Description
In the Linux kernel, the following vulnerability has been resolved:

KVM: arm64: Fix ID register initialization for non-protected pKVM guests

In protected mode, the hypervisor maintains a separate instance of
the `kvm` structure for each VM. For non-protected VMs, this structure is
initialized from the host's `kvm` state.

Currently, `pkvm_init_features_from_host()` copies the
`KVM_ARCH_FLAG_ID_REGS_INITIALIZED` flag from the host without the
underlying `id_regs` data being initialized. This results in the
hypervisor seeing the flag as set while the ID registers remain zeroed.

Consequently, `kvm_has_feat()` checks at EL2 fail (return 0) for
non-protected VMs. This breaks logic that relies on feature detection,
such as `ctxt_has_tcrx()` for TCR2_EL1 support. As a result, certain
system registers (e.g., TCR2_EL1, PIR_EL1, POR_EL1) are not
saved/restored during the world switch, which could lead to state
corruption.

Fix this by explicitly copying the ID registers from the host `kvm` to
the hypervisor `kvm` for non-protected VMs during initialization, since
we trust the host with its non-protected guests' features. Also ensure
`KVM_ARCH_FLAG_ID_REGS_INITIALIZED` is cleared initially in
`pkvm_init_features_from_host` so that `vm_copy_id_regs` can properly
initialize them and set the flag once done.
Published: 2026-04-03
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: Integrity compromise
Action: Patch Now
AI Analysis

Impact

The vulnerability occurs when the KVM hypervisor copies a flag indicating ID registers are initialized without actually copying the register values for non-protected VMs. This causes the hypervisor to believe ID registers are ready while they remain zeroed, leading to failed feature checks. As a result, critical system registers such as TCR2_EL1, PIR_EL1, and POR_EL1 are not saved and restored during world switches, which could corrupt the processor state and compromise VM isolation.

Affected Systems

Affected products are the Linux kernel on ARM64, specifically for non-protected pKVM guests. The exact kernel versions impacted are not disclosed in the available data.

Risk and Exploitability

The EPSS score is below 1%, indicating a low probability of exploitation. The vulnerability is not listed in CISA's KEV catalogue, and a CVSS score is not provided, but the reported impact suggests potential integrity compromise. Based on the description, it is inferred that the attack vector would involve a non-protected VM or compromised host attempting to use the host-initialized flag, but no explicit attack path or prerequisites are documented. Overall, the risk is considered moderate due to the potential for state corruption, but the low exploitation probability reduces the urgency.

Generated by OpenCVE AI on April 7, 2026 at 09:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Linux kernel to a version that includes the fix for the ID register initialization issue.
  • Monitor vendor advisories for updates on this vulnerability.

Advisories

No advisories yet.

History

Tue, 07 Apr 2026 08:00:00 +0000

Type         Values Removed    Values Added
Weaknesses                     CWE-665

Sat, 04 Apr 2026 01:15:00 +0000


Fri, 03 Apr 2026 21:30:00 +0000

Type         Values Removed    Values Added
Weaknesses                     CWE-665

Fri, 03 Apr 2026 14:00:00 +0000

Type                  Values Removed    Values Added
Description                             (the advisory text shown in full under Description above)
Title                                   KVM: arm64: Fix ID register initialization for non-protected pKVM guests
First Time appeared                     Linux, Linux linux Kernel
CPEs                                    cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products                      Linux, Linux linux Kernel
References
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-03T13:24:33.384Z

Reserved: 2026-01-13T15:37:46.015Z

Link: CVE-2026-23425

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-04-03T14:16:28.747

Modified: 2026-04-03T16:10:23.730

Link: CVE-2026-23425

Redhat

Severity:

Public Date: 2026-04-03T00:00:00Z

Links: CVE-2026-23425 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-08T19:54:12Z

Weaknesses