Description
In the Linux kernel, the following vulnerability has been resolved:

KVM: nSVM: Triple fault if restore host CR3 fails on nested #VMEXIT

If loading L1's CR3 fails on a nested #VMEXIT, nested_svm_vmexit()
returns an error code that is ignored by most callers, and continues to
run L1 with corrupted state. A sane recovery is not possible in this
case, and HW behavior is to cause a shutdown. Inject a triple fault
instead, and do not return early from nested_svm_vmexit(). Continue
cleaning up the vCPU state (e.g. clear pending exceptions), to handle
the failure as gracefully as possible.

From the APM:

Upon #VMEXIT, the processor performs the following actions in order to
return to the host execution context:

...

    if (illegal host state loaded, or exception while loading host state)
        shutdown
    else
        execute first host instruction following the VMRUN

Remove the return value of nested_svm_vmexit(), which is mostly
unchecked anyway.
Published: 2026-05-27
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The bug occurs in the Linux kernel KVM module when executing nested virtual machines using SVM (nSVM). When a nested VM triggers a VMEXIT, the host must restore its CR3 register. If that restore fails, the function nested_svm_vmexit() returns an error code that is ignored by most callers, allowing the corrupted CR3 state to persist. This flaw is a classic case of CWE-390: detection of error condition without action. The corrupted state can lead to a triple fault, causing the host processor to shut down, resulting in a denial of availability for the host system rather than a direct compromise of confidentiality or integrity.
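
A simplified user-space C model of the control-flow change the description calls for, added here as an illustration and not taken from the kernel patch: the "before" shape returns early with an error the caller drops, the "after" shape records a triple-fault request and still clears pending state. The struct, the function names and the CR3 values are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>

/* User-space model only; every name here is hypothetical, not kernel code. */
struct vcpu_model {
    unsigned long cr3;
    bool exception_pending;  /* state the #VMEXIT path is expected to clear */
    bool triple_fault_req;   /* set when L1 must be shut down */
};

/* Stand-in for loading L1's CR3; 'legal' is a constructed failure switch. */
static int load_l1_cr3(struct vcpu_model *v, unsigned long cr3, bool legal) {
    if (!legal)
        return -1;
    v->cr3 = cr3;
    return 0;
}

/* "Before" shape: the early return skips cleanup and relies on the caller. */
static int vmexit_before(struct vcpu_model *v, unsigned long l1_cr3, bool legal) {
    if (load_l1_cr3(v, l1_cr3, legal))
        return -1;
    v->exception_pending = false;
    return 0;
}

/* "After" shape: no return value; a failed load becomes a triple-fault request. */
static void vmexit_after(struct vcpu_model *v, unsigned long l1_cr3, bool legal) {
    if (load_l1_cr3(v, l1_cr3, legal))
        v->triple_fault_req = true;
    v->exception_pending = false;   /* cleanup runs on both paths */
}

/* Run one exit from a constructed L2 state, dropping the result as callers did. */
static struct vcpu_model run_exit(bool fixed, bool legal) {
    struct vcpu_model v = { .cr3 = 0x2000, .exception_pending = true };
    if (fixed)
        vmexit_after(&v, 0x1000, legal);
    else
        (void)vmexit_before(&v, 0x1000, legal);
    return v;
}

int main(void) {
    struct vcpu_model b = run_exit(false, false), a = run_exit(true, false);
    printf("before: cr3=%#lx pending=%d triple=%d\n", b.cr3, b.exception_pending, b.triple_fault_req);
    printf("after:  cr3=%#lx pending=%d triple=%d\n", a.cr3, a.exception_pending, a.triple_fault_req);
    return 0;
}
```

In the "before" run the model keeps L2's CR3 and the pending exception with nothing recorded for the caller to act on; in the "after" run the failure is visible as a triple-fault request and the pending state is cleared.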

Affected Systems

All Linux kernel systems running the KVM module with nested SVM enabled are affected. No specific kernel version range is provided in the data, so any kernel that includes the unpatched KVM:nSVM code is potentially vulnerable.

Risk and Exploitability

Based on the description, the likely attack vector is a nested guest that can induce a failing CR3 load during a VMEXIT. The consequence is a hard shutdown of the host, which gives the flaw a high availability impact. The EPSS score is not available and the flaw is not listed in the CISA KEV catalog, suggesting that it has not yet been widely exploited. Nonetheless, the severity of the outcome mandates timely remediation.

Generated by OpenCVE AI on May 27, 2026 at 20:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a Linux kernel update that includes the KVM:nSVM patch removing the ignored return value from nested_svm_vmexit() and enforcing shutdown, as referenced in the supplied git commits.
  • If an immediate kernel update is not feasible, disable nested SVM on the host by setting the nested parameter to 0 in /sys/module/kvm-nested/parameters/nested or by disabling the module entirely before starting nested guests.
  • Schedule a host reboot after the kernel update to complete the reinitialization and eliminate any residual corrupted CR3 state.



Advisories

No advisories yet.

History

Wed, 27 May 2026 20:45:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-390

Wed, 27 May 2026 14:15:00 +0000

Type | Values Removed | Values Added
Title | | KVM: nSVM: Triple fault if restore host CR3 fails on nested #VMEXIT
First Time appeared | | Linux; Linux linux Kernel
CPEs | | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products | | Linux; Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-27T12:56:41.159Z

Reserved: 2026-05-13T15:03:33.093Z

Link: CVE-2026-46032

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-05-27T14:17:22.190

Modified: 2026-05-27T14:48:03.013

Link: CVE-2026-46032

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T20:30:40Z

Weaknesses