Impact
In the Linux kernel’s KVM subsystem, a 64‑bit addition in the bounds check for dirty‑ring entry processing is unchecked, allowing a crafted offset to wrap around and bypass the guard. The resulting out‑of‑bounds read/write corrupts MMU data structures, which can lead to privilege escalation or kernel instability. The weakness is an integer overflow (CWE‑190).
Affected Systems
All versions of the Linux kernel that expose the /dev/kvm device and implement the dirty ring logic are impacted. The vulnerable code path was fixed in a 2026 kernel update, so any kernel build before that change, across mainstream distributions shipping KVM, remains vulnerable. No specific version numbers are listed in the advisory.
Risk and Exploitability
Based on the description, the likely attack vector is local or containerised access to /dev/kvm, where the attacker must be able to write to the dirty ring entries to manipulate the offset field. The unchecked arithmetic can trigger a wrap‑around that bypasses bounds checks. The CVSS score of 7.0 indicates moderate severity, while the EPSS score of less than 1 % shows a low probability of exploitation in the wild. The vulnerability is not in the CISA KEV catalog, but the potential for privilege escalation warrants urgent attention.
OpenCVE Enrichment
Debian DLA