Description
In the Linux kernel, the following vulnerability has been resolved:

KVM: nSVM: Raise #UD if unhandled VMMCALL isn't intercepted by L1

Explicitly synthesize a #UD for VMMCALL if L2 is active, L1 does NOT want
to intercept VMMCALL, nested_svm_l2_tlb_flush_enabled() is true, and the
hypercall is something other than one of the supported Hyper-V hypercalls.
When all of the above conditions are met, KVM will intercept VMMCALL but
never forward it to L1, i.e. will let L2 make hypercalls as if it were L1.

The TLFS says a whole lot of nothing about this scenario, so go with the
architectural behavior, which says that VMMCALL #UDs if it's not
intercepted.

Opportunistically do a 2-for-1 stub trade by stub-ifying the new API
instead of the helpers it uses. The last remaining "single" stub will
soon be dropped as well.

[sean: rewrite changelog and comment, tag for stable, remove defunct stubs]
Published: 2026-05-27
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A bug in the Linux kernel’s KVM nested‑SVM (nSVM) path causes an invalid‑opcode exception, or #UD, whenever a Level 2 guest issues a VMMCALL that the host’s hypervisor is not configured to intercept, and the call is not one of the supported Hyper‑V hypercalls. Instead of forwarding the request to the host, KVM raises the #UD, which aborts the guest execution. The resulting crash or stalling of the Level 2 virtual machine is a denial of service that can be triggered by any malicious or misbehaving guest when nested virtualization is enabled.

Affected Systems

The issue affects Linux hosts that run the kernel with KVM and have the nested‑SVM capability enabled. Any kernel that has not yet incorporated the commit that introduces the patch is vulnerable; administrators should consult the linked kernel commit logs to verify whether their running kernel contains the fix. No specific version range is listed in the advisory, so any configuration with nested SVM enabled prior to the patch is impacted.

Risk and Exploitability

The CVSS score is not disclosed and EPSS data is unavailable. The known KEV status indicates the vulnerability is not listed in the CISA KEV catalog. It is inferred that the most probable attack vector is a host hypervisor granting a malicious Level 2 guest the ability to issue arbitrary VMMCALLs; this requires access to a nested virtualization environment. Because the bug leads only to a guest crash rather than privilege escalation or data exfiltration, the risk level is moderate for environments that rely heavily on nested VMs, while the likelihood of exploitation is limited to scenarios where an attacker can control or influence the guest.

Generated by OpenCVE AI on May 27, 2026 at 20:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Linux kernel update that contains the KVM nSVM fix
  • If an immediate kernel upgrade is not feasible, disable the nested‑SVM feature or block VMMCALL handling in the host configuration
  • Monitor system logs for unexpected #UD exceptions in virtual machine execution and enforce stricter isolation or guest hypercall restrictions



Advisories

No advisories yet.

History

Wed, 27 May 2026 14:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | In the Linux kernel, the following vulnerability has been resolved: KVM: nSVM: Raise #UD if unhandled VMMCALL isn't intercepted by L1 Explicitly synthesize a #UD for VMMCALL if L2 is active, L1 does NOT want to intercept VMMCALL, nested_svm_l2_tlb_flush_enabled() is true, and the hypercall is something other than one of the supported Hyper-V hypercalls. When all of the above conditions are met, KVM will intercept VMMCALL but never forward it to L1, i.e. will let L2 make hypercalls as if it were L1. The TLFS says a whole lot of nothing about this scenario, so go with the architectural behavior, which says that VMMCALL #UDs if it's not intercepted. Opportunistically do a 2-for-1 stub trade by stub-ifying the new API instead of the helpers it uses. The last remaining "single" stub will soon be dropped as well. [sean: rewrite changelog and comment, tag for stable, remove defunct stubs] |
| Title | | KVM: nSVM: Raise #UD if unhandled VMMCALL isn't intercepted by L1 |
| First Time appeared | | Linux, Linux linux Kernel |
| CPEs | | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Vendors & Products | | Linux, Linux linux Kernel |
| References | | |

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-27T12:58:09.169Z

Reserved: 2026-05-13T15:03:33.096Z

Link: CVE-2026-46076

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-05-27T14:17:28.930

Modified: 2026-05-27T14:48:03.013

Link: CVE-2026-46076

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T20:15:16Z

Weaknesses

No weakness.