Bug 2444833 - kernel: KVM shadow EPT stale rmap use-after-free
Summary: kernel: KVM shadow EPT stale rmap use-after-free
Keywords:
Status: CLOSED DUPLICATE of bug 2453803
Alias: None
Product: Security Response
Classification: Other
Component: vulnerability-draft
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-03-05 14:45 UTC by OSIDB Bzimport
Modified: 2026-04-28 18:45 UTC (History)
6 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2026-04-28 18:45:48 UTC
Embargoed:


Attachments (Terms of Use)

Description OSIDB Bzimport 2026-03-05 14:45:51 UTC
A use-after-free vulnerability was found in KVM's shadow EPT code. The bug requires the ability for the guest to initiate a host or device write to guest memory, to bypass KVM's write-tracking. In practice, this vulnerability is exploitable from almost any VMX x86 guest with nested virtualization enabled or using shadow paging (ept=0). The flaw can lead to a denial-of-service (DoS) condition and host kernel memory corruption.

Comment 5 Keith Grant 2026-04-28 18:45:48 UTC

*** This bug has been marked as a duplicate of bug 2453803 ***


Note You need to log in before you can comment on or make changes to this bug.