CVE-2026-46131 Linux CVE debrief

Who should care

Organizations running Linux-based hypervisors with KVM nested virtualization enabled, particularly those hosting multi-tenant workloads or untrusted nested guests. Cloud providers and enterprises using nested virtualization for testing, development, or container-in-VM deployments should prioritize patching.

Technical summary

The KVM x86 implementation incorrectly used `is_guest_mode(vcpu)` to guard calls to `translate_nested_gpa()` in slow flush hypercall paths. This condition is insufficient because `translate_nested_gpa()` requires nested EPT/NPT to be enabled, not merely that the vCPU is in guest mode. When an L2 guest runs without nested EPT/NPT, the incorrect condition could lead to invalid GPA translations. The fix replaces the condition with the same check used internally by `translate_nested_gpa()`, ensuring the translation function is only invoked when its preconditions are satisfied.

Defensive priority

medium

Recommended defensive actions

• Apply the relevant stable kernel patch for your kernel version (commits referenced in CVE record)
• Verify nested virtualization configurations use properly patched KVM modules
• Monitor NVD for CVSS scoring once analysis is complete
• Review hypervisor logs for any anomalous nested guest behavior if running unpatched kernels with nested virtualization enabled

Evidence notes

CVE description confirms the vulnerability is resolved in Linux kernel KVM x86 code. Five stable kernel commits are referenced, indicating backports to multiple kernel versions. NVD status is 'Awaiting Analysis' with no CVSS vector or weaknesses assigned. No KEV listing or known ransomware campaign use is indicated.

Official resources