PatchSiren cyber security CVE debrief

CVE-2026-46113 Linux CVE debrief

A use-after-free vulnerability in the Linux kernel's KVM x86 shadow MMU implementation allows privilege escalation and denial of service. The flaw occurs when guest page tables are modified between VM entries, causing KVM to create stale reverse map (rmap) entries that reference freed kvm_mmu_page structures. When a memslot is deleted, the rmap walk fails to locate entries outside the expected GFN range, leaving dangling pointers. Subsequent operations like dirty logging or MMU notifier invalidations dereference these freed structures. The vulnerability exists because KVM assumed GFNs would always match when walking shadow PTEs, an assumption that held until memory optimization changes in 2032a93d66fa removed separate GFN page allocation for direct MMU pages. The fix adds validation to detect GFN mismatches and zap existing SPTEs before installing new mappings.

Vendor: Linux
Product: Unknown
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-28
Original CVE updated: 2026-05-30
Advisory published: 2026-05-28
Advisory updated: 2026-05-30

Who should care

Cloud providers running KVM-based virtualization, organizations hosting untrusted workloads on Linux hypervisors, security teams responsible for kernel patch management

Technical summary

The vulnerability stems from incorrect GFN range assumptions in KVM's shadow page table management. When a guest's 2MB PDE mapping is modified externally and the guest accesses another page in that region, KVM installs a leaf SPTE with a GFN outside the original kvm_mmu_page's [sp->gfn, sp->gfn + 511] range. The rmap entry is recorded at this incorrect offset. When the original memslot is deleted, rmap_remove() only searches the original range and misses the stale entry. Later rmap walks for dirty logging or MMU notifiers traverse this stale entry and dereference the freed kvm_mmu_page. The fix validates target GFNs against existing SPTEs and zaps mismatches before installing new mappings.
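The rmap bookkeeping failure described above, as an added model that is not kernel code and not part of the CVE record: a direct shadow page whose leaf GFNs are derived from its base (the post-2032a93d66fa behaviour), the buggy path that records an rmap entry outside the page's range, and the fixed path that rejects the mismatch and zaps before linking a fresh page. The struct layout, the per-GFN rmap array and the GFN values 0x200/0x600 are constructed for the model.

```c
#include <string.h>
#define SP_ENTRIES 512   /* 4 KiB PTEs under one 2 MiB region */
#define SLOT_PAGES 4096  /* constructed memslot: GFNs 0..4095 */
struct kvm_mmu_page { unsigned long gfn; int freed; };  /* base GFN, freed flag */
/* Constructed memslot rmap, one slot per GFN: which shadow page maps it
 * (the real rmap holds sptep pointers; the owning page is derived from them). */
static struct kvm_mmu_page *rmap[SLOT_PAGES];
/* Since 2032a93d66fa direct pages keep no per-entry GFN array, so the GFN
 * of entry idx is derived from the page's base GFN. */
static unsigned long mmu_page_get_gfn(const struct kvm_mmu_page *sp, int idx)
{ return sp->gfn + idx; }
/* Install a leaf SPTE at idx for guest GFN fault_gfn and record its rmap.
 * fixed=0 records at fault_gfn unconditionally (the bug); fixed=1 rejects a
 * GFN the page cannot account for, so the caller zaps and reallocates. */
static int install_leaf(struct kvm_mmu_page *sp, int idx,
                        unsigned long fault_gfn, int fixed)
{
    if (fixed && mmu_page_get_gfn(sp, idx) != fault_gfn)
        return -1;
    rmap[fault_gfn] = sp;
    return 0;
}
/* Memslot deletion: rmap_remove() searches only the GFNs the page believes
 * it maps, then the page is freed. An entry recorded elsewhere survives. */
static void zap_and_free(struct kvm_mmu_page *sp)
{
    for (int i = 0; i < SP_ENTRIES; i++)
        if (rmap[mmu_page_get_gfn(sp, i)] == sp)
            rmap[mmu_page_get_gfn(sp, i)] = NULL;
    sp->freed = 1;
}
/* Replay the summary's scenario: sp shadows the 2 MiB region at GFN 0x200,
 * the guest PDE is repointed to 0x600, a page there is touched, then the
 * memslot is deleted. Returns how many rmap entries still point at a freed page. */
static int replay(int fixed)
{
    struct kvm_mmu_page sp = { .gfn = 0x200 }, fresh = { .gfn = 0x600 };
    int dangling = 0;
    memset(rmap, 0, sizeof(rmap));
    install_leaf(&sp, 5, 0x205, fixed);               /* in range: fine */
    if (install_leaf(&sp, 7, 0x607, fixed) < 0) {     /* mismatch caught */
        zap_and_free(&sp);                            /* zap stale page ... */
        install_leaf(&fresh, 7, 0x607, fixed);        /* ... link a fresh one */
    }
    zap_and_free(&sp);                                /* memslot deleted */
    zap_and_free(&fresh);
    for (int g = 0; g < SLOT_PAGES; g++)
        dangling += rmap[g] && rmap[g]->freed;        /* stale pointer a later walk follows */
    return dangling;
}
```

replay(0) leaves one rmap entry pointing at the freed page, which is the pointer a later dirty-logging or MMU-notifier walk would dereference; replay(1) leaves none.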

Defensive priority

High

Recommended defensive actions

  • Apply kernel updates containing commits 06c19c967b845b63172601fe459667d973b7e6b7, 0cb2af2ea66ad8ff195c156ea690f11216285bdf, 14d1e55dfd2cf4711bff164a6aaaddb783552134, 488e386484ec8c0e558be6e156edf34ed9f4d5c8, or 738ec97b5
  • Restart KVM virtual machines after kernel update to ensure shadow MMU state is reinitialized
  • Audit systems for unauthorized VM memory access attempts in hypervisor logs
  • Prioritize patching on multi-tenant virtualization hosts where untrusted guests execute

Evidence notes

Vulnerability description sourced from official CVE record published 2026-05-28. Fix commits identified in kernel.org stable tree. No CVSS score or severity assigned by NVD at time of disclosure.
