Description
In the Linux kernel, the following vulnerability has been resolved:

KVM: SVM: Add missing save/restore handling of LBR MSRs

MSR_IA32_DEBUGCTLMSR and LBR MSRs are currently not enumerated by
KVM_GET_MSR_INDEX_LIST, and LBR MSRs cannot be set with KVM_SET_MSRS. So
save/restore is completely broken.

Fix it by adding the MSRs to msrs_to_save_base, and allowing writes to
LBR MSRs from userspace only (as they are read-only MSRs) if LBR
virtualization is enabled. Additionally, to correctly restore L1's LBRs
while L2 is running, make sure the LBRs are copied from the captured
VMCB01 save area in svm_copy_vmrun_state().

Note, for VMX, this also fixes a flaw where MSR_IA32_DEBUGCTLMSR isn't
reported as an MSR to save/restore.

Note #2, over-reporting MSR_IA32_LASTxxx on Intel is ok, as KVM already
handles unsupported reads and writes thanks to commit b5e2fec0ebc3 ("KVM:
Ignore DEBUGCTL MSRs with no effect") (kvm_do_msr_access() will morph the
unsupported userspace write into a nop).

[sean: guard with lbrv checks, massage changelog]
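A host-side check, added here and not part of the kernel commit or the OpenCVE record: it asks KVM for its MSR index list and reports whether MSR_IA32_DEBUGCTLMSR and the four MSR_IA32_LASTxxx LBR MSRs (numeric values as defined in arch/x86/include/asm/msr-index.h) are enumerated, which is what the fix described above adds. It assumes a Linux host where /dev/kvm is readable by the caller.

```c
/* Added check (not from the kernel commit or OpenCVE): does this KVM host
 * enumerate DEBUGCTL and the LBR MSRs in KVM_GET_MSR_INDEX_LIST? */
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/ioctl.h>
#include <unistd.h>
#include <linux/kvm.h>
/* MSR indices as defined in arch/x86/include/asm/msr-index.h */
#define MSR_IA32_DEBUGCTLMSR      0x1d9
#define MSR_IA32_LASTBRANCHFROMIP 0x1db
#define MSR_IA32_LASTBRANCHTOIP   0x1dc
#define MSR_IA32_LASTINTFROMIP    0x1dd
#define MSR_IA32_LASTINTTOIP      0x1de
static const uint32_t lbr_msrs[] = {
    MSR_IA32_DEBUGCTLMSR, MSR_IA32_LASTBRANCHFROMIP, MSR_IA32_LASTBRANCHTOIP,
    MSR_IA32_LASTINTFROMIP, MSR_IA32_LASTINTTOIP,
};
/* Bitmask of lbr_msrs[] entries absent from indices[]: 0 = all five present, 0x1f = none. */
unsigned int missing_lbr_msrs(const uint32_t *indices, uint32_t nmsrs)
{
    unsigned int missing = 0;
    for (unsigned int i = 0; i < sizeof(lbr_msrs) / sizeof(lbr_msrs[0]); i++) {
        int found = 0;
        for (uint32_t j = 0; j < nmsrs && !found; j++)
            found = (indices[j] == lbr_msrs[i]);
        if (!found)
            missing |= 1u << i;
    }
    return missing;
}
int main(void)
{
    int kvm = open("/dev/kvm", O_RDONLY);
    if (kvm < 0) { perror("open /dev/kvm"); return 1; }
    /* With nmsrs == 0 the ioctl fails with E2BIG and fills in the required count. */
    struct kvm_msr_list probe = { .nmsrs = 0 };
    ioctl(kvm, KVM_GET_MSR_INDEX_LIST, &probe);
    struct kvm_msr_list *list = calloc(1, sizeof(*list) + probe.nmsrs * sizeof(uint32_t));
    if (!list) return 1;
    list->nmsrs = probe.nmsrs;
    if (ioctl(kvm, KVM_GET_MSR_INDEX_LIST, list) < 0) { perror("KVM_GET_MSR_INDEX_LIST"); return 1; }
    unsigned int missing = missing_lbr_msrs(list->indices, list->nmsrs);
    printf("missing mask 0x%x: %s\n", missing,
           missing ? "LBR MSR save/restore handling absent" : "all LBR MSRs enumerated");
    free(list); close(kvm);
    return missing ? 2 : 0;
}
```

Because the fix guards the new handling with LBR-virtualization checks, a missing entry on a host where lbrv is disabled is not by itself proof that the patch is absent; read the result together with the kernel version.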
Published: 2026-05-27
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw in the Linux kernel’s KVM SVM implementation means that the MSR_IA32_DEBUGCTLMSR and LBR MSRs were not enumerated for saving and restoring. As a result, when a virtual machine enables LBR virtualization, the host does not preserve the guest’s branch history correctly, and the state cannot be restored after a migration or a context switch. This broken save/restore path may allow information about the host or other guests’ branch direction, location, and timing to be unintentionally exposed or to corrupt the LBR state of another VM, potentially leading to data leakage or a denial‑of‑service condition. The recent patch re‑adds these MSRs to the save list and updates access controls so that writes to LBR MSRs are permitted only when the feature is enabled, thereby restoring correct isolation.

Affected Systems

All Linux kernel versions running KVM with AMD SVM support that have not yet applied the commit that adds the missing LBR MSRs to the save list. This includes any system using the KVM module where LBR virtualization is enabled for a guest. The vendor designation is Linux kernel; specific sub‑versions are not enumerated in the advisory, so any kernel build predating the referenced patches is potentially affected.

Risk and Exploitability

The CVSS score is not supplied, and the EPSS score is unavailable. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is from within a guest virtual machine that can invoke KVM_GET_MSR_INDEX_LIST or KVM_SET_MSRS; the attacker would need to enable LBR virtualization to exercise the path. Because the flaw relates to state handling rather than a direct code execution vector, the exploitation complexity is moderate, and the potential impact is limited to data leakage or instability across virtual machines. No public exploit is known at this time.

Generated by OpenCVE AI on May 27, 2026 at 18:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Linux kernel patch that includes the KVM LBR MSR handling fix
  • Temporarily disable LBR virtualization for all virtual machines (remove the 'lbrv' flag) until the kernel patch is deployed
  • Restart the KVM service or reboot the host to ensure the updated MSR handling is active

Generated by OpenCVE AI on May 27, 2026 at 18:34 UTC.

Advisories

No advisories yet.

History

Wed, 27 May 2026 19:00:00 +0000

  Type                 Values Removed   Values Added
  Weaknesses                            CWE-200

Wed, 27 May 2026 14:15:00 +0000

  Type                 Values Removed   Values Added
  Description                           (the full Description text shown above)
  Title                                 KVM: SVM: Add missing save/restore handling of LBR MSRs
  First Time appeared                   Linux
                                        Linux linux Kernel
  CPEs                                  cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
  Vendors & Products                    Linux
                                        Linux linux Kernel
  References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-27T12:56:16.052Z

Reserved: 2026-05-13T15:03:33.092Z

Link: CVE-2026-46014

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-27T14:17:19.667

Modified: 2026-05-27T14:48:03.013

Link: CVE-2026-46014

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T18:45:39Z

Weaknesses