Bug 2453803 (CVE-2026-23401) - CVE-2026-23401 kernel: Linux kernel KVM: Privilege escalation or denial of service due to improper shadow page table entry handling
Summary: CVE-2026-23401 kernel: Linux kernel KVM: Privilege escalation or denial of se...
Keywords:
Status: NEW
Alias: CVE-2026-23401
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Duplicates: 2444833
Depends On:
Blocks:
Reported: 2026-04-01 10:02 UTC by OSIDB Bzimport
Modified: 2026-05-11 00:29 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Links
System                  ID               Private  Priority  Status  Summary  Last Updated
Red Hat Product Errata  RHSA-2026:13577  0        None      None    None     2026-05-05 05:41:05 UTC
Red Hat Product Errata  RHSA-2026:13578  0        None      None    None     2026-05-05 05:24:04 UTC
Red Hat Product Errata  RHSA-2026:13932  0        None      None    None     2026-05-06 08:16:12 UTC
Red Hat Product Errata  RHSA-2026:13936  0        None      None    None     2026-05-06 08:15:40 UTC
Red Hat Product Errata  RHSA-2026:14137  0        None      None    None     2026-05-06 13:38:11 UTC
Red Hat Product Errata  RHSA-2026:14230  0        None      None    None     2026-05-06 17:25:00 UTC
Red Hat Product Errata  RHSA-2026:14339  0        None      None    None     2026-05-06 20:41:06 UTC
Red Hat Product Errata  RHSA-2026:15883  0        None      None    None     2026-05-11 00:29:55 UTC

Description OSIDB Bzimport 2026-04-01 10:02:37 UTC
In the Linux kernel, the following vulnerability has been resolved:

KVM: x86/mmu: Drop/zap existing present SPTE even when creating an MMIO SPTE

When installing an emulated MMIO SPTE, do so *after* dropping/zapping the
existing SPTE (if it's shadow-present).  While commit a54aa15c6bda3 was
right about it being impossible to convert a shadow-present SPTE to an
MMIO SPTE due to a _guest_ write, it failed to account for writes to guest
memory that are outside the scope of KVM.

E.g. if host userspace modifies a shadowed gPTE to switch from a memslot
to emulated MMIO and then the guest hits a relevant page fault, KVM will
install the MMIO SPTE without first zapping the shadow-present SPTE.

  ------------[ cut here ]------------
  is_shadow_present_pte(*sptep)
  WARNING: arch/x86/kvm/mmu/mmu.c:484 at mark_mmio_spte+0xb2/0xc0 [kvm], CPU#0: vmx_ept_stale_r/4292
  Modules linked in: kvm_intel kvm irqbypass
  CPU: 0 UID: 1000 PID: 4292 Comm: vmx_ept_stale_r Not tainted 7.0.0-rc2-eafebd2d2ab0-sink-vm #319 PREEMPT
  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
  RIP: 0010:mark_mmio_spte+0xb2/0xc0 [kvm]
  Call Trace:
   <TASK>
   mmu_set_spte+0x237/0x440 [kvm]
   ept_page_fault+0x535/0x7f0 [kvm]
   kvm_mmu_do_page_fault+0xee/0x1f0 [kvm]
   kvm_mmu_page_fault+0x8d/0x620 [kvm]
   vmx_handle_exit+0x18c/0x5a0 [kvm_intel]
   kvm_arch_vcpu_ioctl_run+0xc55/0x1c20 [kvm]
   kvm_vcpu_ioctl+0x2d5/0x980 [kvm]
   __x64_sys_ioctl+0x8a/0xd0
   do_syscall_64+0xb5/0x730
   entry_SYSCALL_64_after_hwframe+0x4b/0x53
  RIP: 0033:0x47fa3f
   </TASK>
  ---[ end trace 0000000000000000 ]---
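The ordering problem the commit message describes, as an added illustration that is not KVM source and not part of this bug report: a minimal model of a shadow page table entry in which the helper names (is_shadow_present_pte, mark_mmio_spte, mmu_set_spte) mirror the symbols in the trace above, while the SPTE bit layout, the drop logic and the pinned-page counter standing in for KVM's rmap/reference bookkeeping are assumptions of the model. It runs the scenario from the description (a gPTE first backed by a memslot, repointed at emulated MMIO outside KVM's view, then faulted again) through the pre-fix ordering and the fixed ordering, and reports whether the WARN condition from the trace fires and whether the old mapping's bookkeeping is left behind.

```c
/*
 * Added model of the SPTE ordering bug; NOT the kernel's code.
 * Bit layout, drop_spte() and the pin counter are assumptions for illustration.
 */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

typedef uint64_t u64;

/* Assumed layout for this model only: real SPTEs encode these bits differently. */
#define SPTE_PRESENT    (1ULL << 0)    /* translation backed by host memory */
#define SPTE_MMIO_MARK  (1ULL << 62)   /* emulated-MMIO marker; never "present" */

static bool is_shadow_present_pte(u64 spte) { return (spte & SPTE_PRESENT) != 0; }
static bool is_mmio_spte(u64 spte) {
    return (spte & SPTE_MMIO_MARK) && !is_shadow_present_pte(spte);
}

/* Stand-in for rmap/refcount bookkeeping: host pages currently pinned by SPTEs. */
static int pinned_pages;

/* Zap an SPTE, releasing the reference a present mapping holds. */
static void drop_spte(u64 *sptep) {
    if (is_shadow_present_pte(*sptep))
        pinned_pages--;
    *sptep = 0;
}

static void make_spte_present(u64 *sptep, u64 pfn) {
    *sptep = SPTE_PRESENT | (pfn << 12);
    pinned_pages++;
}

/* Installs an MMIO SPTE. Returns false if the invariant checked by the WARN
 * in the trace (the slot must not be shadow-present) is violated. */
static bool mark_mmio_spte(u64 *sptep, u64 gfn) {
    bool ok = !is_shadow_present_pte(*sptep);
    if (!ok)
        fprintf(stderr, "WARNING: is_shadow_present_pte(*sptep) in mark_mmio_spte\n");
    *sptep = SPTE_MMIO_MARK | (gfn << 12);
    return ok;
}

/* Pre-fix ordering (model): the MMIO path skips the zap of an existing present SPTE. */
static bool mmu_set_spte_buggy(u64 *sptep, bool is_mmio, u64 pfn_or_gfn) {
    if (is_mmio)
        return mark_mmio_spte(sptep, pfn_or_gfn);
    if (is_shadow_present_pte(*sptep))
        drop_spte(sptep);
    make_spte_present(sptep, pfn_or_gfn);
    return true;
}

/* Fixed ordering: drop any shadow-present SPTE first, then install the new one. */
static bool mmu_set_spte_fixed(u64 *sptep, bool is_mmio, u64 pfn_or_gfn) {
    if (is_shadow_present_pte(*sptep))
        drop_spte(sptep);
    if (is_mmio)
        return mark_mmio_spte(sptep, pfn_or_gfn);
    make_spte_present(sptep, pfn_or_gfn);
    return true;
}

typedef struct { bool warned; int leaked_pins; } result_t;

/* Scenario from the description: fault maps RAM, host userspace repoints the
 * gPTE at emulated MMIO, guest faults again. Constructed values, no real gfns. */
static result_t run_scenario(bool (*set_spte)(u64 *, bool, u64)) {
    u64 spte = 0;
    pinned_pages = 0;
    set_spte(&spte, false, 0x1234);            /* first fault: memslot-backed */
    bool ok = set_spte(&spte, true, 0x1234);   /* second fault: now emulated MMIO */
    result_t r = { .warned = !ok, .leaked_pins = pinned_pages };
    return r;
}

int main(void) {
    result_t b = run_scenario(mmu_set_spte_buggy);
    result_t f = run_scenario(mmu_set_spte_fixed);
    printf("buggy: warned=%d leaked_pins=%d\n", b.warned, b.leaked_pins);
    printf("fixed: warned=%d leaked_pins=%d\n", f.warned, f.leaked_pins);
    return 0;
}
```

In the model the pre-fix path both trips the WARN and leaves the old mapping's reference behind, while the fixed path releases it before the MMIO SPTE is written; the general point is that any code replacing a present translation has to tear the old one down first, regardless of what kind of entry goes in.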

Comment 1 Mauro Matteo Cascella 2026-04-01 10:16:15 UTC
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026040108-CVE-2026-23401-956d@gregkh/T

Comment 4 Keith Grant 2026-04-28 18:45:48 UTC
*** Bug 2444833 has been marked as a duplicate of this bug. ***

Comment 5 errata-xmlrpc 2026-05-05 05:24:03 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:13578 https://access.redhat.com/errata/RHSA-2026:13578

Comment 6 errata-xmlrpc 2026-05-05 05:41:04 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:13577 https://access.redhat.com/errata/RHSA-2026:13577

Comment 7 errata-xmlrpc 2026-05-06 08:15:39 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2026:13936 https://access.redhat.com/errata/RHSA-2026:13936

Comment 8 errata-xmlrpc 2026-05-06 08:16:11 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2026:13932 https://access.redhat.com/errata/RHSA-2026:13932

Comment 9 errata-xmlrpc 2026-05-06 13:38:10 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2026:14137 https://access.redhat.com/errata/RHSA-2026:14137

Comment 10 errata-xmlrpc 2026-05-06 17:25:00 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.6 Telecommunications Update Service

Via RHSA-2026:14230 https://access.redhat.com/errata/RHSA-2026:14230

Comment 11 errata-xmlrpc 2026-05-06 20:41:05 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.6 Extended Update Support

Via RHSA-2026:14339 https://access.redhat.com/errata/RHSA-2026:14339

Comment 12 errata-xmlrpc 2026-05-11 00:29:53 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10.0 Extended Update Support

Via RHSA-2026:15883 https://access.redhat.com/errata/RHSA-2026:15883
