Description
In the Linux kernel, the following vulnerability has been resolved:

KVM: nSVM: Always use NextRIP as vmcb02's NextRIP after first L2 VMRUN

For guests with NRIPS disabled, L1 does not provide NextRIP when running
an L2 with an injected soft interrupt; instead, it advances the current RIP
before running it. KVM uses the current RIP as the NextRIP in vmcb02 to
emulate a CPU without NRIPS.

However, after L2 runs the first time, NextRIP will be updated by the CPU
and/or KVM, and the current RIP is no longer the correct value to use in
vmcb02. Hence, after save/restore, use the current RIP if and only if a
nested run is pending, otherwise use NextRIP. Give soft_int_next_rip the
same treatment, as it's the same logic, just for a narrower use case.

[sean: give soft_int_next_rip the same treatment]
Published: 2026-05-27
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A logic flaw in the Linux kernel’s KVM module causes the virtual machine control block (vmcb02) to receive an incorrect value for the NextRIP register when a nested hypervisor (L1) runs an L2 guest with a soft interrupt and the NRIPS feature disabled. Instead of capturing the true NextRIP value after the first L2 VMRUN, the kernel uses the current RIP, which is no longer valid after subsequent executions. This can result in the guest executing arbitrary instructions from an incorrect address, potentially allowing a malicious L2 guest to influence the host or compromise data integrity.

Affected Systems

Linux kernel, any host running KVM with nested virtualization (L1) and guests (L2) that use soft interrupts while NRIPS is disabled. All current releases prior to the patch that introduced the conditional use of CurrentRIP versus NextRIP are affected.

Risk and Exploitability

The CVSS score is not provided, but the flaw represents a substantial integrity risk in nested virtualization contexts. The EPSS score is not available, and the vulnerability is not listed in CISA's KEV catalog. Attackers would need to be able to run or influence a nested guest with soft interrupts; from the description it is inferred that the attack path requires nested virtualization to be in use and NRIPS to be disabled. Because the vulnerability is tied to a specific CPU state transition, exploitation may be complex and not trivially automated, but with sufficient control over the guest it could be leveraged to escape the guest or corrupt host state.

Generated by OpenCVE AI on May 27, 2026 at 20:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that includes the KVM patch for nested VM run handling
  • Adjust nested virtualization configuration so that NRIPS is enabled or soft interrupts are disabled to avoid the edge case exercised by the bug
  • If an immediate kernel update is not possible, reconfigure host policies to prevent L2 guests from raising soft interrupts while NRIPS is disabled and monitor virtualized workloads for anomalous CPU state changes

Generated by OpenCVE AI on May 27, 2026 at 20:14 UTC.

Advisories

No advisories yet.

History

Wed, 27 May 2026 14:15:00 +0000

Type                | Values Removed | Values Added
Description         |                | In the Linux kernel, the following vulnerability has been resolved: KVM: nSVM: Always use NextRIP as vmcb02's NextRIP after first L2 VMRUN For guests with NRIPS disabled, L1 does not provide NextRIP when running an L2 with an injected soft interrupt, instead it advances the current RIP before running it. KVM uses the current RIP as the NextRIP in vmcb02 to emulate a CPU without NRIPS. However, after L2 runs the first time, NextRIP will be updated by the CPU and/or KVM, and the current RIP is no longer the correct value to use in vmcb02. Hence, after save/restore, use the current RIP if and only if a nested run is pending, otherwise use NextRIP. Give soft_int_next_rip the same treatment, as it's the same logic, just for a narrower use case. [sean: give soft_int_next_rip the same treatment]
Title               |                | KVM: nSVM: Always use NextRIP as vmcb02's NextRIP after first L2 VMRUN
First Time appeared |                | Linux; Linux linux Kernel
CPEs                |                | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products  |                | Linux; Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-27T12:57:19.928Z

Reserved: 2026-05-13T15:03:33.095Z

Link: CVE-2026-46059

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-27T14:17:25.650

Modified: 2026-05-27T14:48:03.013

Link: CVE-2026-46059

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T20:15:16Z

Weaknesses

No weakness.