Description
In the Linux kernel, the following vulnerability has been resolved:

KVM: SVM: Set/clear CR8 write interception when AVIC is (de)activated

Explicitly set/clear CR8 write interception when AVIC is (de)activated to
fix a bug where KVM leaves the interception enabled after AVIC is
activated. E.g. if KVM emulates INIT=>WFS while AVIC is deactivated, CR8
will remain intercepted in perpetuity.

On its own, the dangling CR8 intercept is "just" a performance issue, but
combined with the TPR sync bug fixed by commit d02e48830e3f ("KVM: SVM:
Sync TPR from LAPIC into VMCB::V_TPR even if AVIC is active"), the dangling
intercept is fatal to Windows guests as the TPR seen by hardware gets
wildly out of sync with reality.

Note, VMX isn't affected by the bug as TPR_THRESHOLD is explicitly ignored
when Virtual Interrupt Delivery is enabled, i.e. when APICv is active in
KVM's world. I.e. there's no need to trigger update_cr8_intercept(), this
is firmly an SVM implementation flaw/detail.

WARN if KVM gets a CR8 write #VMEXIT while AVIC is active, as KVM should
never enter the guest with AVIC enabled and CR8 writes intercepted.

[Squash fix to avic_deactivate_vmcb. - Paolo]
Published: 2026-05-13
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel’s KVM module for AMD SVM incorrectly keeps the CR8 write interception flag set when the Advanced Virtual Interrupt Controller (AVIC) is enabled or disabled. While this alone only reduces performance, it becomes fatal when combined with a known TPR synchronization bug, causing the virtual processor’s TPR to diverge from the host’s hardware TPR. For Windows guests this divergence can trigger hard crashes or severe instability, and the flaw is a classic example of improper resource management and failure to recognize a fatal condition, reflected in CWE‑821.

Affected Systems

The vulnerability exists in all Linux kernel releases that have not incorporated the commit that explicitly clears CR8 write interception when AVIC state changes. It affects KVM hosts that use the AMD SVM virtualization technology with AVIC enabled. Any distribution running a kernel version prior to the included commits remains affected, regardless of the specific distribution.

Risk and Exploitability

The CVSS score is 5.5 and the EPSS score indicates less than 1% probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is local or system-level; an adversary must control the hypervisor or influence AVIC configuration or trigger CR8 writes. Once exploited, the result is a crash or severe instability of guests that depend on correct TPR management, especially Windows; VMX mode is unaffected.

Generated by OpenCVE AI on May 14, 2026 at 15:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that contains the patch which sets or clears CR8 write interception when AVIC is activated or deactivated, referencing the listed commit hashes.
  • If the kernel cannot be upgraded immediately, disable AVIC for affected guests or avoid operations that write to CR8 until the fix is applied.
  • Monitor Windows guests for TPR‑synchronization failures, unexpected shutdowns or kernel panic logs, and consider pausing or removing affected VMs until the kernel update is implemented.


Advisories

No advisories yet.

History

Thu, 14 May 2026 14:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-665
CWE-682

Thu, 14 May 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-821
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Low


Wed, 13 May 2026 18:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-665
CWE-682

Wed, 13 May 2026 15:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: KVM: SVM: Set/clear CR8 write interception when AVIC is (de)activated Explicitly set/clear CR8 write interception when AVIC is (de)activated to fix a bug where KVM leaves the interception enabled after AVIC is activated. E.g. if KVM emulates INIT=>WFS while AVIC is deactivated, CR8 will remain intercepted in perpetuity. On its own, the dangling CR8 intercept is "just" a performance issue, but combined with the TPR sync bug fixed by commit d02e48830e3f ("KVM: SVM: Sync TPR from LAPIC into VMCB::V_TPR even if AVIC is active"), the dangling intercept is fatal to Windows guests as the TPR seen by hardware gets wildly out of sync with reality. Note, VMX isn't affected by the bug as TPR_THRESHOLD is explicitly ignored when Virtual Interrupt Delivery is enabled, i.e. when APICv is active in KVM's world. I.e. there's no need to trigger update_cr8_intercept(), this is firmly an SVM implementation flaw/detail. WARN if KVM gets a CR8 write #VMEXIT while AVIC is active, as KVM should never enter the guest with AVIC enabled and CR8 writes intercepted. [Squash fix to avic_deactivate_vmcb. - Paolo]
Title KVM: SVM: Set/clear CR8 write interception when AVIC is (de)activated
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-13T15:08:30.319Z

Reserved: 2026-05-01T14:12:56.012Z

Link: CVE-2026-43483

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-13T16:16:51.497

Modified: 2026-05-13T16:16:51.497

Link: CVE-2026-43483

Redhat

Severity : Low

Public Date: 2026-05-13T00:00:00Z

Links: CVE-2026-43483 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-14T15:30:16Z

Weaknesses