Description
In the Linux kernel, the following vulnerability has been resolved:

KVM: x86/mmu: Drop/zap existing present SPTE even when creating an MMIO SPTE

When installing an emulated MMIO SPTE, do so *after* dropping/zapping the
existing SPTE (if it's shadow-present). While commit a54aa15c6bda3 was
right about it being impossible to convert a shadow-present SPTE to an
MMIO SPTE due to a _guest_ write, it failed to account for writes to guest
memory that are outside the scope of KVM.

E.g. if host userspace modifies a shadowed gPTE to switch from a memslot
to emulated MMIO and then the guest hits a relevant page fault, KVM will
install the MMIO SPTE without first zapping the shadow-present SPTE.

------------[ cut here ]------------
is_shadow_present_pte(*sptep)
WARNING: arch/x86/kvm/mmu/mmu.c:484 at mark_mmio_spte+0xb2/0xc0 [kvm], CPU#0: vmx_ept_stale_r/4292
Modules linked in: kvm_intel kvm irqbypass
CPU: 0 UID: 1000 PID: 4292 Comm: vmx_ept_stale_r Not tainted 7.0.0-rc2-eafebd2d2ab0-sink-vm #319 PREEMPT
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
RIP: 0010:mark_mmio_spte+0xb2/0xc0 [kvm]
Call Trace:
<TASK>
mmu_set_spte+0x237/0x440 [kvm]
ept_page_fault+0x535/0x7f0 [kvm]
kvm_mmu_do_page_fault+0xee/0x1f0 [kvm]
kvm_mmu_page_fault+0x8d/0x620 [kvm]
vmx_handle_exit+0x18c/0x5a0 [kvm_intel]
kvm_arch_vcpu_ioctl_run+0xc55/0x1c20 [kvm]
kvm_vcpu_ioctl+0x2d5/0x980 [kvm]
__x64_sys_ioctl+0x8a/0xd0
do_syscall_64+0xb5/0x730
entry_SYSCALL_64_after_hwframe+0x4b/0x53
RIP: 0033:0x47fa3f
</TASK>
---[ end trace 0000000000000000 ]---
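The ordering defect described in the commit message, as an added toy model rather than kernel code: a single shadow PTE is modelled as a 64-bit word with a present bit and an MMIO marker, the `WARN` in `mark_mmio_spte()` becomes a counter, and the host page held by a present SPTE is modelled as a pin count (an assumption made for illustration; the real KVM structures are far richer). `set_mmio_buggy()` follows the pre-fix ordering and `set_mmio_fixed()` zaps the present SPTE first, as the fix requires.

```c
/* Added example: a simplified model of the SPTE ordering bug.
 * This is NOT Linux/KVM code; names mirror the commit message but the
 * structures, the pin count and the scenario are illustrative assumptions. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define SPTE_PRESENT (1ULL << 0)   /* modelled "shadow-present" bit */
#define SPTE_MMIO    (1ULL << 1)   /* modelled "emulated MMIO" marker */

typedef uint64_t spte_t;

struct mmu_model {
    spte_t spte;      /* the one shadow PTE we model */
    int    pinned;    /* host pages currently held by a present SPTE (assumed model) */
    int    warnings;  /* how many times the invariant check fired */
};

static bool is_shadow_present_pte(spte_t spte) { return spte & SPTE_PRESENT; }
static bool is_mmio_spte(spte_t spte)          { return spte & SPTE_MMIO; }

/* Models the check at mmu.c:484: an MMIO SPTE must never overwrite a
 * shadow-present SPTE. The kernel WARNs; the model counts. */
static void mark_mmio_spte(struct mmu_model *m)
{
    if (is_shadow_present_pte(m->spte))
        m->warnings++;
    m->spte = SPTE_MMIO;
}

/* Tear down a present mapping and release whatever it held. */
static void drop_spte(struct mmu_model *m)
{
    if (is_shadow_present_pte(m->spte))
        m->pinned--;
    m->spte = 0;
}

/* Install a memslot-backed mapping for a (constructed) host page frame. */
static void map_present(struct mmu_model *m, uint64_t pfn)
{
    m->spte = (pfn << 12) | SPTE_PRESENT;
    m->pinned++;
}

/* Pre-fix ordering: install MMIO directly, assuming the slot cannot be present. */
static void set_mmio_buggy(struct mmu_model *m)
{
    mark_mmio_spte(m);
}

/* Fixed ordering: zap a shadow-present SPTE first, then install the MMIO SPTE. */
static void set_mmio_fixed(struct mmu_model *m)
{
    if (is_shadow_present_pte(m->spte))
        drop_spte(m);
    mark_mmio_spte(m);
}

/* Scenario from the commit message: the guest first faults in a memslot page,
 * host userspace then flips the shadowed gPTE to emulated MMIO (outside KVM's
 * view), and the next guest fault resolves to MMIO. Returns 1 when the
 * invariant held and the old mapping was released, 0 otherwise. */
static int run_scenario(bool fixed)
{
    struct mmu_model m = {0};
    map_present(&m, 0x1234);          /* constructed pfn */
    if (fixed)
        set_mmio_fixed(&m);
    else
        set_mmio_buggy(&m);
    return m.warnings == 0 && m.pinned == 0 && is_mmio_spte(m.spte);
}

int main(void)
{
    printf("pre-fix ordering clean=%d\n", run_scenario(false));
    printf("fixed ordering   clean=%d\n", run_scenario(true));
    return 0;
}
```

In the buggy path the present SPTE is overwritten in place, so the invariant check fires and the mapping it held is never released; in the fixed path the zap happens first and the MMIO SPTE lands on an empty slot.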
Published: 2026-04-01
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Potential Remote Code Execution in KVM hypervisor
Action: Patch Immediately
AI Analysis

Impact

The vulnerability occurs when the Linux kernel’s KVM module installs a memory‑mapped I/O (MMIO) shadow page table entry (SPTE) without first removing an existing shadow‑present SPTE. This oversight can lead to stale or invalid guest page mappings, which may expose host memory corruption paths or mis‑directed guest accesses. The defect falls under CWE‑416, indicating a use‑after‑free style fault that can be exploited to disrupt isolation between guest and host, potentially enabling arbitrary code execution or denial of service on the host.

Affected Systems

Affected Linux kernel versions include every release up to the point at which the fix was merged, as indicated by the generic CPE cpe:2.3:o:linux:linux_kernel:*:*. The affected products are all KVM‑enabled Linux hosts on x86 hardware that uses the KVM MMU with EPT, specifically those running the default KVM drivers kvm_intel or kvm_amd. No specific major or minor version limits are listed, so all kernels that have not incorporated the fix remain vulnerable.

Risk and Exploitability

The CVSS score of 8.1 indicates high severity, while an EPSS score of less than 1% suggests low current exploitation likelihood, possibly due to required kernel privileges or the need for a carefully crafted VM to trigger the fault. The vulnerability is not listed in the CISA KEV catalog, indicating no publicly known exploited instances. The likely attack path involves a guest VM under a KVM hypervisor that performs a page fault on a stale mapping, causing the host to create an MMIO SPTE without clearing previous entries. If leveraged, an attacker could corrupt host memory or execute code in the host context. Mitigation requires a kernel update that introduces the patch correcting the SPTE handling logic.

Generated by OpenCVE AI on April 7, 2026 at 19:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Linux kernel update that includes the commit fixing the MMIO SPTE handling bug (for example, the patch that adds proper zap before installation).
  • Verify the kernel revision after update to confirm the presence of "mark_mmio_spte" handling changes.
  • If an update is not immediately possible, consider moving virtual machines to a host running a patched kernel or disabling KVM for affected workloads until a patch is applied.

Advisories

No advisories yet.

History

Sat, 18 Apr 2026 09:15:00 +0000


Sat, 11 Apr 2026 13:00:00 +0000


Tue, 07 Apr 2026 15:15:00 +0000

Type         Values Removed             Values Added
Weaknesses                              CWE-416
References
Metrics      threat_severity: None      cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H'}
                                        threat_severity: Important


Thu, 02 Apr 2026 11:45:00 +0000


Wed, 01 Apr 2026 09:15:00 +0000

Type                 Values Removed   Values Added
Description                           (the description shown at the top of this page)
Title                                 KVM: x86/mmu: Drop/zap existing present SPTE even when creating an MMIO SPTE
First Time appeared                   Linux; Linux linux Kernel
CPEs                                  cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products                    Linux; Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-18T08:58:35.165Z

Reserved: 2026-01-13T15:37:46.012Z

Link: CVE-2026-23401

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-04-01T09:16:15.260

Modified: 2026-04-18T09:16:24.217

Link: CVE-2026-23401

Redhat

Severity : Important

Public Date: 2026-04-01T00:00:00Z

Links: CVE-2026-23401 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-08T19:59:55Z

Weaknesses