Description
In the Linux kernel, the following vulnerability has been resolved:

KVM: Don't WARN if memory is dirtied without a vCPU when the VM is dying

When marking a page dirty, complain about not having a running/loaded vCPU
if and only if the VM is still alive, i.e. its refcount is non-zero. This
will allow fixing a memory leak for x86 SEV-ES guests without hitting what
is effectively a false positive on the WARN.

For some SEV-ES VM-Exits, KVM keeps a writable mapping of a guest page
across an exit to userspace, and typically unmaps the page on the next
KVM_RUN. But if userspace never calls KVM_RUN after such an exit, then KVM
needs to unmap the page when the vCPU is destroyed, which in turn triggers
the WARN about not having a running vCPU.

Alternatively, SEV-ES could temporarily load the vCPU to suppress the WARN,
as is done in nested_vmx_free_vcpu() (but for completely unrelated reasons;
suppressing WARN from nested_put_vmcs12_pages() is pure happenstance). But
loading a vCPU during destruction is gross (ideally nVMX code would be
cleaned up), risks complicating the SEV-ES code (KVM would need to ensure
the temporary load()+put() only runs when the vCPU isn't already loaded),
and is ultimately pointless.

The motivation for the WARN is to guard against KVM dirtying guest memory
without pushing the corresponding GFN to the active vCPU's dirty ring, e.g.
to ensure userspace doesn't miss a dirty page. But for the VM's refcount
to reach zero, there can't be _any_ userspace mappings to the dirty ring,
as mapping the dirty ring requires doing mmap() on the vCPU FD. I.e. if
userspace had a valid mapping for the dirty ring, then the vCPU file and
thus the owning VM would still be alive. And so since userspace can't
possibly reach the dirty ring, whether or not KVM technically "misses" a
push to the dirty ring is irrelevant.
Published: 2026-07-01
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw involves a WARN in the Linux kernel's KVM implementation that fires when a guest page is marked dirty with no running vCPU, even when the VM is being destroyed. The warning was intended to guard against KVM dirtying guest memory without pushing the corresponding GFN to the active vCPU's dirty ring, so that userspace does not miss a dirty page. For x86 SEV‑ES guests, however, KVM keeps a writable mapping of a guest page across certain VM exits to userspace; if userspace never calls KVM_RUN again, that page can only be unmapped when the vCPU is destroyed, and doing so trips the WARN. In that situation the WARN is effectively a false positive, and it stood in the way of fixing the memory leak that results when the page mapping is not cleaned up, leaving unused memory allocated. Although the vulnerability cannot be directly exploited for remote code execution or other classic attacks, the memory leak can degrade host availability by exhausting system memory over time.
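As an added illustration (a constructed model written for this page, not kernel code), the block below places the old unconditional WARN beside the refcount-gated check from the commit message and drives both through the SEV‑ES teardown scenario in which a vCPU is destroyed while still holding a page mapping. The struct fields (users_count, warnings, mapped_page) and the helper names are simplified stand-ins for the kernel's own.

```c
#include <stddef.h>

/* Constructed model of the KVM check discussed above; not kernel code.
 * The VM counts as alive while its refcount (users_count) is non-zero. */
struct kvm { int users_count; int warnings; };
struct kvm_vcpu { struct kvm *kvm; void *mapped_page; };

/* Old behaviour: WARN whenever a page is dirtied with no loaded vCPU. */
static void mark_page_dirty_old(struct kvm *kvm, struct kvm_vcpu *running)
{
    if (!running)
        kvm->warnings++;            /* stands in for WARN_ON_ONCE() */
}

/* Fixed behaviour: WARN only while the VM is still alive. Once the refcount
 * is zero no userspace mmap() of the dirty ring can exist, so a "missed"
 * dirty-ring push is unobservable and the warning would be a false positive. */
static void mark_page_dirty_new(struct kvm *kvm, struct kvm_vcpu *running)
{
    if (!running && kvm->users_count)
        kvm->warnings++;
}

typedef void (*dirty_fn)(struct kvm *, struct kvm_vcpu *);

/* Simulated vCPU teardown: the page kept writable across an SEV-ES exit must
 * be dirtied and unmapped here if userspace never called KVM_RUN again.
 * No vCPU is loaded at this point. Returns 1 if a mapping was released. */
static int destroy_vcpu(struct kvm_vcpu *vcpu, dirty_fn mark_dirty)
{
    if (!vcpu->mapped_page)
        return 0;
    mark_dirty(vcpu->kvm, NULL);
    vcpu->mapped_page = NULL;       /* unmap: nothing left to leak */
    return 1;
}

/* Run the teardown scenario against a VM with the given refcount and report
 * how many warnings the chosen check produced. */
static int teardown_warnings(dirty_fn mark_dirty, int users_count)
{
    static char guest_page[4096];   /* constructed stand-in for a guest page */
    struct kvm kvm = { .users_count = users_count, .warnings = 0 };
    struct kvm_vcpu vcpu = { .kvm = &kvm, .mapped_page = guest_page };

    destroy_vcpu(&vcpu, mark_dirty);
    return kvm.warnings;
}
```

With a dying VM (refcount 0) the old check warns and the new one stays silent, while a live VM with no loaded vCPU still warns under both, so the guard userspace relies on is unchanged.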

Affected Systems

This issue affects the Linux kernel’s KVM subsystem on all Linux platforms that support SEV‑ES guests. It applies to the KVM module in the kernel (cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*), regardless of the specific kernel version, as long as SEV‑ES functionality is enabled. End‑users running virtual machines that rely on SEV‑ES should be aware that the kernel’s page mapping cleanup logic may leave orphaned pages until the kernel is updated.

Risk and Exploitability

The CVSS score is not publicly available, and the EPSS score is undefined; the vulnerability is not listed in the CISA KEV catalog. Because the flaw manifests only when a VM is torn down without a running vCPU, triggering it requires control over the guest lifecycle on the host, which is typically limited to privileged system access. In practice, the risk is low to moderate, primarily as a resource depletion concern rather than a code‑execution vector. The fix restricts the WARN to VMs whose refcount is still non‑zero, which removes the false positive and allows the SEV‑ES memory leak to be fixed by unmapping the page when the vCPU is destroyed.

Generated by OpenCVE AI on July 1, 2026 at 14:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a kernel version where KVM has been patched to stop WARNing for page dirtying during VM exit and to correctly unmap guest pages on vCPU destruction
  • Verify that SEV‑ES guests are running on the updated kernel; if unable to upgrade, periodically audit memory usage of the host to detect orphaned pages
  • Configure KVM or host tooling to ensure all VMs are properly terminated and userspace mappings are released before host shutdown or reboot

Advisories

No advisories yet.

History

Wed, 01 Jul 2026 15:15:00 +0000

  • Weaknesses: CWE-1330, CWE-789

Wed, 01 Jul 2026 13:45:00 +0000

  • Description: the full description text, identical to the one at the top of this page
  • Title: KVM: Don't WARN if memory is dirtied without a vCPU when the VM is dying
  • First time appeared: Linux, Linux linux Kernel
  • CPEs: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
  • Vendors & Products: Linux, Linux linux Kernel
  • References: (none shown)
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-07-01T13:32:25.098Z

Reserved: 2026-06-09T07:44:35.399Z

Link: CVE-2026-53345

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T18:45:05Z

Weaknesses
  • CWE-1330: Remanent Data Readable after Memory Erase
  • CWE-789: Memory Allocation with Excessive Size Value