PatchSiren

CVE-2026-23401 Linux CVE debrief

A medium-severity vulnerability, CVE-2026-23401, was found in the Linux kernel's KVM component. When KVM installs an emulated MMIO SPTE (shadow page table entry), an existing shadow-present SPTE is not properly dropped or zapped first. This can lead to unexpected behavior when a guest hits a page fault. The vulnerability has a CVSS score of 5.5, with a local attack vector and low attack complexity. Affected Linux kernel versions are 5.13.1 to 5.15.203, 5.16 to 6.1.168, 6.2 to 6.6.131, 6.7 to 6.12.80, 6.13 to 6.18.21, and 6.19 to 6.19.11.

Vendor: Linux
Product: Unknown
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-01
Original CVE updated: 2026-06-30
Advisory published: 2026-04-01
Advisory updated: 2026-06-30

Who should care

System administrators and security teams managing Linux-based virtualization environments using KVM should be aware of this vulnerability. They should assess their current kernel versions and patch levels to determine if they are affected. Additionally, organizations relying on Linux kernel versions 5.13.1 to 5.15.203, 5.16 to 6.1.168, 6.2 to 6.6.131, 6.7 to 6.12.80, 6.13 to 6.18.21, 6.19 to 6.19.11 should prioritize patching.

Technical summary

The vulnerability is located in the KVM component of the Linux kernel, specifically in the MMIO SPTE installation process. When creating an emulated MMIO SPTE, the existing present SPTE is not properly dropped or zapped if it's shadow-present. This can cause issues when a guest hits a page fault. The problem was initially identified through a warning in the mark_mmio_spte function. To address this, the kernel patch ensures that the existing SPTE is dropped/zapped before installing the MMIO SPTE.

Recommended defensive actions

  • Apply patches: Update Linux kernel to versions that include the fix.
  • Inventory and prioritize: Identify and prioritize systems running affected kernel versions.
  • Monitor: Implement monitoring to detect potential exploitation attempts.
  • Verify patch application: Ensure patches have been successfully applied and systems are no longer vulnerable.
  • Update documentation: Document patch application and vulnerability mitigation efforts.
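
The inventory step above can be scripted by comparing each host's `uname -r` string against the version ranges listed on this page. This is an added example, not code from the advisory or the kernel project; the range bounds are assumed inclusive, and the function names, hostnames and sample releases are constructed for illustration.

```python
import re

# Affected upstream ranges as listed on this page (bounds assumed inclusive).
AFFECTED_RANGES = [
    ("5.13.1", "5.15.203"), ("5.16", "6.1.168"),
    ("6.2", "6.6.131"), ("6.7", "6.12.80"),
    ("6.13", "6.18.21"), ("6.19", "6.19.11"),
]
RELEASE_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(.*)$")

def parse_release(release):
    """Split a `uname -r` string into ((major, minor, patch), suffix)."""
    m = RELEASE_RE.match(release.strip())
    if m is None:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch or 0)), suffix

def classify(release):
    """Return 'in-range', 'out-of-range' or 'check-vendor' for one release."""
    version, suffix = parse_release(release)
    if suffix:
        # Distribution builds (e.g. "-generic", ".el9") backport code and fixes
        # without changing the upstream prefix, so the ranges above cannot decide
        # them; consult the vendor advisory (the page cites Red Hat RHSAs).
        return "check-vendor"
    for low, high in AFFECTED_RANGES:
        if parse_release(low)[0] <= version <= parse_release(high)[0]:
            return "in-range"
    # Not in the listed ranges: either newer than a fixed point or older than 5.13.1.
    return "out-of-range"

def triage(inventory):
    """Group hostnames by classification; inventory maps host -> `uname -r`."""
    groups = {"in-range": [], "out-of-range": [], "check-vendor": []}
    for host, release in sorted(inventory.items()):
        groups[classify(release)].append(host)
    return groups

# Constructed sample inventory (hostnames and releases are illustrative).
SAMPLE = {
    "kvm-a": "6.6.131", "kvm-b": "6.6.132", "kvm-c": "5.15.203",
    "kvm-d": "5.13.0", "kvm-e": "6.12.80", "kvm-f": "5.14.0-427.el9.x86_64",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts reported as `check-vendor` are not cleared; they need to be matched against the distribution's own fixed package versions.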

Evidence notes

The CVE-2026-23401 vulnerability was publicly disclosed on April 1, 2026, with a CVSS score of 5.5. The Linux kernel community addressed the issue through a series of patches. Multiple Red Hat advisories (RHSA-2026:13577, RHSA-2026:13578, etc.) reference this CVE, indicating affected Red Hat products and providing additional mitigation details.

This article was generated with AI assistance based on the supplied source corpus.