CVE-2026-45987
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
27/05/2026
Last modified:
16/06/2026
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
KVM: nSVM: Sync interrupt shadow to cached vmcb12 after VMRUN of L2<br />
<br />
After VMRUN in guest mode, nested_sync_control_from_vmcb02() syncs<br />
fields written by the CPU from vmcb02 to the cached vmcb12. This is<br />
because the cached vmcb12 is used as the authoritative copy of some of<br />
the controls, and is the payload when saving/restoring nested state.<br />
<br />
int_state is also written by the CPU, specifically bit 0 (i.e.<br />
SVM_INTERRUPT_SHADOW_MASK) for nested VMs, but it is not sync&#39;d to<br />
cached vmcb12. This does not cause a problem if KVM_SET_NESTED_STATE<br />
preceeds KVM_SET_VCPU_EVENTS in the restore path, as an interrupt shadow<br />
would be correctly restored to vmcb02 (KVM_SET_VCPU_EVENTS overwrites<br />
what KVM_SET_NESTED_STATE restored in int_state).<br />
<br />
However, if KVM_SET_VCPU_EVENTS preceeds KVM_SET_NESTED_STATE, an<br />
interrupt shadow would be restored into vmcb01 instead of vmcb02. This<br />
would mostly be benign for L1 (delays an interrupt), but not for L2. For<br />
L2, the vCPU could hang (e.g. if a wakeup interrupt is delivered before<br />
a HLT that should have been in an interrupt shadow).<br />
<br />
Sync int_state to the cached vmcb12 in nested_sync_control_from_vmcb02()<br />
to avoid this problem. With that, KVM_SET_NESTED_STATE restores the<br />
correct interrupt shadow state, and if KVM_SET_VCPU_EVENTS follows it<br />
would overwrite it with the same value.
Impact
Base Score 3.x
5.50
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.8 (including) | 5.10.258 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.15.209 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 6.1.175 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (including) | 6.6.140 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.12.86 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.13 (including) | 6.18.27 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.19 (including) | 7.0.4 (excluding) |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/03bee264f8ebfd39e0254c98e112d033a7aa9055
- https://git.kernel.org/stable/c/0c1f74d8b74d8a31751fb6ea5417e48e02c93b58
- https://git.kernel.org/stable/c/1709418535a8df95532999d61b03d59975280258
- https://git.kernel.org/stable/c/2f950eeb27af6885416232761700b8820cae0a61
- https://git.kernel.org/stable/c/497f6af9679fc9c6ce2f438e11ed5d51b1aa8297
- https://git.kernel.org/stable/c/4b44aa1a134e499c4517597118378b308602a16c
- https://git.kernel.org/stable/c/e0377e52f3c10ee572732d11b04625b7f517a862
- https://git.kernel.org/stable/c/e39a77a9b1e17d2d831c304eafac4c41a784a0be



