VYPR
Medium severity (5.5) · NVD Advisory · Published Apr 1, 2026 · Updated Apr 24, 2026

CVE-2026-23402

Description

In the Linux kernel, the following vulnerability has been resolved:

KVM: x86/mmu: Only WARN in direct MMUs when overwriting shadow-present SPTE

Adjust KVM's sanity check against overwriting a shadow-present SPTE with another SPTE with a different target PFN to only apply to direct MMUs, i.e. only to MMUs without shadowed gPTEs. While it's impossible for KVM to overwrite a shadow-present SPTE in response to a guest write, writes from outside the scope of KVM, e.g. from host userspace, aren't detected by KVM's write tracking and so can break KVM's shadow paging rules.

------------[ cut here ]------------
pfn != spte_to_pfn(*sptep)
WARNING: arch/x86/kvm/mmu/mmu.c:3069 at mmu_set_spte+0x1e4/0x440 [kvm], CPU#0: vmx_ept_stale_r/872
Modules linked in: kvm_intel kvm irqbypass
CPU: 0 UID: 1000 PID: 872 Comm: vmx_ept_stale_r Not tainted 7.0.0-rc2-eafebd2d2ab0-sink-vm #319 PREEMPT
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
RIP: 0010:mmu_set_spte+0x1e4/0x440 [kvm]
Call Trace:
 ept_page_fault+0x535/0x7f0 [kvm]
 kvm_mmu_do_page_fault+0xee/0x1f0 [kvm]
 kvm_mmu_page_fault+0x8d/0x620 [kvm]
 vmx_handle_exit+0x18c/0x5a0 [kvm_intel]
 kvm_arch_vcpu_ioctl_run+0xc55/0x1c20 [kvm]
 kvm_vcpu_ioctl+0x2d5/0x980 [kvm]
 __x64_sys_ioctl+0x8a/0xd0
 do_syscall_64+0xb5/0x730
 entry_SYSCALL_64_after_hwframe+0x4b/0x53
---[ end trace 0000000000000000 ]---

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

KVM x86 MMU sanity check triggers false WARN when host userspace overwrites shadow-present SPTE, fixed by restricting check to direct MMUs.

The vulnerability is a bug in the Linux kernel's KVM x86 memory management unit (MMU). The function mmu_set_spte contains a sanity check that warns when a shadow-present SPTE (Shadow Page Table Entry) is overwritten with a different target PFN. This check was intended to catch unexpected guest writes, but it incorrectly triggers for writes originating from outside KVM, such as from host userspace via /dev/kvm or other interfaces. The warning is a WARN_ONCE that can flood kernel logs.

Exploitation does not require guest interaction; an attacker with access to the host userspace (e.g., a malicious VM process) can trigger the warning by performing a write that causes KVM to overwrite a shadow-present SPTE. The attack surface is the KVM device interface, which is typically accessible to users with appropriate permissions. No special authentication is needed beyond the ability to open /dev/kvm and run a VM.

The impact is limited to a kernel warning (WARN) that may cause denial of service through log flooding or system instability if panic_on_warn is set. The warning itself does not directly lead to memory corruption or privilege escalation, but it indicates a violation of KVM's internal invariants. The fix adjusts the sanity check to only apply to direct MMUs (those without shadowed guest page tables), preventing false positives.

The fix has been applied to the Linux kernel stable trees via commits [1], [2], [3]. Users should update to a kernel version containing these patches. No workaround is documented; the issue is resolved by the kernel update.
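As an added example (not part of the advisory, and not the kernel's own code): a Python check that flags this CVE's WARN signature in dmesg text and tests the kernel release reported on the context line against the affected ranges listed in this advisory. The log sample is constructed from the trace quoted above; the taint-line layout and the release-string parsing are assumptions about dmesg output.

```python
import re
# Signature of the WARN quoted in the CVE description's trace (file, function, module).
WARN_RE = re.compile(
    r"WARNING: arch/x86/kvm/mmu/mmu\.c:\d+ at mmu_set_spte\+0x[0-9a-f]+/0x[0-9a-f]+ \[kvm\]")
# Process-context line that follows the WARN; the kernel release must start with a digit.
CTX_RE = re.compile(
    r"PID: (?P<pid>\d+) Comm: (?P<comm>\S+) (?:Not tainted|Tainted:.*?) (?P<kver>\d\S*)")

def parse_kver(release):
    """'6.18.20-generic' -> (6, 18, 20, None); '7.0.0-rc2-xyz' -> (7, 0, 0, 2)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch, rc = m.groups()
    return int(major), int(minor), int(patch or 0), (int(rc) if rc else None)

def is_affected(release):
    """True if the release is in the advisory's listed set: 6.16, >=6.16.1 <6.18.21,
    and 7.0-rc1..rc7. Releases the advisory does not list return False."""
    major, minor, patch, rc = parse_kver(release)
    if rc is not None:
        return (major, minor) == (7, 0) and 1 <= rc <= 7
    return (6, 16, 0) <= (major, minor, patch) < (6, 18, 21)

def scan_dmesg(text):
    """Return one record per WARN matching this CVE's signature, with PID, comm
    and kernel release taken from the context line that follows it."""
    hits, current = [], None
    for line in text.splitlines():
        if WARN_RE.search(line):
            current = {"pid": None, "comm": None, "kver": None, "kernel_affected": None}
            hits.append(current)
        if current is not None:
            m = CTX_RE.search(line)
            if m:
                current.update(m.groupdict())
                current["kernel_affected"] = is_affected(m.group("kver"))
                current = None
    return hits

# Constructed sample: the advisory's trace plus an unrelated WARN as a decoy.
SAMPLE_DMESG = """\
[   12.001] WARNING: drivers/net/foo.c:1 at foo_probe+0x10/0x20 [foo]
[   12.002] CPU: 1 UID: 0 PID: 10 Comm: kworker/1:1 Not tainted 7.0.0-rc2-eafebd2d2ab0-sink-vm #319
[   40.101] pfn != spte_to_pfn(*sptep)
[   40.102] WARNING: arch/x86/kvm/mmu/mmu.c:3069 at mmu_set_spte+0x1e4/0x440 [kvm], CPU#0: vmx_ept_stale_r/872
[   40.104] CPU: 0 UID: 1000 PID: 872 Comm: vmx_ept_stale_r Not tainted 7.0.0-rc2-eafebd2d2ab0-sink-vm #319 PREEMPT
[   40.106] ---[ end trace 0000000000000000 ]---
"""
```

Run `scan_dmesg(open("/var/log/dmesg").read())` or pipe `dmesg` output into it; a hit with kernel_affected True on a host with panic_on_warn set is the case the narrative above describes.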

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

10
  • Linux/Kernel (9 versions)
    • cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* range: >=6.16.1, <6.18.21
    • cpe:2.3:o:linux:linux_kernel:6.16:-:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

3

News mentions

0

No linked articles in our index yet.