Description
In the Linux kernel, the following vulnerability has been resolved:

KVM: nSVM: Sync interrupt shadow to cached vmcb12 after VMRUN of L2

After VMRUN in guest mode, nested_sync_control_from_vmcb02() syncs
fields written by the CPU from vmcb02 to the cached vmcb12. This is
because the cached vmcb12 is used as the authoritative copy of some of
the controls, and is the payload when saving/restoring nested state.

int_state is also written by the CPU, specifically bit 0 (i.e.
SVM_INTERRUPT_SHADOW_MASK) for nested VMs, but it is not sync'd to
cached vmcb12. This does not cause a problem if KVM_SET_NESTED_STATE
precedes KVM_SET_VCPU_EVENTS in the restore path, as an interrupt shadow
would be correctly restored to vmcb02 (KVM_SET_VCPU_EVENTS overwrites
what KVM_SET_NESTED_STATE restored in int_state).

However, if KVM_SET_VCPU_EVENTS precedes KVM_SET_NESTED_STATE, an
interrupt shadow would be restored into vmcb01 instead of vmcb02. This
would mostly be benign for L1 (delays an interrupt), but not for L2. For
L2, the vCPU could hang (e.g. if a wakeup interrupt is delivered before
a HLT that should have been in an interrupt shadow).

Sync int_state to the cached vmcb12 in nested_sync_control_from_vmcb02()
to avoid this problem. With that, KVM_SET_NESTED_STATE restores the
correct interrupt shadow state, and if KVM_SET_VCPU_EVENTS follows it
would overwrite it with the same value.
Published: 2026-05-27
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel KVM hypervisor fails to synchronize the interrupt shadow state from vmcb02 to the cached vmcb12 after a VMRUN of a level-2 (nested) guest. Because the bit controlling the interrupt shadow mask in int_state is not copied, an L2 guest may receive a wake-up interrupt that should have been masked, causing the guest to hang or to stall on a HLT until a timeout. This flaw does not allow direct code execution or privilege escalation, but it permits a malicious or mis-configured nested guest to induce a denial-of-service condition on the host or other guests. The primary weakness is a race condition in state synchronization.

Affected Systems

The vulnerability applies to Linux kernel builds that implement KVM with nested SVM support. No specific kernel version range is listed in the data, so any kernel that includes the affected nested‑VM code paths is potentially affected. The issue is tied to the Linux vendor and the generic Linux kernel product; affected systems include any host running these components with nested virtualization enabled.

Risk and Exploitability

The CVSS score is not provided, and the EPSS score is unavailable. The CISA KEV catalog does not list this vulnerability, indicating no known active exploitation. However, the flaw can be triggered by an attacker who controls the ordering of the KVM_SET_VCPU_EVENTS and KVM_SET_NESTED_STATE ioctls on a nested guest; an unintentional mis-ordering by a system administrator can also leave a guest hung. Given the lack of publicly documented exploits, the immediate risk is primarily a service disruption scenario, but the potential for significant downtime makes it a high-priority issue for environments relying on nested virtualization.

Generated by OpenCVE AI on May 27, 2026 at 17:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that includes the commit that synchronizes int_state to vmcb12
  • If an upgrade is not feasible, disable nested virtualization or ensure that L2 guests do not employ nested VMs
  • Verify that any custom code or drivers issuing KVM_SET_VCPU_EVENTS and KVM_SET_NESTED_STATE order those calls correctly, so that no stale interrupt shadow state is restored


Advisories

No advisories yet.

History

Wed, 27 May 2026 17:30:00 +0000

Type          Values Removed    Values Added
Weaknesses                      CWE-362

Wed, 27 May 2026 14:15:00 +0000

Type                 Values Removed    Values Added
Description                            (added: the full description text reproduced at the top of this page)
Title                                  KVM: nSVM: Sync interrupt shadow to cached vmcb12 after VMRUN of L2
First Time appeared                    Linux
                                       Linux linux Kernel
CPEs                                   cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products                     Linux
                                       Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-27T12:55:38.653Z

Reserved: 2026-05-13T15:03:33.090Z

Link: CVE-2026-45987

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-27T14:17:16.113

Modified: 2026-05-27T14:48:03.013

Link: CVE-2026-45987

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T21:15:25Z

Weaknesses