PatchSiren


CVE-2026-46014 Linux CVE debrief

A vulnerability in the Linux kernel's KVM (Kernel-based Virtual Machine) subsystem for AMD SVM (Secure Virtual Machine) was resolved on 2026-05-27. The issue involved missing save/restore handling of MSR_IA32_DEBUGCTLMSR and the Last Branch Record (LBR) Model-Specific Registers (MSRs). These MSRs were not enumerated by KVM_GET_MSR_INDEX_LIST, and the LBR MSRs could not be set with KVM_SET_MSRS, so saving and restoring virtual machine state was broken. The fix adds these MSRs to msrs_to_save_base, permits writes to LBR MSRs from userspace when LBR virtualization is enabled, and ensures proper restoration of L1's LBRs while L2 is running through svm_copy_vmrun_state(). The patch also addresses a related flaw in VMX where MSR_IA32_DEBUGCTLMSR was not reported as an MSR requiring save/restore. This vulnerability affects KVM-based virtualization environments on AMD processors with SVM and potentially Intel processors with VMX.

Vendor: Linux
Product: Unknown
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-27
Advisory published: 2026-05-27
Advisory updated: 2026-05-27

Who should care

This matters to organizations running Linux-based virtualization infrastructure using KVM on AMD or Intel processors, particularly those enabling nested virtualization or LBR virtualization features. Cloud providers and enterprises with self-hosted virtualization platforms should prioritize kernel updates containing this fix.

Technical summary

CVE-2026-46014 addresses a vulnerability in the Linux kernel's KVM subsystem where MSR_IA32_DEBUGCTLMSR and LBR (Last Branch Record) MSRs were not properly handled during save/restore operations. On AMD SVM, these MSRs were not enumerated by KVM_GET_MSR_INDEX_LIST and could not be set via KVM_SET_MSRS, breaking save/restore functionality. The fix adds these MSRs to msrs_to_save_base, allows userspace writes to LBR MSRs when LBR virtualization is enabled, and ensures proper copying of LBR state from VMCB01 save area during svm_copy_vmrun_state() for correct L1 LBR restoration while L2 runs. For Intel VMX, the fix also corrects missing enumeration of MSR_IA32_DEBUGCTLMSR. The vulnerability affects nested virtualization scenarios where incorrect MSR state could lead to information disclosure or execution anomalies.

Defensive priority

medium

Recommended defensive actions

  • Apply the relevant stable kernel patches from the 2026-05-27 commits to affected systems running KVM virtualization
  • Verify kernel version includes fixes for CVE-2026-46014 in KVM SVM and VMX subsystems
  • Review virtualization configurations that utilize LBR (Last Branch Record) virtualization features
  • Audit nested virtualization deployments where L1/L2 state transitions occur
  • Monitor for kernel updates addressing MSR save/restore handling in KVM subsystems
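
One way to carry out the verification step on a host is to ask the running kernel which MSRs it enumerates through KVM_GET_MSR_INDEX_LIST. The program below is an added example, not code from the advisory or the kernel project; the helper names are hypothetical, and treating the four legacy LBR registers from the kernel's msr-index.h as the advisory's "LBR MSRs" is an assumption.

```c
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/ioctl.h>

/* Local mirror of struct kvm_msr_list / KVM_GET_MSR_INDEX_LIST (<linux/kvm.h>),
 * so the file builds even where the kernel UAPI headers are not installed. */
struct msr_list { uint32_t nmsrs; uint32_t indices[]; };
#define GET_MSR_INDEX_LIST _IOWR(0xAE, 0x02, struct msr_list)

/* Indices from the kernel's msr-index.h. Assumption: these four legacy LBR
 * registers are the "LBR MSRs" the advisory refers to. */
static const struct { uint32_t idx; const char *name; } wanted[] = {
    { 0x1d9, "MSR_IA32_DEBUGCTLMSR" },
    { 0x1db, "MSR_IA32_LASTBRANCHFROMIP" },
    { 0x1dc, "MSR_IA32_LASTBRANCHTOIP" },
    { 0x1dd, "MSR_IA32_LASTINTFROMIP" },
    { 0x1de, "MSR_IA32_LASTINTTOIP" },
};
#define NWANTED (sizeof wanted / sizeof wanted[0])

/* Returns a bitmask: bit i set means wanted[i] is absent from the list. */
unsigned missing_mask(const uint32_t *indices, uint32_t n)
{
    unsigned mask = 0;
    for (size_t i = 0; i < NWANTED; i++) {
        uint32_t j = 0;
        while (j < n && indices[j] != wanted[i].idx) j++;
        if (j == n) mask |= 1u << i;
    }
    return mask;
}

int main(void)
{
    int fd = open("/dev/kvm", O_RDWR);
    if (fd < 0) { perror("/dev/kvm"); return 2; }
    struct msr_list probe = { 0 };
    ioctl(fd, GET_MSR_INDEX_LIST, &probe);  /* fails with E2BIG, fills nmsrs */
    struct msr_list *l = calloc(1, sizeof *l + probe.nmsrs * sizeof(uint32_t));
    if (!l) return 2;
    l->nmsrs = probe.nmsrs;
    if (ioctl(fd, GET_MSR_INDEX_LIST, l) < 0) { perror("ioctl"); return 2; }
    unsigned m = missing_mask(l->indices, l->nmsrs);
    for (size_t i = 0; i < NWANTED; i++)
        printf("%-27s %s\n", wanted[i].name, (m >> i) & 1 ? "NOT enumerated" : "enumerated");
    free(l);
    return m ? 1 : 0;
}
```

KVM filters this list by what the host CPU supports, so a missing entry is a prompt to check the kernel's changelog for the fix rather than proof that the fix is absent.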

Evidence notes

The vulnerability description indicates this was a resolved issue in the Linux kernel KVM subsystem. The fix was committed to stable kernel branches as evidenced by three git.kernel.org stable commits. The issue was present in KVM's SVM (AMD) implementation and also affected VMX (Intel) regarding MSR_IA32_DEBUGCTLMSR enumeration. The vulnerability relates to improper state management of debug-related MSRs during VM save/restore operations, which could lead to information disclosure or incorrect execution state in nested virtualization scenarios.

Official resources

2026-05-27