CVE-2026-43265
Description
In the Linux kernel, the following vulnerability has been resolved:
KVM: x86: Ignore -EBUSY when checking nested events from vcpu_block()
Ignore -EBUSY when checking nested events after exiting a blocking state while L2 is active, as exiting to userspace will generate a spurious userspace exit, usually with KVM_EXIT_UNKNOWN, and likely lead to the VM's demise. Continuing with the wakeup isn't perfect either, as *something* has gone sideways if a vCPU is awakened in L2 with an injected event (or worse, a nested run pending), but continuing on gives the VM a decent chance of surviving without any major side effects.
As explained in the Fixes commits, it _should_ be impossible for a vCPU to be put into a blocking state with an already-injected event (exception, IRQ, or NMI). Unfortunately, userspace can stuff MP_STATE and/or injected events, and thus put the vCPU into what should be an impossible state.
Don't bother trying to preserve the WARN, e.g. with an anti-syzkaller Kconfig, as WARNs can (hopefully) be added in paths where _KVM_ would be violating x86 architecture, e.g. by WARNing if KVM attempts to inject an exception or interrupt while the vCPU isn't running.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel, KVM propagating -EBUSY from the nested-events check when a vCPU exits a blocking state in L2 forces a spurious userspace exit and may crash the VM.
Vulnerability
Description
CVE-2026-43265 is a vulnerability in the Linux kernel's KVM component, specifically in the handling of nested virtualization events when a vCPU exits a blocking state (e.g., HLT or MWAIT) while running in L2 (nested guest). The root cause is that KVM incorrectly propagates an -EBUSY error from the function kvm_check_nested_events() during vcpu_block(), which can lead to a spurious userspace exit, usually with KVM_EXIT_UNKNOWN, instead of gracefully resuming execution.
Exploitation
To trigger the issue, a local attacker with the ability to control a nested guest (L2) must put the vCPU into an architecturally impossible state, such as having an injected event (exception, IRQ, or NMI) while the vCPU is blocked, by manipulating MP_STATE and/or injected events from userspace [1]. While the commit notes that such a state "_should_ be impossible" under normal KVM operation, the kernel does not prevent userspace from setting these values. Once the vCPU is in this state, exiting the blocked state in L2 causes KVM to return -EBUSY when checking for pending nested events, leading to the spurious exit. No special hardware or network access is required, only local privileges to interact with KVM's API.
Impact
If successfully triggered, the bug forces the VM to exit to userspace with an unknown exit reason, which is likely to result in the VM being terminated or malfunctioning, effectively causing a denial of service (DoS) for the affected guest [1]. The fix changes the behavior to ignore the -EBUSY error and continue with the wakeup, giving the VM a better chance of surviving without major side effects. The CVSS v3 score is 5.5 (Medium), reflecting the local attack vector and moderate availability impact.
Mitigation
This vulnerability has been patched in the Linux kernel through the commit referenced in the advisory [1]. Users should apply the stable kernel update containing the patch (commit ec3be7dc9391). Alternatively, KVM users should ensure that no untrusted userspace process can set MP_STATE or inject events into a nested guest in an architecturally invalid way. There is no known workaround besides updating the kernel.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
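A host-side exposure check for the two preconditions described above (nested virtualization in use, local access to KVM's API), as an added example that is not part of the advisory or the kernel patch. The function names and the `root` parameter are assumptions of this example, and it does not determine whether the running kernel carries the fix.

```python
import os
import stat
from pathlib import Path

# sysfs switches for nested virtualization (Intel VMX and AMD SVM hosts).
NESTED_PARAMS = (
    "sys/module/kvm_intel/parameters/nested",
    "sys/module/kvm_amd/parameters/nested",
)


def nested_enabled(root="/"):
    """Return the KVM vendor modules that have nested virtualization on."""
    enabled = []
    for rel in NESTED_PARAMS:
        path = Path(root) / rel
        try:
            value = path.read_text().strip()
        except OSError:
            continue  # module not loaded on this host
        if value in ("Y", "y", "1"):
            enabled.append(path.parts[-3])  # e.g. "kvm_intel"
    return enabled


def kvm_device_access(root="/"):
    """Describe who may open /dev/kvm, i.e. who can reach KVM's ioctl API."""
    try:
        st = os.stat(Path(root) / "dev/kvm")
    except OSError:
        return None  # KVM not available
    mode = stat.S_IMODE(st.st_mode)
    return {"mode": oct(mode), "uid": st.st_uid, "gid": st.st_gid,
            "world_rw": (mode & 0o006) == 0o006}


def assess(root="/"):
    """Summarise the two preconditions the advisory names (root is an assumed test hook)."""
    modules, dev = nested_enabled(root), kvm_device_access(root)
    if dev is None or not modules:
        verdict = "preconditions not met: no nested KVM on this host"
    elif dev["world_rw"]:
        verdict = "nested KVM on and /dev/kvm open to every local user"
    else:
        verdict = "nested KVM on; /dev/kvm limited to its owner and group"
    return {"nested_modules": modules, "kvm_device": dev, "verdict": verdict}


if __name__ == "__main__":
    print(assess())
```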
Affected products (2)
Patches (0)
No patches discovered yet.
References (6)
- git.kernel.org/stable/c/1c957773063ed3264953597e32990a748381caf6 (nvd, Patch)
- git.kernel.org/stable/c/1e88b5f854bdb469424132e0bb44793ad7a7c20a (nvd, Patch)
- git.kernel.org/stable/c/2657439265d34a911886b916ba8be97ecc117d51 (nvd, Patch)
- git.kernel.org/stable/c/78265cd066d73a5cb41c088fcae4a2515e480d97 (nvd, Patch)
- git.kernel.org/stable/c/ead63640d4e72e6f6d464f4e31f7fecb79af8869 (nvd, Patch)
- git.kernel.org/stable/c/ec3be7dc9391085a2d96700e159d66d1328b7ff6 (nvd, Patch)