Description
In the Linux kernel, the following vulnerability has been resolved:

mshv: Fix infinite fault loop on permission-denied GPA intercepts

Prevent infinite fault loops when guests access memory regions without
proper permissions. Currently, mshv_handle_gpa_intercept() attempts to
remap pages for all faults on movable memory regions, regardless of
whether the access type is permitted. When a guest writes to a read-only
region, the remap succeeds but the region remains read-only, causing
immediate re-fault and spinning the vCPU indefinitely.

Validate intercept access type against region permissions before
attempting remaps. Reject writes to non-writable regions and executes to
non-executable regions early, returning false to let the VMM handle the
intercept appropriately.

This also closes a potential DoS vector where malicious guests could
intentionally trigger these fault loops to consume host resources.
Published: 2026-05-06
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw in the mshv_handle_gpa_intercept routine causes every fault on movable memory regions to be remapped without verifying if the access that caused the fault is actually allowed. If a guest writes to a read‑only area or attempts an execute in a non‑executable region, the remap succeeds but the page remains protected, leading the guest to fault again immediately. This cycle repeats indefinitely, spinning the virtual CPU and consuming host CPU cycles, which can be triggered intentionally by a malicious virtual machine. This behavior constitutes an infinite loop (CWE‑835) and is a form of denial‑of‑service vulnerability.
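
The loop described above, reduced to a user-space C model. This is an added example, not the kernel's mshv code: the types, the function names handle_gpa_intercept and simulate, and the retry budget standing in for "indefinitely" are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical model types and names; none of these are the kernel's. */
enum access  { ACC_READ, ACC_WRITE, ACC_EXEC };
enum outcome { COMPLETED, EXIT_TO_VMM, STILL_SPINNING };

struct region { bool movable, writable, executable, mapped; };

/* Would the region's protection allow this access once the page is mapped? */
static bool access_permitted(const struct region *r, enum access a)
{
    if (a == ACC_WRITE) return r->writable;
    if (a == ACC_EXEC)  return r->executable;
    return true;
}

/* Intercept handler model: true = handled, vCPU resumes; false = VMM decides.
 * check_perms == false reproduces the behaviour before the fix. */
static bool handle_gpa_intercept(struct region *r, enum access a, bool check_perms)
{
    if (!r->movable)
        return false;
    if (check_perms && !access_permitted(r, a))
        return false;          /* fix: deny before attempting the remap */
    r->mapped = true;          /* remap succeeds; protection is unchanged */
    return true;
}

/* Retry one guest access until it completes, defers to the VMM, or budget ends. */
static enum outcome simulate(bool writable, bool executable, enum access a,
                             bool check_perms, int budget)
{
    struct region r = { true, writable, executable, false };
    for (int faults = 0; faults < budget; faults++) {
        if (r.mapped && access_permitted(&r, a))
            return COMPLETED;
        if (!handle_gpa_intercept(&r, a, check_perms))
            return EXIT_TO_VMM;
    }
    return STILL_SPINNING;
}

int main(void)
{
    printf("write to RO, no check:   %d\n", simulate(false, false, ACC_WRITE, false, 100000));
    printf("write to RO, with check: %d\n", simulate(false, false, ACC_WRITE, true, 100000));
    return 0;
}
```

Without the permission check the handler keeps reporting the fault as handled, so the only thing that ends the loop in this model is the budget; with the check the first intercept is handed to the VMM.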

Affected Systems

All Linux kernel builds that include the Hyper‑V (mshv) virtual machine monitor component are potentially affected, regardless of the exact kernel release. The CVE data does not list specific kernel versions; the fix is contained in commits 02226839 and 16cbec24 in the kernel source tree, so any kernel that has not merged those commits may still be vulnerable.

Risk and Exploitability

The CVSS score of 5.5 indicates medium severity. Exploitability is low in terms of public threat: the EPSS score is reported as < 1% and the vulnerability is not listed in CISA’s KEV catalog, indicating no publicly known exploits. However, the vulnerability can still be triggered by a guest that has permission to load the Hyper‑V module and control memory permissions, which could lead to a denial of service of the host by exhausting CPU resources. The attack vector is therefore a malicious guest posing as a normal workload on the same host, or a compromised hypervisor setting up the faulty permissions.

Generated by OpenCVE AI on May 19, 2026 at 21:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a release that includes the mshv_handle_gpa_intercept patch (commits 02226839 and 16cbec24) or apply those specific kernel patches from the distros’ security repositories.
  • If Hyper‑V is not required, disable the mshv module to remove the vulnerable code path from the host.
  • Ensure guest virtual machines are configured with correct memory access rights, preventing writable or executable flags on read‑only buffers and steering the hypervisor from setting up the conditions that would trigger the fault loop.

Advisories

No advisories yet.

History

Tue, 19 May 2026 20:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-835
CPEs cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}


Thu, 07 May 2026 04:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-770
CWE-779

Thu, 07 May 2026 00:15:00 +0000


Wed, 06 May 2026 13:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-770
CWE-779

Wed, 06 May 2026 09:30:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: mshv: Fix infinite fault loop on permission-denied GPA intercepts Prevent infinite fault loops when guests access memory regions without proper permissions. Currently, mshv_handle_gpa_intercept() attempts to remap pages for all faults on movable memory regions, regardless of whether the access type is permitted. When a guest writes to a read-only region, the remap succeeds but the region remains read-only, causing immediate re-fault and spinning the vCPU indefinitely. Validate intercept access type against region permissions before attempting remaps. Reject writes to non-writable regions and executes to non-executable regions early, returning false to let the VMM handle the intercept appropriately. This also closes a potential DoS vector where malicious guests could intentionally trigger these fault loops to consume host resources.
Title mshv: Fix infinite fault loop on permission-denied GPA intercepts
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:17:39.132Z

Reserved: 2026-05-01T14:12:55.984Z

Link: CVE-2026-43096

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-05-06T10:16:23.027

Modified: 2026-05-19T20:20:13.650

Link: CVE-2026-43096

Redhat

Severity:

Public Date: 2026-05-06T00:00:00Z

Links: CVE-2026-43096 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-19T21:30:14Z

Weaknesses