CVE-2026-23401
Description
In the Linux kernel, the following vulnerability has been resolved:
KVM: x86/mmu: Drop/zap existing present SPTE even when creating an MMIO SPTE
When installing an emulated MMIO SPTE, do so *after* dropping/zapping the existing SPTE (if it's shadow-present). While commit a54aa15c6bda3 was right about it being impossible to convert a shadow-present SPTE to an MMIO SPTE due to a _guest_ write, it failed to account for writes to guest memory that are outside the scope of KVM.
E.g. if host userspace modifies a shadowed gPTE to switch from a memslot to emulated MMIO and then the guest hits a relevant page fault, KVM will install the MMIO SPTE without first zapping the shadow-present SPTE.
------------[ cut here ]------------
is_shadow_present_pte(*sptep)
WARNING: arch/x86/kvm/mmu/mmu.c:484 at mark_mmio_spte+0xb2/0xc0 [kvm], CPU#0: vmx_ept_stale_r/4292
Modules linked in: kvm_intel kvm irqbypass
CPU: 0 UID: 1000 PID: 4292 Comm: vmx_ept_stale_r Not tainted 7.0.0-rc2-eafebd2d2ab0-sink-vm #319 PREEMPT
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
RIP: 0010:mark_mmio_spte+0xb2/0xc0 [kvm]
Call Trace:
 mmu_set_spte+0x237/0x440 [kvm]
 ept_page_fault+0x535/0x7f0 [kvm]
 kvm_mmu_do_page_fault+0xee/0x1f0 [kvm]
 kvm_mmu_page_fault+0x8d/0x620 [kvm]
 vmx_handle_exit+0x18c/0x5a0 [kvm_intel]
 kvm_arch_vcpu_ioctl_run+0xc55/0x1c20 [kvm]
 kvm_vcpu_ioctl+0x2d5/0x980 [kvm]
 __x64_sys_ioctl+0x8a/0xd0
 do_syscall_64+0xb5/0x730
 entry_SYSCALL_64_after_hwframe+0x4b/0x53
RIP: 0033:0x47fa3f
---[ end trace 0000000000000000 ]---
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel, KVM/x86 MMU could install an MMIO SPTE without first dropping an existing shadow-present SPTE, triggering a kernel warning.
Vulnerability
Overview
CVE-2026-23401 is a bug in the Linux kernel's KVM subsystem for x86, specifically in the MMU handling. When installing an emulated MMIO SPTE (Shadow Page Table Entry), the code failed to drop or zap an existing shadow-present SPTE before overwriting it. This violates an invariant that an MMIO SPTE should never be installed over a shadow-present SPTE, leading to a kernel warning in mark_mmio_spte.
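The following C program is an added illustration, not kernel code and not taken from this CVE's patches. It replays the sequence that the description and the Overview above describe: a guest frame is first backed by memory (shadow-present SPTE), host userspace then re-points the guest PTE at emulated MMIO, and the guest faults on it again. The SPTE bit layout, the pfn value and every function body are constructed for this model; only the names mirror the functions visible in the trace (mark_mmio_spte, is_shadow_present_pte, mmu_set_spte), and the "before"/"after" variants model the ordering change the commit message states (drop the existing SPTE before installing the MMIO SPTE), not the actual diff.

```c
/* Added model of the SPTE ordering invariant behind CVE-2026-23401.
 * The encoding below is constructed for illustration and is NOT the
 * kernel's real SPTE layout; only the order of operations is the point. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef uint64_t spte_t;

#define SPTE_PRESENT   (1ULL << 11)   /* constructed "shadow-present" marker */
#define SPTE_MMIO      (1ULL << 10)   /* constructed "emulated MMIO" marker   */

/* Counts invariant violations; the real kernel reports these as WARNING lines. */
static int warn_count;

static bool is_shadow_present_pte(spte_t spte) { return (spte & SPTE_PRESENT) != 0; }
static bool is_mmio_spte(spte_t spte) { return (spte & (SPTE_PRESENT | SPTE_MMIO)) == SPTE_MMIO; }
static spte_t make_present_spte(uint64_t pfn) { return SPTE_PRESENT | (pfn << 12); }

/* Zap the entry. Real KVM also updates rmaps and flushes TLBs; omitted here. */
static void drop_spte(spte_t *sptep) { *sptep = 0; }

/* Model of mark_mmio_spte(): its invariant is that the slot must not
 * still hold a shadow-present SPTE when the MMIO SPTE is written. */
static void mark_mmio_spte(spte_t *sptep)
{
    if (is_shadow_present_pte(*sptep))
        warn_count++;                 /* the WARN_ON seen in the trace */
    *sptep = SPTE_MMIO;
}

/* Pre-fix ordering: the MMIO path returns early, so the "drop the existing
 * SPTE" step below it is never reached for a gfn that became MMIO. */
static void mmu_set_spte_before_fix(spte_t *sptep, bool now_mmio, uint64_t pfn)
{
    if (now_mmio) {
        mark_mmio_spte(sptep);
        return;
    }
    if (is_shadow_present_pte(*sptep))
        drop_spte(sptep);
    *sptep = make_present_spte(pfn);
}

/* Fixed ordering: drop/zap any shadow-present SPTE first, then install
 * whichever kind of SPTE the fault resolved to. */
static void mmu_set_spte_after_fix(spte_t *sptep, bool now_mmio, uint64_t pfn)
{
    if (is_shadow_present_pte(*sptep))
        drop_spte(sptep);
    if (now_mmio) {
        mark_mmio_spte(sptep);
        return;
    }
    *sptep = make_present_spte(pfn);
}

/* Replay the scenario from the description with a given set_spte path:
 * fault 1 maps RAM, host userspace switches the gfn to MMIO, fault 2 hits.
 * Returns the final SPTE; warn_count holds the number of violations. */
static spte_t replay(void (*set_spte)(spte_t *, bool, uint64_t))
{
    spte_t spte = 0;
    warn_count = 0;
    set_spte(&spte, false, 0x1234);   /* constructed pfn, RAM-backed */
    set_spte(&spte, true, 0);         /* gfn now emulated MMIO */
    return spte;
}

int main(void)
{
    spte_t s = replay(mmu_set_spte_before_fix);
    printf("before fix: mmio=%d warnings=%d\n", is_mmio_spte(s), warn_count);
    s = replay(mmu_set_spte_after_fix);
    printf("after fix:  mmio=%d warnings=%d\n", is_mmio_spte(s), warn_count);
    return 0;
}
```

Both paths end with an MMIO SPTE in the slot; the difference is that the pre-fix ordering writes it over a still-present entry, which is exactly the condition mark_mmio_spte warns about, whereas the fixed ordering zaps the stale entry first so no warning is raised.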
Exploitation
Scenario
The issue arises when host userspace (e.g., QEMU) modifies a guest page table entry to switch from a memslot to emulated MMIO, and the guest subsequently triggers a page fault on that page. KVM's page fault handler then attempts to install an MMIO SPTE without first clearing the existing shadow-present SPTE. This can be triggered by a malicious or misconfigured host userspace process, as the bug is in the host kernel's handling of guest memory changes.
Impact
An attacker with access to the host userspace (e.g., a VM process) could cause a kernel warning (WARN_ON) and potentially a crash or denial of service. The CVSS score of 5.5 (Medium) reflects a local attack vector with low complexity and no privileges required, but the impact is limited to availability (no impact on system integrity or confidentiality).
Mitigation
The fix is included in Linux kernel stable updates. Patches are available in commits such as [1], [2], [3], and [4]. Users should update their kernel to a version containing the fix. No workaround is documented; the vulnerability is resolved by ensuring the existing SPTE is dropped before installing an MMIO SPTE.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (range: >=5.13.1,<5.15.203)
- cpe:2.3:o:linux:linux_kernel:5.13:-:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- git.kernel.org/stable/c/20656cd1f243d3a154aac5dd1b823110b6906fe1 (nvd, Patch)
- git.kernel.org/stable/c/459158151a158a6703b49f3c9de0e536d8bd553f (nvd, Patch)
- git.kernel.org/stable/c/695320de6eadb75aaed8be1787c4ce4c189e4c7b (nvd, Patch)
- git.kernel.org/stable/c/aad885e774966e97b675dfe928da164214a71605 (nvd, Patch)
- git.kernel.org/stable/c/bce7fe59d43531623f3e43779127bfb33804925d (nvd, Patch)
- git.kernel.org/stable/c/ed5909992f344a7d3f4024261e9f751d9618a27d (nvd, Patch)
- git.kernel.org/stable/c/fd28c5618699180cd69619801e9ae6a5266c0a22 (nvd, Patch)
News mentions
No linked articles in our index yet.