Description
In the Linux kernel, the following vulnerability has been resolved:

KVM: nSVM: Triple fault if restore host CR3 fails on nested #VMEXIT

If loading L1's CR3 fails on a nested #VMEXIT, nested_svm_vmexit()
returns an error code that is ignored by most callers, and continues to
run L1 with corrupted state. A sane recovery is not possible in this
case, and HW behavior is to cause a shutdown. Inject a triple fault
instead, and do not return early from nested_svm_vmexit(). Continue
cleaning up the vCPU state (e.g. clear pending exceptions), to handle
the failure as gracefully as possible.

From the APM:

Upon #VMEXIT, the processor performs the following actions in order to
return to the host execution context:

...

if (illegal host state loaded, or exception while loading host state)
    shutdown
else
    execute first host instruction following the VMRUN

Remove the return value of nested_svm_vmexit(), which is mostly
unchecked anyway.
Published: 2026-05-27
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The bug occurs in the Linux kernel KVM module when executing nested virtual machines using SVM (nSVM). When a nested VM triggers a VMEXIT, the host must restore its CR3 register. If that restore fails, the function nested_svm_vmexit() returns an error code that is ignored by most callers, allowing the corrupted CR3 state to persist. This flaw is a classic case of CWE‑248: unchecked return value. The corrupted state can lead to a triple fault, causing the host processor to shut down, resulting in a denial of availability for the host system rather than a direct compromise of confidentiality or integrity.
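
The control-flow change outlined in the description, reduced to a user-space C model as an added example (it is not the kernel patch and not KVM code). Every `toy_` name and the 40-bit CR3 validity rule are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Toy vCPU state; every name here is hypothetical, not a KVM structure. */
struct toy_vcpu {
    uint64_t cr3;
    bool in_guest_mode;        /* true while L2 is running */
    bool exception_pending;    /* stale L2 event that must not reach L1 */
    bool triple_fault_req;     /* request to shut the L1 guest down */
};

/* Constructed validity rule: reject CR3 values above a 40-bit address space. */
static int toy_load_cr3(struct toy_vcpu *v, uint64_t cr3)
{
    if (cr3 >> 40)
        return -1;
    v->cr3 = cr3;
    return 0;
}

/* Old shape: bail out on failure and rely on callers to check the result. */
int toy_vmexit_before(struct toy_vcpu *v, uint64_t l1_cr3)
{
    v->in_guest_mode = false;
    int rc = toy_load_cr3(v, l1_cr3);
    if (rc)
        return rc;             /* early return skips the cleanup below */
    v->exception_pending = false;
    return 0;
}

/* New shape: nothing to ignore; failure becomes a triple fault request. */
void toy_vmexit_after(struct toy_vcpu *v, uint64_t l1_cr3)
{
    v->in_guest_mode = false;
    if (toy_load_cr3(v, l1_cr3))
        v->triple_fault_req = true;
    v->exception_pending = false;  /* cleanup always runs */
}

int main(void)
{
    struct toy_vcpu a = { 0x1000, true, true, false }, b = a;
    (void)toy_vmexit_before(&a, 1ULL << 45);   /* caller ignores the error */
    toy_vmexit_after(&b, 1ULL << 45);
    printf("before: pending=%d triple_fault=%d\n", a.exception_pending, a.triple_fault_req);
    printf("after:  pending=%d triple_fault=%d\n", b.exception_pending, b.triple_fault_req);
    return 0;
}
```

In the old shape the model keeps running with a stale pending exception and no shutdown request; in the new shape the failure is recorded and the remaining cleanup still happens.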

Affected Systems

All Linux kernel systems running the KVM module with nested SVM enabled are affected. No specific kernel version range is provided in the data, so any kernel that includes the unpatched KVM:nSVM code is potentially vulnerable.

Risk and Exploitability

Based on the description, the likely attack vector is a nested guest that can induce a failing CR3 load during a VMEXIT. The consequence is a hard shutdown of the host, giving high availability impact. The EPSS score is not available and the flaw is not listed in the CISA KEV catalog, suggesting that it has not yet been widely exploited. The CVSS score of 7.0 indicates a high severity level, underscoring the importance of timely remediation.

Generated by OpenCVE AI on May 28, 2026 at 04:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a Linux kernel update that includes the KVM:nSVM patch removing the ignored return value from nested_svm_vmexit() and enforcing shutdown, as referenced in the supplied git commits.
  • If an immediate kernel update is not feasible, disable nested SVM on the host by setting the nested parameter to 0 in /sys/module/kvm-nested/parameters/nested or by disabling the module entirely before starting nested guests.
  • Schedule a host reboot after the kernel update to complete the reinitialization and eliminate any residual corrupted CR3 state.


Advisories

No advisories yet.

History

Tue, 16 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}


Thu, 28 May 2026 03:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-390

Thu, 28 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-248
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate


Wed, 27 May 2026 20:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-390

Wed, 27 May 2026 14:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: KVM: nSVM: Triple fault if restore host CR3 fails on nested #VMEXIT If loading L1's CR3 fails on a nested #VMEXIT, nested_svm_vmexit() returns an error code that is ignored by most callers, and continues to run L1 with corrupted state. A sane recovery is not possible in this case, and HW behavior is to cause a shutdown. Inject a triple fault instead, and do not return early from nested_svm_vmexit(). Continue cleaning up the vCPU state (e.g. clear pending exceptions), to handle the failure as gracefully as possible. From the APM: Upon #VMEXIT, the processor performs the following actions in order to return to the host execution context: ... if (illegal host state loaded, or exception while loading host state) shutdown else execute first host instruction following the VMRUN Remove the return value of nested_svm_vmexit(), which is mostly unchecked anyway.
Title KVM: nSVM: Triple fault if restore host CR3 fails on nested #VMEXIT
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-14T17:49:20.299Z

Reserved: 2026-05-13T15:03:33.093Z

Link: CVE-2026-46032

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-05-27T14:17:22.190

Modified: 2026-06-16T17:24:12.697

Link: CVE-2026-46032

Redhat

Severity: Moderate

Public Date: 2026-05-27T00:00:00Z

Links: CVE-2026-46032 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-28T07:30:11Z

Weaknesses