CVE-2026-23402
KVM MMU Shadow-Present SPTE Overwrite Warning in Linux Kernel

Publication date: 2026-04-01

Last updated on: 2026-04-24

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

KVM: x86/mmu: Only WARN in direct MMUs when overwriting shadow-present SPTE

Adjust KVM's sanity check against overwriting a shadow-present SPTE with another SPTE with a different target PFN to only apply to direct MMUs, i.e. only to MMUs without shadowed gPTEs. While it's impossible for KVM to overwrite a shadow-present SPTE in response to a guest write, writes from outside the scope of KVM, e.g. from host userspace, aren't detected by KVM's write tracking and so can break KVM's shadow paging rules.

  ------------[ cut here ]------------
  pfn != spte_to_pfn(*sptep)
  WARNING: arch/x86/kvm/mmu/mmu.c:3069 at mmu_set_spte+0x1e4/0x440 [kvm], CPU#0: vmx_ept_stale_r/872
  Modules linked in: kvm_intel kvm irqbypass
  CPU: 0 UID: 1000 PID: 872 Comm: vmx_ept_stale_r Not tainted 7.0.0-rc2-eafebd2d2ab0-sink-vm #319 PREEMPT
  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
  RIP: 0010:mmu_set_spte+0x1e4/0x440 [kvm]
  Call Trace:
   <TASK>
   ept_page_fault+0x535/0x7f0 [kvm]
   kvm_mmu_do_page_fault+0xee/0x1f0 [kvm]
   kvm_mmu_page_fault+0x8d/0x620 [kvm]
   vmx_handle_exit+0x18c/0x5a0 [kvm_intel]
   kvm_arch_vcpu_ioctl_run+0xc55/0x1c20 [kvm]
   kvm_vcpu_ioctl+0x2d5/0x980 [kvm]
   __x64_sys_ioctl+0x8a/0xd0
   do_syscall_64+0xb5/0x730
   entry_SYSCALL_64_after_hwframe+0x4b/0x53
   </TASK>
  ---[ end trace 0000000000000000 ]---
Meta Information
  Published: 2026-04-01
  Last Modified: 2026-04-24
  Generated: 2026-05-27
  AI Q&A: 2026-04-01
  EPSS Evaluated: 2026-05-25
Affected Vendors & Products
Showing 10 associated CPEs

  Vendor   Product        Version / Range
  linux    linux_kernel   6.16
  linux    linux_kernel   7.0
  linux    linux_kernel   7.0
  linux    linux_kernel   7.0
  linux    linux_kernel   7.0
  linux    linux_kernel   7.0
  linux    linux_kernel   7.0
  linux    linux_kernel   7.0
  linux    linux_kernel   From 6.19 (inc) to 6.19.11 (exc)
  linux    linux_kernel   From 6.16.1 (inc) to 6.18.21 (exc)
CWE ID: CWE-UNKNOWN
AI Powered Q&A
How can this vulnerability impact me?

This vulnerability can lead to instability or unexpected warnings in the Linux kernel when using KVM virtualization. Specifically, unauthorized or unexpected modifications to shadow-present SPTEs by host userspace could break the integrity of KVM's shadow paging mechanism.

Such disruptions might cause virtual machines to behave unpredictably, potentially leading to crashes or degraded performance. However, the description does not specify any direct security impact such as privilege escalation or data leakage.


Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's KVM (Kernel-based Virtual Machine) component related to memory management on x86 architectures. Specifically, it involves the handling of shadow-present SPTEs (Shadow Page Table Entries) in the MMU (Memory Management Unit). The issue arises because KVM's sanity check for overwriting a shadow-present SPTE with another SPTE pointing to a different physical frame number (PFN) only applies to direct MMUs, which do not have shadowed guest page tables (gPTEs).

While KVM prevents overwriting shadow-present SPTEs in response to guest writes, it does not detect writes originating from outside KVM's scope, such as those from host userspace. These undetected writes can break KVM's shadow paging rules, potentially causing warnings or errors in the kernel.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring the Linux kernel logs for specific warning messages related to KVM's memory management unit (MMU). In particular, look for warnings about overwriting shadow-present SPTEs in direct MMUs.

A typical warning message to watch for in the kernel logs is:

  • "WARNING: arch/x86/kvm/mmu/mmu.c:3069 at mmu_set_spte+0x1e4/0x440 [kvm], CPU#0: vmx_ept_stale_r/872"

You can check for such messages using the following command to search the kernel log:

  • sudo dmesg | grep -i 'kvm.*mmu_set_spte'

Alternatively, monitor the system journal for related warnings:

  • sudo journalctl -k | grep -i 'kvm.*mmu_set_spte'

These commands help detect if the kernel has logged warnings indicating the presence of this vulnerability or its exploitation attempts.
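The log check suggested above, written out as an added shell example that is not part of this CVE record or of the kernel patch. It runs the search over a constructed dmesg excerpt (the splat lines are copied from the description; the timestamps and the unrelated trailing line are made up) and also pulls the Comm: field out of each hit, so the VMM process whose guest tripped the check can be identified. The anchored mmu.c path avoids matching other kvm messages that merely mention the module. One operational note: the message is a kernel WARN, so on hosts booted with panic_on_warn the same condition panics the host instead of leaving a log line to grep.

```shell
#!/bin/sh
# Added example for this record (not part of the CVE entry or the kernel patch):
# scan saved kernel-log text for the mmu_set_spte() WARNING quoted above.
# Usage: dmesg > kern.log (or journalctl -k > kern.log), then call the
# functions below on kern.log.

# Print every WARNING line raised at mmu_set_spte() in KVM's MMU. The
# arch/x86/kvm/mmu/mmu.c path is anchored so unrelated "kvm" lines don't match.
kvm_spte_warnings() {
    grep -E 'WARNING: .*kvm/mmu/mmu\.c:[0-9]+ at mmu_set_spte' "$1"
}

# Number of such warnings; a non-zero count is what a log monitor alerts on.
count_kvm_spte_warnings() {
    kvm_spte_warnings "$1" | wc -l | tr -d ' '
}

# For each warning, print the Comm: of the task that triggered it. The Comm
# field lives on the "CPU: ... PID: ... Comm: ..." line a couple of lines
# after the WARNING, so track state from the WARNING line to "end trace".
kvm_spte_warning_comms() {
    awk '
        /WARNING: .*kvm\/mmu\/mmu\.c:[0-9]+ at mmu_set_spte/ { inwarn = 1 }
        inwarn && match($0, /Comm: [^ ]+/) {
            print substr($0, RSTART + 6, RLENGTH - 6)
        }
        /end trace/ { inwarn = 0 }
    ' "$1"
}

# Constructed dmesg excerpt: the splat lines are copied from the CVE
# description; the timestamps and the last, unrelated line are made up.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
[  812.100001] ------------[ cut here ]------------
[  812.100002] pfn != spte_to_pfn(*sptep)
[  812.100003] WARNING: arch/x86/kvm/mmu/mmu.c:3069 at mmu_set_spte+0x1e4/0x440 [kvm], CPU#0: vmx_ept_stale_r/872
[  812.100004] Modules linked in: kvm_intel kvm irqbypass
[  812.100005] CPU: 0 UID: 1000 PID: 872 Comm: vmx_ept_stale_r Not tainted 7.0.0-rc2-eafebd2d2ab0-sink-vm #319 PREEMPT
[  812.100006] RIP: 0010:mmu_set_spte+0x1e4/0x440 [kvm]
[  812.100007] ---[ end trace 0000000000000000 ]---
[  900.000001] kvm: informational message that mentions kvm but is not a warning
EOF

echo "warnings: $(count_kvm_spte_warnings "$SAMPLE_LOG")"
echo "triggering tasks: $(kvm_spte_warning_comms "$SAMPLE_LOG")"
```

On a live host, point the functions at the output of dmesg or journalctl -k instead of the sample file; the Comm value maps the warning back to the userspace VMM (and through its PID to the guest) that was running when KVM's sanity check fired.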


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to update the Linux kernel to a version where this vulnerability has been resolved.

Since the issue involves KVM's handling of shadow-present SPTEs in direct MMUs, applying the patch or upgrading to a kernel version that includes the fix will prevent the vulnerability from being exploited.

Additionally, monitor kernel logs for any warning messages related to this issue to detect potential exploitation attempts.

