled, prioritizing production virtualization infrastructure. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-38837 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy