PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-43483 Linux CVE debrief

CVE-2026-43483 is a Linux kernel KVM issue in the SVM/AVIC path. If AVIC is activated or deactivated at the wrong time, KVM can leave CR8 write interception enabled when it should not be, which is described as a lingering performance problem on its own. The CVE notes that, when combined with an earlier TPR synchronization bug fixed by commit d02e48830e3f, the mismatch between hardware-visible TPR state and guest reality can become fatal for Windows guests. The issue is explicitly described as an SVM implementation flaw and not a VMX/APICv problem.

Vendor
Linux
Product
Unknown
CVSS
Unknown
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-13
Original CVE updated
2026-05-13
Advisory published
2026-05-13
Advisory updated
2026-05-13

Who should care

Linux kernel and virtualization teams running KVM on AMD SVM systems with AVIC enabled, especially environments hosting Windows guests. Kernel maintainers, cloud operators, and virtualization platform admins should prioritize review if they rely on AVIC/interrupt virtualization behavior.

Technical summary

The vulnerability is a state-management bug in KVM’s SVM AVIC handling. The kernel should explicitly set or clear CR8 write interception when AVIC is activated or deactivated, but the bug can leave interception enabled indefinitely after AVIC activation. That alone causes incorrect interrupt virtualization behavior and performance impact. The CVE states the situation becomes severe when paired with the earlier TPR-sync defect fixed by commit d02e48830e3f, because hardware then observes a stale or inconsistent TPR state. The description also says KVM should never enter the guest with AVIC enabled while CR8 writes remain intercepted, and warns if that situation occurs.

Defensive priority

High for affected AMD SVM/AVIC deployments, especially if Windows guests are involved. Lower urgency for environments not using AVIC or not affected by the SVM path.

Recommended defensive actions

  • Identify Linux hosts using KVM on AMD SVM with AVIC enabled or available.
  • Review whether your kernel build includes the fix that explicitly sets and clears CR8 write interception during AVIC activation and deactivation.
  • Prioritize validation on hosts running Windows guests, since the CVE description says the bug can be fatal in that scenario when combined with the related TPR sync issue.
  • Check whether your deployment is exposed to the earlier TPR synchronization bug referenced in the CVE description and ensure both fixes are present.
  • Apply vendor or stable-kernel updates that include the referenced kernel changes once available in your distribution channel.
  • After updating, verify guest stability and interrupt behavior on affected virtualization clusters.

Evidence notes

This debrief is based only on the supplied CVE description and official reference links. The description states: (1) KVM should explicitly set/clear CR8 write interception when AVIC is activated/deactivated; (2) leaving the interception enabled can persist indefinitely; (3) the issue is a performance problem by itself but can be fatal for Windows guests when combined with the TPR sync bug fixed by commit d02e48830e3f; (4) the issue is specific to SVM and not VMX. The source references are stable kernel commit links and official CVE/NVD records. No CVSS score or severity vector was provided in the corpus.

Official resources

CVE published 2026-05-13T16:16:51.497Z. Use this published date for timing context; do not infer issue onset from the publication date. The corpus does not provide a CVSS score or an exploitation timeline.