VYPR
High severity · 8.8 · NVD Advisory · Published Apr 3, 2026 · Updated Apr 27, 2026

CVE-2026-23425

Description

In the Linux kernel, the following vulnerability has been resolved:

KVM: arm64: Fix ID register initialization for non-protected pKVM guests

In protected mode, the hypervisor maintains a separate instance of the kvm structure for each VM. For non-protected VMs, this structure is initialized from the host's kvm state.

Currently, pkvm_init_features_from_host() copies the KVM_ARCH_FLAG_ID_REGS_INITIALIZED flag from the host without the underlying id_regs data being initialized. This results in the hypervisor seeing the flag as set while the ID registers remain zeroed.

Consequently, kvm_has_feat() checks at EL2 fail (return 0) for non-protected VMs. This breaks logic that relies on feature detection, such as ctxt_has_tcrx() for TCR2_EL1 support. As a result, certain system registers (e.g., TCR2_EL1, PIR_EL1, POR_EL1) are not saved/restored during the world switch, which could lead to state corruption.

Fix this by explicitly copying the ID registers from the host kvm to the hypervisor kvm for non-protected VMs during initialization, since we trust the host with its non-protected guests' features. Also ensure KVM_ARCH_FLAG_ID_REGS_INITIALIZED is cleared initially in pkvm_init_features_from_host so that vm_copy_id_regs can properly initialize them and set the flag once done.
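The flag/data mismatch described above, reduced to a small host-side model (added here as an illustration; it is not the kernel's code, and the structure layout, field position and the assumption that vm_copy_id_regs() skips work when the flag is already set are all simplifications of what the description states):

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
/* Simplified model of the host/hypervisor state split described above.
 * Names, layout and field positions are illustrative, not the kernel's. */
#define FLAG_ID_REGS_INITIALIZED (1u << 0)
#define TCRX_REG   0   /* stands in for ID_AA64MMFR3_EL1 */
#define TCRX_SHIFT 0   /* 4-bit TCRX field; position illustrative */

struct kvm_model {
    uint32_t flags;
    uint64_t id_regs[4];
};

/* Like kvm_has_feat(): read a 4-bit ID register field; 0 means "absent". */
static unsigned has_feat(const struct kvm_model *kvm, int reg, int shift) { return (kvm->id_regs[reg] >> shift) & 0xf; }

/* Like vm_copy_id_regs() (assumed behaviour): copy the host's ID registers
 * into the hypervisor copy unless the flag already claims that was done. */
static void vm_copy_id_regs(struct kvm_model *hyp, const struct kvm_model *host)
{
    if (hyp->flags & FLAG_ID_REGS_INITIALIZED)
        return;
    memcpy(hyp->id_regs, host->id_regs, sizeof(hyp->id_regs));
    hyp->flags |= FLAG_ID_REGS_INITIALIZED;
}

/* Before the fix: flags copied wholesale, so the copy is skipped and the
 * hypervisor keeps zeroed ID registers behind a flag that says "done". */
static void init_features_buggy(struct kvm_model *hyp, const struct kvm_model *host)
{
    memset(hyp, 0, sizeof(*hyp));
    hyp->flags = host->flags;
    vm_copy_id_regs(hyp, host);
}

/* After the fix: clear the flag first, so the copy really runs. */
static void init_features_fixed(struct kvm_model *hyp, const struct kvm_model *host)
{
    memset(hyp, 0, sizeof(*hyp));
    hyp->flags = host->flags & ~FLAG_ID_REGS_INITIALIZED;
    vm_copy_id_regs(hyp, host);
}

/* Like ctxt_has_tcrx(): must the world switch save/restore TCR2_EL1? */
static bool ctxt_has_tcrx(const struct kvm_model *hyp) { return has_feat(hyp, TCRX_REG, TCRX_SHIFT) != 0; }
/* Constructed host state advertising TCRX = 1, with its flag already set. */
static const struct kvm_model host_example = { FLAG_ID_REGS_INITIALIZED, {1, 0, 0, 0} };
bool tcrx_seen_buggy(void) { struct kvm_model hyp; init_features_buggy(&hyp, &host_example); return ctxt_has_tcrx(&hyp); }
bool tcrx_seen_fixed(void) { struct kvm_model hyp; init_features_fixed(&hyp, &host_example); return ctxt_has_tcrx(&hyp); }
```

With the buggy path the hypervisor decides TCR2_EL1 need not be saved even though the host advertises it; the fixed path restores the invariant that the flag is only set once the data behind it is populated.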

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

KVM/arm64 in protected mode incorrectly zeroes ID registers for non-protected pKVM guests, causing feature detection failures and potential register state corruption.

Vulnerability

Overview

In the Linux kernel's KVM/arm64 subsystem, a flaw in the initialization of non-protected pKVM guests leaves the hypervisor's ID register data missing while feature detection assumes it is present. When pkvm_init_features_from_host() copies the KVM_ARCH_FLAG_ID_REGS_INITIALIZED flag from the host, the hypervisor erroneously considers the ID registers initialized even though they remain zeroed. This causes kvm_has_feat() checks at EL2 to incorrectly return 0 for critical CPU features that the hardware actually provides.

Attack

Vector & Exploitation

An attacker controlling a non-protected pKVM guest could exploit this bug to bypass EL2 feature checks. Since the ID registers are zeroed, the hypervisor believes certain architectural features are absent. The attack requires the ability to run a VM in non-protected pKVM mode. No special privileges beyond that are needed; the guest can simply exercise system registers that rely on correct feature detection.

Impact

Without proper feature detection, the hypervisor fails to save/restore registers such as TCR2_EL1, PIR_EL1, and POR_EL1 during world switches. This can lead to guest state corruption or unintended exposure of hypervisor state, potentially allowing a guest to crash the system or escalate privileges. The CVSS v3 score of 8.8 (High) reflects the risk of confidentiality, integrity, and availability loss.

Mitigation

The fix explicitly copies the host's ID registers to the hypervisor structure for non-protected VMs and keeps the initialized flag clear until the copy is complete. Patches are available in the stable kernel trees [1][2][3]. All users running protected pKVM (typical in Android or confidential computing deployments) should apply the updates as soon as possible.

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (10)

  • Linux/Kernel, 10 versions:
    • cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* range: >=6.14.1,<6.18.17
    • cpe:2.3:o:linux:linux_kernel:6.14:-:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*
    • (no CPE)

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (3)

News mentions (0)

No linked articles in our index yet.