CVE-2026-53359
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
04/07/2026
Last modified:
04/07/2026
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
KVM: x86: Fix shadow paging use-after-free due to unexpected role<br />
<br />
Commit 0cb2af2ea66ad ("KVM: x86: Fix shadow paging use-after-free due<br />
to unexpected GFN") fixed a shadow paging mismatch between stored and<br />
computed GFNs; the bug could be triggered by changing a PDE mapping from<br />
outside the guest, and then deleting a memslot. The rmap_remove()<br />
call would miss entries created after the PDE change because the GFN<br />
of the leaf SPTE does not match the GFN of the struct kvm_mmu_page.<br />
<br />
A similar hole however remains if the modified PDE points to a non-leaf<br />
page. In this case the gfn can be made to match, but the role does not<br />
match: the original large 2MB page creates a kvm_mmu_page with direct=1,<br />
while the new 4KB needs a kvm_mmu_page with direct=0. However,<br />
kvm_mmu_get_child_sp() does not compare the role, and therefore reuses<br />
the page.<br />
<br />
The next step is installing a leaf (4KB) SPTE on the new path which<br />
records an rmap entry under the gfn resolved by the walk. But when<br />
that child is zapped its parent kvm_mmu_page has direct=1 and<br />
kvm_mmu_page_get_gfn() computes the gfn for the 4KB page as<br />
sp->gfn + index instead of using sp->shadowed_translation[] (or sp->gfns[]<br />
in older kernels). It therefore fails to remove the recorded entry.<br />
<br />
When the memslot is dropped the shadow page is freed but the rmap<br />
entry survives, as in the scenario that was already fixed. Code that<br />
later walks that gfn (dirty logging, MMU notifier invalidation, and<br />
so on) dereferences an sptep that lies in the freed page, causing the<br />
use-after-free.
Impact
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/1ae7d5a6db6c190ce183e3098ca0e0846e14d462
- https://git.kernel.org/stable/c/2ad3afa40ac6aa340dada122f9abfa46c0a6eb35
- https://git.kernel.org/stable/c/5e470998a23e4c3d89ed24e8172cb22747e61efa
- https://git.kernel.org/stable/c/81ccda30b4e83d8f5cc4fd50503c44e3a33abfeb
- https://git.kernel.org/stable/c/9291654d69e08542de37755cebe4d5b02c3170d1
- https://git.kernel.org/stable/c/b1337aae5e194324e4810d561764e7793f8b3864



