kernel: Linux kernel KVM: Privilege escalation or denial of service due to improper shadow page table entry handling

A flaw was found in the Linux kernel's Kernel-based Virtual Machine KVM component. A local attacker with privileges on the host system could exploit a vulnerability in how KVM handles shadow page table entries SPTEs during memory-mapped I/O MMIO operations. By manipulating guest page table entrie...

Astra Linux - уязвимость в linux, linux-5.10

In the Linux kernel, the following vulnerability has been resolved: KVM: x86: Immediately reset the MMU context when the SMM flag is cleared The MMU context should be immediately reset when the SMM flag of the vCPU is cleared, so that the SMM flag in the MMU context is always synchronized with th...

Astra Linux - уязвимость в linux-5.10

In the Linux kernel, the following vulnerability has been resolved: KVM: x86/mmu: Write-protecting of L2 SPTEs in TDP MMU when clearing dirty status Check kvmmmupageadneedwriteprotect when deciding whether to write-protect or clear D-bits on TDP MMU SPTEs. This ensures that the TDP MMU takes into...

Astra Linux - уязвимость в linux-5.10, linux

A flaw was discovered in KVM. When updating a guest’s page table entry, vmpgoff was incorrectly used as the offset to obtain the page’s pfn. Since vaddr and vmpgoff are controllable by user-mode processes, this flaw allows unprivileged local users on the host to write outside the userspace region...

Astra Linux - уязвимость в linux-5.10

In the Linux kernel, the following vulnerability has been resolved: KVM: nSVM: Always use vmcb01 in VMSAVE/VMLOAD emulation. The commit cc3ed80ae69f states that “KVM: nSVM: always use vmcb01 for vmsave/vmload of guest state”. This commit ensured that KVM always used vmcb01 for the fields controll...

Astra Linux – Vulnerability found in Linux 5.10, Linux 6.1, and Linux 5.15

In the Linux kernel, the following vulnerability has been resolved: KVM: SVM – Flushing pages under kvm-lock to fix a Use-After-Free error in svmregisterencregion It is necessary to flush the cached pages in svmregisterencregion before releasing kvm-lock to address use-after-free issues. In such...

Unity Linux 20.1050e Security Update: kernel (UTSA-2026-021593)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-021593 advisory. In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: Make ICCSGIEL1 undef in the absence of a vGICv3 On a system with a GICv3, if a guest...

kernel: KVM: x86: Load DR6 with guest value only before entering .vcpu_run() loop

In the Linux kernel, the following vulnerability has been resolved: KVM: x86: Load DR6 with guest value only before entering .vcpurun loop Move the conditional loading of hardware DR6 with the guest's DR6 value out of the core .vcpurun loop to fix a bug where KVM can load hardware with a stale...

EUVD-2026-30019

In the Linux kernel, the following vulnerability has been resolved: KVM: SVM: Set/clear CR8 write interception when AVIC is deactivated Explicitly set/clear CR8 write interception when AVIC is deactivated to fix a bug where KVM leaves the interception enabled after AVIC is activated. E.g. if KVM...

CVE-2026-43483

In the Linux kernel, the following vulnerability has been resolved: KVM: SVM: Set/clear CR8 write interception when AVIC is deactivated Explicitly set/clear CR8 write interception when AVIC is deactivated to fix a bug where KVM leaves the interception enabled after AVIC is activated. E.g. if KVM...

CVE-2026-43483

In the Linux kernel, the following vulnerability has been resolved: KVM: SVM: Set/clear CR8 write interception when AVIC is deactivated Explicitly set/clear CR8 write interception when AVIC is deactivated to fix a bug where KVM leaves the interception enabled after AVIC is activated. E.g. if KVM...

CVE-2026-43483 KVM: SVM: Set/clear CR8 write interception when AVIC is (de)activated

In the Linux kernel, the following vulnerability has been resolved: KVM: SVM: Set/clear CR8 write interception when AVIC is deactivated Explicitly set/clear CR8 write interception when AVIC is deactivated to fix a bug where KVM leaves the interception enabled after AVIC is activated. E.g. if KVM...

PT-2026-40690

Name of the Vulnerable Software and Affected Versions Linux kernel affected versions not specified Description An issue exists in the KVM SVM implementation where CR8 write interception remains enabled after AVIC Advanced Virtual Interrupt Controller is activated. This occurs because the...

SUSE CVE-2026-43315

In the Linux kernel, the following vulnerability has been resolved: KVM: nSVM: Remove a user-triggerable WARN on nestedsvmloadcr3 succeeding Drop the WARN in svmsetnestedstate on nestedsvmloadcr3 failing as it is trivially easy to trigger from userspace by modifying CPUID after loading CR3. E.g...

SUSE CVE-2026-43214

In the Linux kernel, the following vulnerability has been resolved: KVM: x86: Add SRCU protection for reading PDPTRs in getsregs2 Add SRCU read-side protection when reading PDPTR registers in getsregs2. Reading PDPTRs may trigger access to guest memory: kvmpdptrread - svmcachereg - loadpdptrs -...

CVE-2026-43315 KVM: nSVM: Remove a user-triggerable WARN on nested_svm_load_cr3() succeeding

In the Linux kernel, the following vulnerability has been resolved: KVM: nSVM: Remove a user-triggerable WARN on nestedsvmloadcr3 succeeding Drop the WARN in svmsetnestedstate on nestedsvmloadcr3 failing as it is trivially easy to trigger from userspace by modifying CPUID after loading CR3. E.g...

CVE-2026-43315

CVE-2026-43315 involves the Linux kernel KVM nSVM warning path. Technical details across connected docs show that a user-triggerable WARN is raised in svm_set_nested_state() when nested_svm_load_cr3() succeeds, and the patch removes this WARN. The rationale is that userspace can easily trigger th...

PT-2026-38957

Name of the Vulnerable Software and Affected Versions Linux kernel affected versions not specified Description An issue exists in the KVM nSVM component where a user-triggerable warning occurs in the svm set nested state function when nested svm load cr3 fails. This condition can be easily...

kernel: Linux kernel KVM: Privilege escalation or denial of service due to improper shadow page table entry handling

A flaw was found in the Linux kernel's Kernel-based Virtual Machine KVM component. A local attacker with privileges on the host system could exploit a vulnerability in how KVM handles shadow page table entries SPTEs during memory-mapped I/O MMIO operations. By manipulating guest page table entrie...

EUVD-2026-27695

In the Linux kernel, the following vulnerability has been resolved: KVM: nSVM: Always use vmcb01 in VMLOAD/VMSAVE emulation Commit cc3ed80ae69f "KVM: nSVM: always use vmcb01 to for vmsave/vmload of guest state" made KVM always use vmcb01 for the fields controlled by VMSAVE/VMLOAD, but it missed...