PatchSiren cyber security CVE debrief
CVE-2026-23401 Linux CVE debrief
A medium-severity vulnerability, CVE-2026-23401, was found in the Linux kernel's KVM component. The issue arises during the installation of emulated MMIO SPTEs, where an existing shadow-present SPTE is not properly dropped or zapped. This can lead to unexpected behavior when a guest hits a page fault. The vulnerability has a CVSS score of 5.5, with a local attack vector and low attack complexity. Linux kernel versions 5.13.1 to 5.15.203, 5.16 to 6.1.168, 6.2 to 6.6.131, 6.7 to 6.12.80, 6.13 to 6.18.21, and 6.19 to 6.19.11 are affected.
- Vendor: Linux
- Product: Unknown
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-04-01
- Original CVE updated: 2026-06-30
- Advisory published: 2026-04-01
- Advisory updated: 2026-06-30
Who should care
System administrators and security teams managing Linux-based virtualization environments using KVM should be aware of this vulnerability. They should assess their current kernel versions and patch levels to determine if they are affected. Additionally, organizations relying on Linux kernel versions 5.13.1 to 5.15.203, 5.16 to 6.1.168, 6.2 to 6.6.131, 6.7 to 6.12.80, 6.13 to 6.18.21, 6.19 to 6.19.11 should prioritize patching.
Technical summary
The vulnerability is located in the KVM component of the Linux kernel, specifically in the MMIO SPTE installation process. When creating an emulated MMIO SPTE, the existing present SPTE is not properly dropped or zapped if it's shadow-present. This can cause issues when a guest hits a page fault. The problem was initially identified through a warning in the mark_mmio_spte function. To address this, the kernel patch ensures that the existing SPTE is dropped/zapped before installing the MMIO SPTE.
Defensive priority
Apply patches: Update Linux kernel to versions that include the fix. Inventory and prioritize: Identify and prioritize systems running affected kernel versions. Monitor: Implement monitoring to detect potential exploitation attempts.
Recommended defensive actions
- Apply patches: Update Linux kernel to versions that include the fix.
- Inventory and prioritize: Identify and prioritize systems running affected kernel versions.
- Monitor: Implement monitoring to detect potential exploitation attempts.
- Verify patch application: Ensure patches have been successfully applied and systems are no longer vulnerable.
- Update documentation: Document patch application and vulnerability mitigation efforts.
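The inventory step above can be scripted. The following is an added example, not part of the original debrief or any vendor tooling: it classifies `uname -r` strings against the upstream ranges listed on this page. The function names, status labels and sample host list are constructed for illustration, and both ends of each range are assumed to be inclusive.

```python
import re

# Affected upstream ranges exactly as listed in this debrief.
# Assumption: both ends are inclusive, following the page's "X to Y" wording.
AFFECTED = [
    ("5.13.1", "5.15.203"), ("5.16", "6.1.168"), ("6.2", "6.6.131"),
    ("6.7", "6.12.80"), ("6.13", "6.18.21"), ("6.19", "6.19.11"),
]
_VERSION = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Return (major, minor, patch) from the start of text, or None."""
    m = _VERSION.match(text.strip())
    return tuple(int(g or 0) for g in m.groups()) if m else None


def classify(release):
    """Classify one `uname -r` string against the listed ranges."""
    release = release.strip()
    ver = parse_version(release)
    if ver is None:
        return "unparseable"
    if not any(parse_version(lo) <= ver <= parse_version(hi) for lo, hi in AFFECTED):
        return "not-in-listed-range"
    # A build suffix (e.g. "-570.12.1.el9_6.x86_64") marks a distribution or
    # custom kernel. Such builds backport fixes without changing the base
    # version, so the upstream ranges cannot settle the question.
    suffix = release[_VERSION.match(release).end():]
    return "check-vendor-advisory" if suffix else "affected"


def triage(inventory):
    """Map each status to the sorted hosts that fall under it."""
    result = {}
    for host, release in inventory.items():
        result.setdefault(classify(release), []).append(host)
    return {status: sorted(hosts) for status, hosts in result.items()}


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and releases are illustrative).
    sample = {
        "kvm-a": "6.6.131",
        "kvm-b": "6.6.132",
        "kvm-c": "5.14.0-570.12.1.el9_6.x86_64",
        "kvm-d": "6.12.80",
    }
    for status, hosts in triage(sample).items():
        print(f"{status}: {', '.join(hosts)}")
```

Hosts reported as check-vendor-advisory need to be resolved against the distribution's own advisory for this CVE, since the base version alone does not show whether the fix was backported.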
Evidence notes
The CVE-2026-23401 vulnerability was publicly disclosed on April 1, 2026, with a CVSS score of 5.5. The Linux kernel community addressed the issue through a series of patches. Multiple Red Hat advisories (RHSA-2026:13577, RHSA-2026:13578, etc.) reference this CVE, indicating affected Red Hat products and providing additional mitigation details.
Official resources
- CVE-2026-23401 CVE record (CVE.org)
- CVE-2026-23401 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference (416baaa9-dc9f-4396-8d5f-8c081fb06d67 - Patch)
This article was generated with AI assistance based on the supplied source corpus.