CVE-2026-23401
Status: Received - Intake
KVM MMU SPTE Handling Flaw Causes Stale Entry Faults

Publication date: 2026-04-01

Last updated on: 2026-04-24

Assigner: kernel.org

Description

In the Linux kernel, the following vulnerability has been resolved:

KVM: x86/mmu: Drop/zap existing present SPTE even when creating an MMIO SPTE

When installing an emulated MMIO SPTE, do so *after* dropping/zapping the existing SPTE (if it's shadow-present). While commit a54aa15c6bda3 was right about it being impossible to convert a shadow-present SPTE to an MMIO SPTE due to a _guest_ write, it failed to account for writes to guest memory that are outside the scope of KVM. E.g. if host userspace modifies a shadowed gPTE to switch from a memslot to emulated MMIO and then the guest hits a relevant page fault, KVM will install the MMIO SPTE without first zapping the shadow-present SPTE.

  ------------[ cut here ]------------
  is_shadow_present_pte(*sptep)
  WARNING: arch/x86/kvm/mmu/mmu.c:484 at mark_mmio_spte+0xb2/0xc0 [kvm], CPU#0: vmx_ept_stale_r/4292
  Modules linked in: kvm_intel kvm irqbypass
  CPU: 0 UID: 1000 PID: 4292 Comm: vmx_ept_stale_r Not tainted 7.0.0-rc2-eafebd2d2ab0-sink-vm #319 PREEMPT
  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
  RIP: 0010:mark_mmio_spte+0xb2/0xc0 [kvm]
  Call Trace:
   <TASK>
   mmu_set_spte+0x237/0x440 [kvm]
   ept_page_fault+0x535/0x7f0 [kvm]
   kvm_mmu_do_page_fault+0xee/0x1f0 [kvm]
   kvm_mmu_page_fault+0x8d/0x620 [kvm]
   vmx_handle_exit+0x18c/0x5a0 [kvm_intel]
   kvm_arch_vcpu_ioctl_run+0xc55/0x1c20 [kvm]
   kvm_vcpu_ioctl+0x2d5/0x980 [kvm]
   __x64_sys_ioctl+0x8a/0xd0
   do_syscall_64+0xb5/0x730
   entry_SYSCALL_64_after_hwframe+0x4b/0x53
  RIP: 0033:0x47fa3f
   </TASK>
  ---[ end trace 0000000000000000 ]---
Meta Information

Generated: 2026-05-07
AI Q&A: 2026-04-01
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 14 associated CPEs

Vendor   Product        Version / Range
linux    linux_kernel   5.13
linux    linux_kernel   7.0
linux    linux_kernel   7.0
linux    linux_kernel   7.0
linux    linux_kernel   7.0
linux    linux_kernel   7.0
linux    linux_kernel   7.0
linux    linux_kernel   7.0
linux    linux_kernel   From 5.13.1 (inc) to 5.15.203 (exc)
linux    linux_kernel   From 5.16 (inc) to 6.1.168 (exc)
linux    linux_kernel   From 6.2 (inc) to 6.6.131 (exc)
linux    linux_kernel   From 6.7 (inc) to 6.12.80 (exc)
linux    linux_kernel   From 6.13 (inc) to 6.18.21 (exc)
linux    linux_kernel   From 6.19 (inc) to 6.19.11 (exc)
CWE ID: CWE-UNKNOWN

AI Powered Q&A
How can this vulnerability impact me?

This vulnerability can cause instability or unexpected behavior in virtualized environments using KVM on affected Linux kernels. Because the kernel improperly manages page table entries during emulated MMIO operations, it may lead to kernel warnings, crashes, or incorrect memory access handling. This can affect the reliability and security of virtual machines running on the host, potentially leading to denial of service or other operational issues.


Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's KVM (Kernel-based Virtual Machine) module for x86 architecture. It involves improper handling of shadow page table entries (SPTEs) when installing an emulated MMIO (Memory-Mapped I/O) SPTE. Specifically, the kernel fails to drop or zap an existing shadow-present SPTE before creating a new MMIO SPTE. This can occur when host userspace modifies a shadowed guest page table entry (gPTE) to switch from a memory slot to emulated MMIO, and then the guest triggers a page fault. The kernel installs the MMIO SPTE without first removing the existing shadow-present SPTE, which can lead to inconsistencies and potential errors in memory management.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability manifests as a warning and stack trace in the Linux kernel logs related to KVM's handling of MMIO SPTEs. Detection involves monitoring the kernel log for specific warning messages.

  • Check kernel logs for the warning: "is_shadow_present_pte(*sptep) WARNING: arch/x86/kvm/mmu/mmu.c:484 at mark_mmio_spte+0xb2/0xc0 [kvm]"
  • Use the command: dmesg | grep 'mark_mmio_spte' to find relevant warnings in the kernel ring buffer.
  • Alternatively, monitor system logs with: journalctl -k | grep 'mark_mmio_spte'
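The grep commands above match on the function name, which is the right anchor: the +0xb2/0xc0 offsets and the mmu.c:484 line number in the trace depend on the exact kernel build, so they should not be hard-coded. The following scanner is an added example written for this page (not from kernel.org or the advisory) that applies the same idea to a dmesg or journalctl capture: it keys on the file and function of the WARNING line, checks that the is_shadow_present_pte(*sptep) assertion text precedes it, and pulls out the CPU, task name and PID when the WARNING line carries them. The sample log embedded below is constructed for the demonstration.

```python
import re
import sys

# Signature from the trace in the advisory.  The file and function are the
# stable parts; the source line and the +off/size values vary per build, so
# they are captured but not matched literally.  The trailing
# ", CPU#N: comm/pid" part is optional because older kernels omit it.
WARNING_RE = re.compile(
    r"WARNING: .*?arch/x86/kvm/mmu/mmu\.c:(\d+) at (mark_mmio_spte)"
    r"\+0x[0-9a-f]+/0x[0-9a-f]+ \[kvm\]"
    r"(?:, CPU#(\d+): (\S+?)/(\d+))?"
)
# The WARN text printed on the line just before the WARNING line.
ASSERT_TEXT = "is_shadow_present_pte(*sptep)"

# Constructed sample: one real-looking hit plus two lines that must not match
# (a WARNING from a different file/function, and a non-WARNING mention).
SAMPLE_LOG = """\
[  120.001000] ------------[ cut here ]------------
[  120.001001] is_shadow_present_pte(*sptep)
[  120.001002] WARNING: arch/x86/kvm/mmu/mmu.c:484 at mark_mmio_spte+0xb2/0xc0 [kvm], CPU#0: vmx_ept_stale_r/4292
[  120.001003] Modules linked in: kvm_intel kvm irqbypass
[  120.001004] Call Trace:
[  120.001005]  mmu_set_spte+0x237/0x440 [kvm]
[  120.001006] ---[ end trace 0000000000000000 ]---
[  300.500000] WARNING: drivers/example/foo.c:12 at foo_bar+0x10/0x20 [foo]
[  301.000000] kvm: unrelated message that merely mentions mark_mmio_spte
"""


def find_stale_spte_warnings(lines):
    """Return one dict per WARNING line raised from mark_mmio_spte() in mmu.c.

    `lines` is any iterable of kernel log lines (dmesg or journalctl -k output;
    timestamp prefixes are tolerated because the pattern is searched, not anchored).
    """
    hits = []
    prev = ""
    for lineno, line in enumerate(lines, 1):
        m = WARNING_RE.search(line)
        if m:
            hits.append({
                "line": lineno,                        # position in the input
                "source_line": int(m.group(1)),        # mmu.c line, build dependent
                "function": m.group(2),
                "assert_seen": ASSERT_TEXT in prev,    # assertion text precedes WARNING
                "cpu": int(m.group(3)) if m.group(3) else None,
                "comm": m.group(4),
                "pid": int(m.group(5)) if m.group(5) else None,
            })
        prev = line
    return hits


def summarize(hits):
    """Human-readable one-liner per hit, for use at the end of a pipeline."""
    return [
        f"line {h['line']}: {h['function']} (mmu.c:{h['source_line']})"
        + (f" task {h['comm']}/{h['pid']} on CPU {h['cpu']}" if h["comm"] else "")
        + ("" if h["assert_seen"] else " [assertion text not found on preceding line]")
        for h in hits
    ]


if __name__ == "__main__":
    # Usage:  dmesg | python3 spte_warn_scan.py    or    journalctl -k | python3 spte_warn_scan.py
    # With no piped input, the constructed sample is scanned instead.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    found = find_stale_spte_warnings(text.splitlines())
    print("\n".join(summarize(found)) if found else "no mark_mmio_spte warnings found")
```

A hit only shows that the WARN_ON fired on a vulnerable kernel; its absence does not prove the fix is present, so pair this with the version check in the mitigation section.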

What immediate steps should I take to mitigate this vulnerability?

The vulnerability has been resolved in the Linux kernel by ensuring that existing shadow-present SPTEs are dropped or zapped before installing an emulated MMIO SPTE. Immediate mitigation involves updating the Linux kernel to a version that includes this fix.

  • Update the Linux kernel to the latest stable release that contains the fix for this KVM MMIO SPTE issue.
  • Restart the system after the kernel update to ensure the patched kernel is in use.
  • Monitor kernel logs post-update to confirm the absence of the warning message.
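To decide whether a given host needs the update, the CPE ranges listed under Affected Vendors & Products can be compared against the running kernel. The script below is an added example written for this page, not tooling from kernel.org or the advisory: it encodes the page's ranges (lower bound inclusive, upper bound exclusive) and the bare 5.13 and 7.0 entries, parses a `uname -r` string, and reports whether the version falls inside an affected range. Distribution kernels often backport fixes without bumping the upstream version, so a "affected" answer from a version-only check is a triage signal to confirm against the vendor's changelog, not proof.

```python
import platform
import re

# Ranges as listed on the page: [lower, upper) on (major, minor, patch).
AFFECTED_RANGES = [
    ((5, 13, 1), (5, 15, 203)),
    ((5, 16, 0), (6, 1, 168)),
    ((6, 2, 0), (6, 6, 131)),
    ((6, 7, 0), (6, 12, 80)),
    ((6, 13, 0), (6, 18, 21)),
    ((6, 19, 0), (6, 19, 11)),
]
# Entries the page lists without a patch level; matched on (major, minor) only.
AFFECTED_BARE = [(5, 13), (7, 0)]

VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_kernel_version(release):
    """Turn a `uname -r` string such as '6.12.79-generic' into (major, minor, patch).

    A missing patch level ('7.0.0-rc2' has one, '6.19-rc3' does not) is read as 0;
    any -rcN or distribution suffix is ignored.
    """
    m = VERSION_RE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release string: {release!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def matching_range(release):
    """Return the (lower, upper) range or bare entry that covers `release`, else None."""
    v = parse_kernel_version(release)
    for lo, hi in AFFECTED_RANGES:
        if lo <= v < hi:
            return (lo, hi)
    if (v[0], v[1]) in AFFECTED_BARE:
        return ((v[0], v[1]), None)
    return None


def is_affected(release):
    """True when the version string falls inside one of the advisory's listed ranges."""
    return matching_range(release) is not None


def report(release):
    """One-line verdict suitable for a fleet inventory script."""
    hit = matching_range(release)
    if hit is None:
        return f"{release}: outside the listed affected ranges"
    lo, hi = hit
    span = f"{'.'.join(map(str, lo))} to {'.'.join(map(str, hi))} (exc)" if hi else f"bare entry {'.'.join(map(str, lo))}"
    return f"{release}: in affected range {span}; confirm vendor backport status"


if __name__ == "__main__":
    # Checks the kernel this script runs on; pass another string to report() for inventory data.
    print(report(platform.release()))
```

The first fixed version in each stable series is the exclusive upper bound, so 6.12.80 reports clean while 6.12.79 does not; that is exactly the boundary the table encodes.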
