CVE-2026-23425

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
03/04/2026
Last modified:
03/04/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

KVM: arm64: Fix ID register initialization for non-protected pKVM guests

In protected mode, the hypervisor maintains a separate instance of the `kvm` structure for each VM. For non-protected VMs, this structure is initialized from the host's `kvm` state.

Currently, `pkvm_init_features_from_host()` copies the `KVM_ARCH_FLAG_ID_REGS_INITIALIZED` flag from the host without the underlying `id_regs` data being initialized. This results in the hypervisor seeing the flag as set while the ID registers remain zeroed.

Consequently, `kvm_has_feat()` checks at EL2 fail (return 0) for non-protected VMs. This breaks logic that relies on feature detection, such as `ctxt_has_tcrx()` for TCR2_EL1 support. As a result, certain system registers (e.g., TCR2_EL1, PIR_EL1, POR_EL1) are not saved/restored during the world switch, which could lead to state corruption.

Fix this by explicitly copying the ID registers from the host `kvm` to the hypervisor `kvm` for non-protected VMs during initialization, since we trust the host with its non-protected guests' features. Also ensure `KVM_ARCH_FLAG_ID_REGS_INITIALIZED` is cleared initially in `pkvm_init_features_from_host` so that `vm_copy_id_regs` can properly initialize them and set the flag once done.

Impact