PatchSiren cyber security CVE debrief
CVE-2026-53359 Linux CVE debrief
CVE-2026-53359 is a use-after-free in the KVM x86 shadow paging code (the shadow MMU, which KVM uses when it runs without two-dimensional paging, EPT on Intel or NPT on AMD, and when it runs nested guests). The underlying defect is a mismatch between the GFN (guest frame number) stored in a struct kvm_mmu_page and the GFN computed from it, which can be triggered by changing a PDE (page directory entry) from outside the guest and then deleting a memslot. An earlier commit fixed that GFN mismatch. A related variant remained: if the modified PDE points to a non-leaf page, the shadow page lookup can reuse a kvm_mmu_page with the wrong role, and that role mismatch leaves a stale rmap entry behind when a leaf SPTE (shadow page table entry) is installed and the child page is later zapped. The stale entry outlives the freed shadow page, which is the use-after-free.
- Vendor
- Linux
- Product
- Unknown
- CVSS
- Unknown
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-04
- Original CVE updated
- 2026-07-04
- Advisory published
- 2026-07-04
- Advisory updated
- 2026-07-04
Who should care
Operators of Linux KVM hosts on x86 (cloud and virtualization platform teams, and the security teams that cover them) should track this. The shadow MMU is only in use on hosts that run with EPT/NPT disabled or that run nested guests, so those hosts are the ones to prioritise. The trigger as described requires guest page tables to be rewritten from outside the guest, typically by the host-side VMM, followed by a memslot deletion; the stored evidence does not state that an unprivileged guest alone can reach the bug. The effect is corruption of host kernel memory, which is at minimum a host denial of service and, as with any kernel use-after-free, may be escalatable; the stored evidence carries no CVSS score and no exploitation details.
Technical summary
The bug is in the KVM x86 shadow MMU. When a PDE mapping is changed from outside the guest and a memslot is then deleted, the rmap entry for a leaf SPTE can survive the freeing of the shadow page that holds it. In the first form of the bug, rmap_remove() misses entries created after the PDE change because the GFN of the leaf SPTE does not match the GFN recorded in the owning struct kvm_mmu_page. In the second form, with the same trigger, the modified PDE points to a non-leaf page, and the shadow page lookup reuses a kvm_mmu_page whose role does not match the new walk. When a leaf SPTE is installed on the new path, its rmap entry is recorded under the GFN the walk resolved. When that child page is zapped, the parent kvm_mmu_page has a direct role, so kvm_mmu_page_get_gfn() derives the GFN from the page's own GFN and the SPTE index rather than from the walk, returns a different GFN, and rmap_remove() does not find the entry. The memslot is dropped and the shadow page is freed, but the rmap still points into it, and the next access through that rmap entry is a use-after-free. The invariant that breaks is simple to state: the GFN under which an rmap entry is recorded must be the GFN under which it is later removed.
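The following C program is a toy model of that invariant, written for this debrief; it is not kernel code and does not reproduce the kernel's fix. It borrows the kernel's vocabulary (kvm_mmu_page, rmap, role.direct) so the mechanism is readable, and it assumes a single toy memslot of 64 GFNs and a shadow page cache that, in its buggy form, matches pages on GFN alone. The scenario is the advisory's: a direct page already exists for a GFN, a PDE rewritten from outside the guest makes the walk ask for a non-leaf page at that same GFN, a leaf SPTE is installed under the GFN the walk resolved, and the page is then zapped using the computed GFN.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model for CVE-2026-53359. Not kernel code. */
#define NGFNS    64   /* toy memslot: GFNs 0..63 (assumption) */
#define NPAGES    8   /* toy shadow-page cache */
#define NSPTES    4   /* leaf SPTEs per toy shadow page */
#define RMAP_LEN  4   /* rmap chain length per GFN */

struct mmu_page;

struct spte {
    struct mmu_page *parent;  /* shadow page that holds this SPTE */
    unsigned index;           /* slot within the parent */
    uint64_t walk_gfn;        /* GFN the guest walk resolved at install time */
    bool used;
};

struct mmu_page {
    uint64_t gfn;             /* stored GFN (kvm_mmu_page::gfn in the kernel) */
    bool direct;              /* role.direct */
    bool freed;
    bool used;
    struct spte sptes[NSPTES];
};

static struct mmu_page pages[NPAGES];
static struct spte *rmap[NGFNS][RMAP_LEN];

static void reset_state(void)
{
    memset(pages, 0, sizeof pages);
    memset(rmap, 0, sizeof rmap);
}

/* Shadow page lookup. With match_role == false the cache matches on GFN only,
 * so a direct page is handed back when the walk needs an indirect one: the
 * role mismatch described in the advisory. */
static struct mmu_page *get_page(uint64_t gfn, bool direct, bool match_role)
{
    for (int i = 0; i < NPAGES; i++) {
        struct mmu_page *p = &pages[i];
        if (p->used && !p->freed && p->gfn == gfn &&
            (!match_role || p->direct == direct))
            return p;
    }
    for (int i = 0; i < NPAGES; i++) {
        if (!pages[i].used) {
            pages[i].used = true;
            pages[i].gfn = gfn;
            pages[i].direct = direct;
            return &pages[i];
        }
    }
    return NULL;
}

static void rmap_add(uint64_t gfn, struct spte *s)
{
    for (int i = 0; i < RMAP_LEN; i++)
        if (!rmap[gfn][i]) { rmap[gfn][i] = s; return; }
}

static bool rmap_remove(uint64_t gfn, struct spte *s)
{
    for (int i = 0; i < RMAP_LEN; i++)
        if (rmap[gfn][i] == s) { rmap[gfn][i] = NULL; return true; }
    return false;
}

/* Model of kvm_mmu_page_get_gfn(): a direct page derives the leaf GFN from its
 * own GFN plus the index; an indirect page reports the GFN recorded at install. */
static uint64_t page_get_gfn(const struct spte *s)
{
    return s->parent->direct ? s->parent->gfn + s->index : s->walk_gfn;
}

/* Install a leaf SPTE and record its rmap entry under the walk-resolved GFN. */
static void install_leaf(struct mmu_page *p, unsigned index, uint64_t walk_gfn)
{
    struct spte *s = &p->sptes[index];
    *s = (struct spte){ .parent = p, .index = index, .walk_gfn = walk_gfn, .used = true };
    rmap_add(walk_gfn, s);
}

/* Zap: drop every rmap entry using the *computed* GFN, then free the page. */
static void zap_page(struct mmu_page *p)
{
    for (unsigned i = 0; i < NSPTES; i++)
        if (p->sptes[i].used)
            rmap_remove(page_get_gfn(&p->sptes[i]), &p->sptes[i]);
    p->freed = true;
}

/* rmap entries that still point into freed pages are the use-after-free. */
static int dangling_rmap_entries(void)
{
    int n = 0;
    for (int g = 0; g < NGFNS; g++)
        for (int i = 0; i < RMAP_LEN; i++)
            if (rmap[g][i] && rmap[g][i]->parent->freed)
                n++;
    return n;
}

/* The advisory's scenario in toy form; returns the number of dangling entries. */
int simulate(bool match_role)
{
    reset_state();
    get_page(0x10, true, match_role);                       /* direct page exists for GFN 0x10 */
    struct mmu_page *child = get_page(0x10, false, match_role); /* PDE now points at 0x10 as a non-leaf */
    install_leaf(child, 0, 0x20);                           /* leaf SPTE, walk resolved GFN 0x20 */
    zap_page(child);                                        /* memslot deletion zaps and frees it */
    return dangling_rmap_entries();
}

int main(void)
{
    printf("role ignored in lookup: %d dangling rmap entries\n", simulate(false));
    printf("role checked in lookup: %d dangling rmap entries\n", simulate(true));
    return 0;
}
```

With the role ignored, the leaf is recorded under GFN 0x20 but removed under 0x10 (page GFN plus index on a direct page), so one entry survives the free; with the role checked, a fresh indirect page is allocated, the computed and recorded GFNs agree, and nothing dangles. The model's role check is one way to restore the invariant, not a statement of what the upstream commit does.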
Defensive priority
High for hosts that use the shadow MMU (EPT/NPT disabled, or nested guests in use); moderate elsewhere, since the affected code is not exercised. The outcome is host kernel memory corruption, which is at least a host denial of service and, as with any kernel use-after-free, may be escalatable. The stored evidence provides no CVSS score and no report of exploitation, so this rating is based on the bug class and the host-kernel location, not on observed attacks.
Recommended defensive actions
- Apply the fixed kernel from the Linux kernel maintainers or your distribution; both the original GFN-mismatch fix and the role-mismatch fix described in this record are needed.
- Establish exposure before scheduling: on each host check /sys/module/kvm_intel/parameters/ept (Intel) or /sys/module/kvm_amd/parameters/npt (AMD), and whether the nested parameter of the same module is enabled. Hosts with EPT/NPT on and no nested guests do not use the shadow MMU for their guests and can be patched in the normal cycle.
- Inventory every KVM host and prioritise those that run with two-dimensional paging disabled or host nested virtualization, and those whose VMMs rewrite guest memory and delete memslots as part of normal operation (hotplug, live migration, balloon drivers).
- Until patched, treat host kernel oopses, warnings or KASAN reports originating in the KVM MMU code during memslot changes as a possible sign of this bug being hit, and collect the crash data rather than only restarting the host.
- Keep host logging and kernel crash capture (kdump or equivalent) enabled on virtualization hosts so that a use-after-free that does fire can be attributed.
Evidence notes
The CVE record and its references describe the cause of the bug, the trigger (PDE change from outside the guest, then memslot deletion), and the fix. The Linux kernel maintainers addressed the issue through commits that correct both the shadow paging GFN mismatch and the later role mismatch. No CVSS score, affected-version range or exploitation report is present in the stored evidence.
Official resources
- CVE-2026-53359 CVE record (CVE.org)
- CVE-2026-53359 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
This AI-assisted debrief is based on the supplied source corpus and official links. It is intended to provide a factual overview of the vulnerability and recommended defensive actions.