CVE-2026-23425
Status: Received - Intake
KVM ARM64 ID Register Initialization Bug Causes State Corruption

Publication date: 2026-04-03

Last updated on: 2026-04-27

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

KVM: arm64: Fix ID register initialization for non-protected pKVM guests

In protected mode, the hypervisor maintains a separate instance of the `kvm` structure for each VM. For non-protected VMs, this structure is initialized from the host's `kvm` state.

Currently, `pkvm_init_features_from_host()` copies the `KVM_ARCH_FLAG_ID_REGS_INITIALIZED` flag from the host without the underlying `id_regs` data being initialized. This results in the hypervisor seeing the flag as set while the ID registers remain zeroed.

Consequently, `kvm_has_feat()` checks at EL2 fail (return 0) for non-protected VMs. This breaks logic that relies on feature detection, such as `ctxt_has_tcrx()` for TCR2_EL1 support. As a result, certain system registers (e.g., TCR2_EL1, PIR_EL1, POR_EL1) are not saved/restored during the world switch, which could lead to state corruption.

Fix this by explicitly copying the ID registers from the host `kvm` to the hypervisor `kvm` for non-protected VMs during initialization, since we trust the host with its non-protected guests' features. Also ensure `KVM_ARCH_FLAG_ID_REGS_INITIALIZED` is cleared initially in `pkvm_init_features_from_host` so that `vm_copy_id_regs` can properly initialize them and set the flag once done.
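The defect described above is a classic "flag copied without the data it vouches for" inconsistency. The following C model, added here as an illustration and not the kernel's own code, reproduces the pattern on a constructed `struct model_kvm` with hypothetical names (`init_from_host_buggy`, `init_from_host_fixed`, `vm_copy_id_regs_model`, `model_has_feat_tcrx`, `model_save_sysregs`, the `FLAG_ID_REGS_INITIALIZED` bit and the `MMFR3_TCRX_MASK` field) and a made-up register layout. It shows why the EL2-side feature check returns 0 on the buggy path, why the world-switch save of TCR2_EL1 is then skipped, and how clearing the flag, copying the registers, and only then setting the flag restores a consistent state.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed, simplified model of the pattern in the advisory. Names, flag
 * values and the register layout are hypothetical, not kernel definitions. */
#define FLAG_ID_REGS_INITIALIZED (1u << 0)
#define MMFR3_TCRX_MASK          0xFull   /* constructed field: "TCR2_EL1 supported" */

struct model_kvm {
	uint32_t flags;       /* stands in for the per-VM flags word */
	uint64_t id_regs[4];  /* stands in for the sanitised ID register copy */
};

struct model_ctxt {
	uint64_t tcr2_el1;    /* guest register value live on the CPU */
	uint64_t saved_tcr2;  /* slot the world switch saves it into */
};

/* Feature check as done at EL2: only meaningful once id_regs hold data. */
static bool model_has_feat_tcrx(const struct model_kvm *kvm)
{
	return (kvm->id_regs[0] & MMFR3_TCRX_MASK) != 0;
}

/* The inconsistent state: flag claims "initialised" while every id_reg is zero. */
static bool model_id_regs_consistent(const struct model_kvm *kvm)
{
	bool all_zero = true;
	for (size_t i = 0; i < 4; i++)
		if (kvm->id_regs[i])
			all_zero = false;
	return !((kvm->flags & FLAG_ID_REGS_INITIALIZED) && all_zero);
}

/* Buggy variant: copies the flag, not the data the flag vouches for. */
static void init_from_host_buggy(struct model_kvm *hyp, const struct model_kvm *host)
{
	memset(hyp, 0, sizeof(*hyp));
	hyp->flags = host->flags;   /* flag set, id_regs still zero */
}

/* Fixed variant: clear the flag, copy the registers, then set the flag. */
static void vm_copy_id_regs_model(struct model_kvm *hyp, const struct model_kvm *host)
{
	memcpy(hyp->id_regs, host->id_regs, sizeof(hyp->id_regs));
	hyp->flags |= FLAG_ID_REGS_INITIALIZED;
}

static void init_from_host_fixed(struct model_kvm *hyp, const struct model_kvm *host)
{
	memset(hyp, 0, sizeof(*hyp));
	hyp->flags = host->flags & ~FLAG_ID_REGS_INITIALIZED;
	vm_copy_id_regs_model(hyp, host);
}

/* World-switch save path: TCR2_EL1 is saved only when the feature is detected. */
static void model_save_sysregs(const struct model_kvm *kvm, struct model_ctxt *ctxt)
{
	if (model_has_feat_tcrx(kvm))
		ctxt->saved_tcr2 = ctxt->tcr2_el1;
}

/* Constructed host state: flag set and TCRX advertised in id_regs[0]. */
static struct model_kvm make_host(void)
{
	struct model_kvm host = { .flags = FLAG_ID_REGS_INITIALIZED, .id_regs = { 0x1, 0, 0, 0 } };
	return host;
}

/* TCR2_EL1 value that survives a save on the chosen init path (0 means lost). */
uint64_t saved_tcr2_after_init(bool fixed)
{
	struct model_kvm host = make_host(), hyp;
	struct model_ctxt ctxt = { .tcr2_el1 = 0xC0FFEEull, .saved_tcr2 = 0 };
	if (fixed)
		init_from_host_fixed(&hyp, &host);
	else
		init_from_host_buggy(&hyp, &host);
	model_save_sysregs(&hyp, &ctxt);
	return ctxt.saved_tcr2;
}

/* Whether the hypervisor-side copy is consistent after the chosen init path. */
bool hyp_state_consistent(bool fixed)
{
	struct model_kvm host = make_host(), hyp;
	if (fixed)
		init_from_host_fixed(&hyp, &host);
	else
		init_from_host_buggy(&hyp, &host);
	return model_id_regs_consistent(&hyp);
}

int main(void)
{
	printf("buggy: saved TCR2_EL1=%#llx consistent=%d\n",
	       (unsigned long long)saved_tcr2_after_init(false), hyp_state_consistent(false));
	printf("fixed: saved TCR2_EL1=%#llx consistent=%d\n",
	       (unsigned long long)saved_tcr2_after_init(true), hyp_state_consistent(true));
	return 0;
}
```

The ordering in `init_from_host_fixed` is the point: the flag is cleared before the copy and set only by the routine that actually fills the registers, so no reader of the flag can ever observe "initialised" with empty data. A consistency check like `model_id_regs_consistent` is the kind of invariant a unit test or a debug assertion can enforce for any "flag plus backing data" pair.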
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published: 2026-04-03
Last Modified: 2026-04-27
Generated: 2026-05-07
AI Q&A: 2026-04-03
EPSS Evaluated: 2026-05-05
References: NVD, EUVD
Affected Vendors & Products
Showing 10 associated CPEs
Vendor Product Version / Range
linux linux_kernel 6.14
linux linux_kernel From 6.19 (inc) to 6.19.7 (exc)
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 6.14.1 (inc) to 6.18.17 (exc)
Exploitability
CWE ID / Description: CWE-UNKNOWN
KEV:
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's KVM implementation for arm64 architecture, specifically affecting non-protected pKVM guests. The issue arises because the hypervisor incorrectly copies a flag indicating that ID registers have been initialized from the host without actually initializing the underlying ID register data. As a result, the hypervisor believes the ID registers are ready when they are actually zeroed.

This causes feature detection checks at the EL2 exception level to fail for non-protected VMs, breaking logic that depends on these features. Consequently, certain system registers such as TCR2_EL1, PIR_EL1, and POR_EL1 are not properly saved or restored during context switches between virtual machines, which can lead to state corruption.

The fix involves explicitly copying the ID registers from the host to the hypervisor for non-protected VMs during initialization and properly managing the initialization flag to ensure the registers are correctly set up.


How can this vulnerability impact me?

This vulnerability can lead to state corruption in non-protected virtual machines running on the affected Linux kernel. Because certain system registers are not saved and restored correctly during VM context switches, the virtual machines may behave unpredictably or experience errors.

Such state corruption could potentially cause instability or crashes in virtualized environments, impacting the reliability and security of systems relying on KVM for virtualization on arm64 platforms.


What immediate steps should I take to mitigate this vulnerability?

The vulnerability is resolved by fixing the initialization of the ID registers for non-protected pKVM guests in the Linux kernel's KVM arm64 code.

To mitigate this vulnerability, you should update your Linux kernel to a version that includes this fix, which ensures proper copying and initialization of ID registers for non-protected VMs.

