Description
In the Linux kernel, the following vulnerability has been resolved:

KVM: nSVM: Avoid clearing VMCB_LBR in vmcb12

svm_copy_lbrs() always marks VMCB_LBR dirty in the destination VMCB.
However, nested_svm_vmexit() uses it to copy LBRs to vmcb12, and
clearing clean bits in vmcb12 is not architecturally defined.

Move vmcb_mark_dirty() to callers and drop it for vmcb12.

This also facilitates incoming refactoring that does not pass the entire
VMCB to svm_copy_lbrs().
Published: 2026-05-27
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is found in the Linux kernel’s KVM nested SVM implementation. A function that copies Last Branch Record (LBR) data to a nested virtual machine’s VMCB structure incorrectly clears state that is not architecturally defined. This mishandling can cause LBR information to leak across virtual machine boundaries, potentially exposing execution traces of one guest to another. The weakness reflects improper isolation of architectural state and results in an information exposure scenario.

Affected Systems

Linux kernel builds that enable KVM with nested SVM (nSVM) support are affected if the patch removing the invalid VMCB_LBR clearing logic has not been applied. No specific version range is provided, so all current builds that contain the referenced code are presumed vulnerable until the fix is applied.

Risk and Exploitability

The CVSS score of 5.5 indicates moderate severity. No public exploits are documented and the vulnerability is not listed in the CISA KEV catalog. The EPSS score is not available, suggesting low probability of exploitation on the internet. However, an attacker with local host or hypervisor privileges—such as a resident VM—could trigger the faulty copy during a nested SVM exit and gain access to the LBR data of other guests. Therefore the risk level is considered significant for environments that enforce strict isolation between virtual machines.

Generated by OpenCVE AI on May 28, 2026 at 02:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a kernel update that includes the patch removing the incorrect VMCB_LBR clearing logic
  • If an update is unavailable, disable nested virtualization for KVM guests to prevent LBR leakage
  • Consider applying a backport of the fix to older kernels that cannot be upgraded immediately

Advisories

No advisories yet.

History

Thu, 28 May 2026 00:15:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-440
References | |
Metrics | threat_severity: None | cvssV3_1: {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}; threat_severity: Low


Wed, 27 May 2026 22:15:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-200

Wed, 27 May 2026 14:15:00 +0000

Type | Values Removed | Values Added
Description | | In the Linux kernel, the following vulnerability has been resolved: KVM: nSVM: Avoid clearing VMCB_LBR in vmcb12 svm_copy_lbrs() always marks VMCB_LBR dirty in the destination VMCB. However, nested_svm_vmexit() uses it to copy LBRs to vmcb12, and clearing clean bits in vmcb12 is not architecturally defined. Move vmcb_mark_dirty() to callers and drop it for vmcb12. This also facilitates incoming refactoring that does not pass the entire VMCB to svm_copy_lbrs().
Title | | KVM: nSVM: Avoid clearing VMCB_LBR in vmcb12
First Time appeared | | Linux; Linux linux Kernel
CPEs | | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products | | Linux; Linux linux Kernel
References | |

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-14T17:52:10.514Z

Reserved: 2026-05-13T15:03:33.095Z

Link: CVE-2026-46071

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-05-27T14:17:28.397

Modified: 2026-06-17T10:53:01.230

Link: CVE-2026-46071

Red Hat

Severity: Low

Public Date: 2026-05-27T00:00:00Z

Links: CVE-2026-46071 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-28T04:00:07Z

Weaknesses
  • CWE-200

    Exposure of Sensitive Information to an Unauthorized Actor

  • CWE-440

    Expected Behavior Violation