PatchSiren cyber security CVE debrief

CVE-2026-46082 Linux CVE debrief

## Summary

CVE-2026-46082 is a vulnerability in the Linux kernel's KVM (Kernel-based Virtual Machine) SVM (Secure Virtual Machine) module. The INVLPGA instruction handler did not inject an undefined opcode (#UD) exception when the EFER.SVME (Secure Virtual Machine Enable) bit was clear. According to the AMD architecture specification, INVLPGA must raise #UD when SVM is not enabled. The vulnerability was resolved by adding a check that injects #UD when EFER.SVME=0.

## Technical Details

The vulnerability exists in the KVM SVM implementation, where the handler for INVLPGA (Invalidate TLB Entry in a Specified ASID) did not verify that SVM was enabled via EFER.SVME before servicing the instruction. When a guest executes INVLPGA with SVM disabled, the architecture requires a #UD exception, but the kernel was not injecting it. This could lead to unexpected behavior or other security implications in virtualized environments.

The fix adds a check so that when EFER.SVME is not set, KVM injects a #UD exception for INVLPGA, aligning the hypervisor's behavior with the hardware and AMD's architectural specification.

## Affected Versions

The vulnerability affects Linux kernel versions with KVM SVM support. Based on the stable kernel commits referenced, patches have been applied to multiple stable branches; the commits indicate backports to various stable kernel versions.

## Impact

Without the fix, a guest virtual machine could execute INVLPGA in a state where SVM is not enabled, potentially leading to:

- Unexpected execution flow in the guest
- Possible information disclosure or denial of service conditions
- Violation of expected architectural behavior

The vulnerability is particularly relevant for AMD-based virtualization environments using KVM.

## Detection

Organizations running KVM on AMD hardware should verify their kernel versions against the patched versions. The vulnerability would manifest in virtualized environments where guests attempt to execute INVLPGA.

## Remediation

Apply the appropriate kernel patch from the stable kernel tree.

Vendor: Linux
Product: Unknown
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-27
Advisory published: 2026-05-27
Advisory updated: 2026-05-27

Who should care

Organizations running virtualized workloads on AMD hardware using KVM, Linux kernel maintainers, virtualization administrators, and security teams managing on-premise or cloud infrastructure with AMD-based hypervisors.

Technical summary

The Linux kernel KVM SVM module did not properly inject an undefined opcode (#UD) exception when the INVLPGA instruction was executed with EFER.SVME=0. The fix adds proper checking to inject #UD when SVM is not enabled, ensuring compliance with AMD architectural specifications.
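To make the fix concrete, the following is an added C model of the INVLPGA exit handler before and after the change. It is written for this debrief and is not the kernel's svm.c: the struct and function names, the toy ASID-tagged TLB and the sample entries are constructed assumptions, and only EFER.SVME being bit 12 of EFER is architectural.

```c
#include <stdbool.h>
#include <stdint.h>

#define EFER_SVME (1ULL << 12)   /* EFER.SVME: Secure Virtual Machine Enable, bit 12 */
#define TLB_SIZE 4
enum invlpga_result { INVLPGA_DONE, INVLPGA_INJECT_UD };
/* Toy ASID-tagged TLB (constructed model, not the kernel's structures). */
struct tlb_entry { uint32_t asid; uint64_t gva; bool valid; };
struct vcpu_model { uint64_t efer; struct tlb_entry tlb[TLB_SIZE]; };

static int tlb_find(const struct vcpu_model *v, uint32_t asid, uint64_t gva)
{
    for (int i = 0; i < TLB_SIZE; i++)
        if (v->tlb[i].valid && v->tlb[i].asid == asid && v->tlb[i].gva == gva)
            return i;
    return -1;
}
/* INVLPGA semantics: drop the translation for gva in the given ASID only. */
static void tlb_flush_page(struct vcpu_model *v, uint32_t asid, uint64_t gva)
{
    int i = tlb_find(v, asid, gva);
    if (i >= 0) v->tlb[i].valid = false;
}
/* Pre-fix handler: services the exit without consulting EFER.SVME. */
enum invlpga_result invlpga_unfixed(struct vcpu_model *v, uint32_t asid, uint64_t gva)
{
    tlb_flush_page(v, asid, gva);
    return INVLPGA_DONE;
}
/* Fixed handler: with SVME clear the instruction is undefined, so inject #UD. */
enum invlpga_result invlpga_fixed(struct vcpu_model *v, uint32_t asid, uint64_t gva)
{
    if (!(v->efer & EFER_SVME))
        return INVLPGA_INJECT_UD;   /* guest takes #UD; TLB left untouched */
    tlb_flush_page(v, asid, gva);
    return INVLPGA_DONE;
}
/* One scenario: 'U' = #UD injected, TLB intact; 'F' = page flushed; '?' = model error. */
char observe(bool fixed_handler, bool svme_set)
{
    struct vcpu_model v = { .efer = svme_set ? EFER_SVME : 0,
                            .tlb = { {1, 0x1000, true}, {2, 0x1000, true} } };
    enum invlpga_result r = fixed_handler ? invlpga_fixed(&v, 1, 0x1000)
                                          : invlpga_unfixed(&v, 1, 0x1000);
    bool gone = tlb_find(&v, 1, 0x1000) < 0, kept = tlb_find(&v, 2, 0x1000) >= 0;
    if (r == INVLPGA_INJECT_UD && !gone && kept) return 'U';
    if (r == INVLPGA_DONE && gone && kept) return 'F';
    return '?';
}
```

observe(false, false) reproduces the pre-fix behaviour (the invalidation is performed although SVM is disabled), while observe(true, false) shows the patched handler delivering #UD and leaving the TLB untouched.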

Defensive priority

medium

Recommended defensive actions

  • Apply kernel patches from stable kernel branches once available for your distribution
  • Verify KVM SVM configurations on AMD-based virtualization hosts
  • Monitor for kernel updates addressing this vulnerability in your Linux distribution
  • Review guest VM configurations to ensure proper SVM enablement where required

Evidence notes

- CVE published: 2026-05-27T14:17:29.617Z
- CVE modified: 2026-05-27T14:48:03.013Z
- Source: NVD modified feed
- Vulnerability status: Awaiting Analysis
- Fix commits identified in kernel stable tree

Official resources

2026-05-27