Bug 2481992 (CVE-2026-46076) - CVE-2026-46076 kernel: KVM: nSVM: Raise #UD if unhandled VMMCALL isn't intercepted by L1
Summary: CVE-2026-46076 kernel: KVM: nSVM: Raise #UD if unhandled VMMCALL isn't interc...
Keywords:
Status: NEW
Alias: CVE-2026-46076
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-05-27 15:06 UTC by OSIDB Bzimport
Modified: 2026-05-27 17:40 UTC (History)
2 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description OSIDB Bzimport 2026-05-27 15:06:00 UTC
In the Linux kernel, the following vulnerability has been resolved:

KVM: nSVM: Raise #UD if unhandled VMMCALL isn't intercepted by L1

Explicitly synthesize a #UD for VMMCALL if L2 is active, L1 does NOT want
to intercept VMMCALL, nested_svm_l2_tlb_flush_enabled() is true, and the
hypercall is something other than one of the supported Hyper-V hypercalls.
When all of the above conditions are met, KVM will intercept VMMCALL but
never forward it to L1, i.e. will let L2 make hypercalls as if it were L1.

The TLFS says a whole lot of nothing about this scenario, so go with the
architectural behavior, which says that VMMCALL #UDs if it's not
intercepted.

Opportunistically do a 2-for-1 stub trade by stub-ifying the new API
instead of the helpers it uses.  The last remaining "single" stub will
soon be dropped as well.

[sean: rewrite changelog and comment, tag for stable, remove defunct stubs]


Note You need to log in before you can comment on or make changes to this bug.