Description
In the Linux kernel, the following vulnerability has been resolved:

KVM: arm64: Fix ID register initialization for non-protected pKVM guests

In protected mode, the hypervisor maintains a separate instance of
the `kvm` structure for each VM. For non-protected VMs, this structure is
initialized from the host's `kvm` state.

Currently, `pkvm_init_features_from_host()` copies the
`KVM_ARCH_FLAG_ID_REGS_INITIALIZED` flag from the host without the
underlying `id_regs` data being initialized. This results in the
hypervisor seeing the flag as set while the ID registers remain zeroed.

Consequently, `kvm_has_feat()` checks at EL2 fail (return 0) for
non-protected VMs. This breaks logic that relies on feature detection,
such as `ctxt_has_tcrx()` for TCR2_EL1 support. As a result, certain
system registers (e.g., TCR2_EL1, PIR_EL1, POR_EL1) are not
saved/restored during the world switch, which could lead to state
corruption.

Fix this by explicitly copying the ID registers from the host `kvm` to
the hypervisor `kvm` for non-protected VMs during initialization, since
we trust the host with its non-protected guests' features. Also ensure
`KVM_ARCH_FLAG_ID_REGS_INITIALIZED` is cleared initially in
`pkvm_init_features_from_host` so that `vm_copy_id_regs` can properly
initialize them and set the flag once done.
Published: 2026-04-03
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: State corruption due to improper ID register initialization
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a CWE‑909 flaw in the KVM hypervisor’s handling of the ID register initialization flag for non‑protected pKVM guests. During VM startup, the hypervisor copies a flag from the host indicating the ID registers are initialized, but it fails to copy the actual register values. As a result, the hypervisor believes the registers are ready while they remain zeroed, causing feature checks to fail. This failure prevents critical system registers such as TCR2_EL1, PIR_EL1, and POR_EL1 from being saved and restored during world switches, which can corrupt the processor state and break VM isolation.

Affected Systems

The issue affects the Linux kernel’s KVM implementation on ARM64 platforms. All kernel releases that include the vulnerable code path – currently the 6.14 series and the 7.0 release candidates (rc1‑rc7) – are potentially impacted, as the relevant patches appear in recent kernel git commits.

Risk and Exploitability

The CVSS score of 8.8 indicates a high severity flaw. The EPSS score is below 1%, meaning the likelihood of exploitation is very low, and the vulnerability has not been listed in CISA’s KEV catalog. Exploitation likely requires control over a non‑protected VM or the host; the exact attack vector is inferred from the description rather than explicitly stated, but it is a local or privileged attack scenario. Based on the description, it is inferred that state corruption could lead to privilege escalation or denial of service within the virtualized environment.

Generated by OpenCVE AI on April 29, 2026 at 02:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Linux kernel patch that corrects the ID register initialization for non‑protected pKVM guests (see kernel commit 7e7c2cf).
  • Configure KVM guests to run in protected mode or disable non‑protected guest support to avoid the faulty initialization path.
  • Keep the kernel updated to the newest stable release and monitor vendor advisories for additional patches or mitigations.

Generated by OpenCVE AI on April 29, 2026 at 02:42 UTC.

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 14:15:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}
Values Added: cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}


Thu, 23 Apr 2026 21:15:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:o:linux:linux_kernel:6.14:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}


Tue, 07 Apr 2026 08:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-665

Sat, 04 Apr 2026 01:15:00 +0000


Fri, 03 Apr 2026 21:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-665

Fri, 03 Apr 2026 14:00:00 +0000

Type Values Removed Values Added
Description (full text identical to the Description at the top of this page)
Title KVM: arm64: Fix ID register initialization for non-protected pKVM guests
First Time appeared: Linux; Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products: Linux; Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-27T14:02:17.285Z

Reserved: 2026-01-13T15:37:46.015Z

Link: CVE-2026-23425

Vulnrichment

No data.

NVD

Status : Modified

Published: 2026-04-03T14:16:28.747

Modified: 2026-04-27T14:16:31.883

Link: CVE-2026-23425

Redhat

Severity :

Public Date: 2026-04-03T00:00:00Z

Links: CVE-2026-23425 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-29T02:45:35Z

Weaknesses