CVE-2026-43133 - Vulnerability Details

- KVM: nSVM: Always use vmcb01 in VMLOAD/VMSAVE emulation

Description

In the Linux kernel, the following vulnerability has been resolved:

KVM: nSVM: Always use vmcb01 in VMLOAD/VMSAVE emulation

Commit cc3ed80ae69f ("KVM: nSVM: always use vmcb01 to for vmsave/vmload
of guest state") made KVM always use vmcb01 for the fields controlled by
VMSAVE/VMLOAD, but it missed updating the VMLOAD/VMSAVE emulation code
to always use vmcb01.

As a result, if VMSAVE/VMLOAD is executed by an L2 guest and is not
intercepted by L1, KVM will mistakenly use vmcb02. Always use vmcb01
instead of the current VMCB.

Published: 2026-05-06

Score: n/a

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

In nested KVM environments, a bug caused the VMLOAD and VMSAVE emulation path to use the second virtual machine control block (vmcb02) instead of the first one (vmcb01) when those instructions were executed by a Level‑2 virtual machine and not intercepted by Level‑1. This incorrect use of vmcb02 can result in the guest’s state being saved to or restored from the wrong control block, causing memory corruption or unintended data exposure between virtual machines. The flaw does not directly enable arbitrary code execution but undermines the isolation guarantees of nested virtualization.

Affected Systems

Linux kernel running KVM with nested virtualization enabled. No specific version range is listed, so any kernel that implements the vmcb02 field for VMSAVE/VMLOAD may be affected until the patch is applied.

Risk and Exploitability

The CVSS score is not listed, and the EPSS score is not available, so formal severity metrics are missing. The vulnerability is only exploitable in environments that use nested virtualization and where the L1 hypervisor does not intercept VMSAVE/VMLOAD. Because the flaw requires a nested virtual machine context to be triggered, the risk to a typical host system is limited, but it can be significant in multi‑tenant data‑center or cloud scenarios that rely on guest isolation. The defect was fixed in commit cc3ed80, which now forces the use of vmcb01 for both the emulation and actual instruction handling. Once patched, the risk is mitigated.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`cc3ed80ae69f454c3d904af9f65394a540099723`	affected	< 10063e1251c1485034a018236080792ad083dcc5
`cc3ed80ae69f454c3d904af9f65394a540099723`	affected	< c3b7015000988ba35ecd5648f4b2283960f00543
`cc3ed80ae69f454c3d904af9f65394a540099723`	affected	< 3880e331b0b31d0d5d3702b124f6c93539cd478a
`cc3ed80ae69f454c3d904af9f65394a540099723`	affected	< fce2fd4a2ca05670a91015aacccf96a1c26268fd
`cc3ed80ae69f454c3d904af9f65394a540099723`	affected	< d464cf1ed900d47c85393d40b00017b6adfc2e6c
`cc3ed80ae69f454c3d904af9f65394a540099723`	affected	< 0004ecb798b30e90d7ebfe74efae2d9423315a64
`cc3ed80ae69f454c3d904af9f65394a540099723`	affected	< 127ccae2c185f62e6ecb4bf24f9cb307e9b9c619

Linux

affected

Version	Status	Constraints
`5.13`	affected	—
`0`	unaffected	< 5.13
`5.15.202`	unaffected	≤ 5.15.*
`6.1.165`	unaffected	≤ 6.1.*
`6.6.128`	unaffected	≤ 6.6.*
`6.12.75`	unaffected	≤ 6.12.*
`6.18.16`	unaffected	≤ 6.18.*
`6.19.6`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[cc3ed80ae69f454c3d904af9f65394a540099723,10063e1251c1485034a018236080792ad083dcc5)`	affected	code_commit	—
`[cc3ed80ae69f454c3d904af9f65394a540099723,c3b7015000988ba35ecd5648f4b2283960f00543)`	affected	code_commit	—
`[cc3ed80ae69f454c3d904af9f65394a540099723,3880e331b0b31d0d5d3702b124f6c93539cd478a)`	affected	code_commit	—
`[cc3ed80ae69f454c3d904af9f65394a540099723,fce2fd4a2ca05670a91015aacccf96a1c26268fd)`	affected	code_commit	—
`[cc3ed80ae69f454c3d904af9f65394a540099723,d464cf1ed900d47c85393d40b00017b6adfc2e6c)`	affected	code_commit	—
`[cc3ed80ae69f454c3d904af9f65394a540099723,0004ecb798b30e90d7ebfe74efae2d9423315a64)`	affected	code_commit	—
`[cc3ed80ae69f454c3d904af9f65394a540099723,127ccae2c185f62e6ecb4bf24f9cb307e9b9c619)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`5.13`	affected	semver	—
`[0,5.13)`	unaffected	semver	—
`[5.15.202,5.16.0)`	unaffected	semver	—
`[6.1.165,6.2.0)`	unaffected	semver	—
`[6.6.128,6.7.0)`	unaffected	semver	—
`[6.12.75,6.13.0)`	unaffected	semver	—
`[6.18.16,6.19.0)`	unaffected	semver	—
`[6.19.6,7.0.0)`	unaffected	semver	—
`[7.0,*]`	unaffected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update your Linux kernel to a version that contains commit cc3ed80, which ensures vmcb01 is used for all VMLOAD and VMSAVE operations
Disable nested virtualization for workloads that cannot be updated, guaranteeing that L1 will always intercept VMSAVE/VMLOAD
Migrate or isolate vulnerable workloads to a host without nested virtualization until the kernel patch is applied

Generated by OpenCVE AI on May 6, 2026 at 14:59 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/0004ecb798b30e90d7ebfe74efae2d9423315a64
https://git.kernel.org/stable/c/10063e1251c1485034a018236080792ad083dcc5
https://git.kernel.org/stable/c/127ccae2c185f62e6ecb4bf24f9cb307e9b9c619
https://git.kernel.org/stable/c/3880e331b0b31d0d5d3702b124f6c93539cd478a
https://git.kernel.org/stable/c/c3b7015000988ba35ecd5648f4b2283960f00543
https://git.kernel.org/stable/c/d464cf1ed900d47c85393d40b00017b6adfc2e6c
https://git.kernel.org/stable/c/fce2fd4a2ca05670a91015aacccf96a1c26268fd

History

Wed, 06 May 2026 15:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-680 CWE-704

Wed, 06 May 2026 12:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: KVM: nSVM: Always use vmcb01 in VMLOAD/VMSAVE emulation Commit cc3ed80ae69f ("KVM: nSVM: always use vmcb01 to for vmsave/vmload of guest state") made KVM always use vmcb01 for the fields controlled by VMSAVE/VMLOAD, but it missed updating the VMLOAD/VMSAVE emulation code to always use vmcb01. As a result, if VMSAVE/VMLOAD is executed by an L2 guest and is not intercepted by L1, KVM will mistakenly use vmcb02. Always use vmcb01 instead of the current VMCB.
Title		KVM: nSVM: Always use vmcb01 in VMLOAD/VMSAVE emulation
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/0004ecb798b30e90d7ebfe74efae2d9423315a64 https://git.kernel.org/stable/c/10063e1251c1485034a018236080792ad083dcc5 https://git.kernel.org/stable/c/127ccae2c185f62e6ecb4bf24f9cb307e9b9c619 https://git.kernel.org/stable/c/3880e331b0b31d0d5d3702b124f6c93539cd478a https://git.kernel.org/stable/c/c3b7015000988ba35ecd5648f4b2283960f00543 https://git.kernel.org/stable/c/d464cf1ed900d47c85393d40b00017b6adfc2e6c https://git.kernel.org/stable/c/fce2fd4a2ca05670a91015aacccf96a1c26268fd

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-06T11:27:20.882Z

Updated: 2026-05-06T11:27:20.882Z

Reserved: 2026-05-01T14:12:55.988Z

Link: CVE-2026-43133

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-06T12:16:30.480

Modified: 2026-05-06T13:07:51.607

Link: CVE-2026-43133

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-06T15:00:07Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object