CVE-2026-43315
Status: Received - Intake
WARN Removal in KVM AMD Nested State Handling

Publication date: 2026-05-08

Last updated on: 2026-05-08

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: KVM: nSVM: Remove a user-triggerable WARN on nested_svm_load_cr3() succeeding Drop the WARN in svm_set_nested_state() on nested_svm_load_cr3() failing as it is trivially easy to trigger from userspace by modifying CPUID after loading CR3. E.g. modifying the state restoration selftest like so: --- tools/testing/selftests/kvm/x86/state_test.c +++ tools/testing/selftests/kvm/x86/state_test.c 
@@ -280,7 +280,16 @@ int main(int argc, char *argv[]) /* Restore state in a new VM. */ vcpu = vm_recreate_with_one_vcpu(vm); - vcpu_load_state(vcpu, state); + + if (stage == 4) { + state->sregs.cr3 = BIT(44); + vcpu_load_state(vcpu, state); + + vcpu_set_cpuid_property(vcpu, X86_PROPERTY_MAX_PHY_ADDR, 36); + __vcpu_nested_state_set(vcpu, &state->nested); + } else { + vcpu_load_state(vcpu, state); + } /* * Restore XSAVE state in a dummy vCPU, first without doing generates: WARNING: CPU: 30 PID: 938 at arch/x86/kvm/svm/nested.c:1877 svm_set_nested_state+0x34a/0x360 [kvm_amd] Modules linked in: kvm_amd kvm irqbypass [last unloaded: kvm] CPU: 30 UID: 1000 PID: 938 Comm: state_test Tainted: G W 6.18.0-rc7-58e10b63777d-next-vm Tainted: [W]=WARN Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 RIP: 0010:svm_set_nested_state+0x34a/0x360 [kvm_amd] Call Trace: <TASK> kvm_arch_vcpu_ioctl+0xf33/0x1700 [kvm] kvm_vcpu_ioctl+0x4e6/0x8f0 [kvm] __x64_sys_ioctl+0x8f/0xd0 do_syscall_64+0x61/0xad0 entry_SYSCALL_64_after_hwframe+0x4b/0x53 Simply delete the WARN instead of trying to prevent userspace from shoving "illegal" state into CR3. For better or worse, KVM's ABI allows userspace to set CPUID after SREGS, and vice versa, and KVM is very permissive when it comes to guest CPUID. I.e. attempting to enforce the virtual CPU model when setting CPUID could break userspace. Given that the WARN doesn't provide any meaningful protection for KVM or benefit for userspace, simply drop it even though the odds of breaking userspace are minuscule. Opportunistically delete a spurious newline.
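Review bot: the new `stage == 4` branch carries no comment, so a reader of the selftest cannot tell from the lines alone why `state->sregs.cr3 = BIT(44)` is loaded first and `vcpu_set_cpuid_property(vcpu, X86_PROPERTY_MAX_PHY_ADDR, 36)` only afterwards; the ordering is the whole point (bit 44 lies above a 36-bit physical address width, so the CR3 value that was accepted by `vcpu_load_state()` becomes illegal before the second `__vcpu_nested_state_set(vcpu, &state->nested)` call), and a one-line comment stating that would help. Also, the return value of `__vcpu_nested_state_set()` is discarded; if this is meant as a regression test rather than a one-off reproducer, assert on it, and give `4` a name rather than a bare stage number.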
Meta Information
Generated: 2026-05-09
AI Q&A generated: 2026-05-08
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: linux
Product: linux_kernel
Version / Range: 6.18.0-rc7-58e10b63777d-next-vm
CWE ID: CWE-UNKNOWN
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability involves the Linux kernel's KVM (Kernel-based Virtual Machine) subsystem, specifically the nested SVM (Secure Virtual Machine) feature. A user-triggerable warning (WARN) was generated in the function nested_svm_load_cr3() when certain state changes were made by userspace, such as modifying CPUID after loading CR3. This WARN was easy to trigger from userspace by manipulating the virtual CPU state, but it did not provide meaningful protection or benefit.

The fix was to remove this WARN instead of trying to prevent userspace from setting what was considered an 'illegal' state, because KVM's ABI allows userspace to set CPUID and segment registers in a flexible order. Enforcing stricter checks could break userspace applications, so the warning was dropped to avoid unnecessary disruptions.


How can this vulnerability impact me?

This issue primarily caused a warning message to be triggered in the kernel logs when userspace manipulated certain virtual CPU states in a way that was allowed but previously warned against. The warning did not indicate a security risk or functional failure, but rather a spurious alert that could confuse users or developers.

Removing the warning reduces unnecessary noise in kernel logs and avoids potential disruptions to userspace applications that rely on flexible CPU state settings. There is no indication that this vulnerability leads to privilege escalation, data corruption, or other direct security impacts.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability manifests as a user-triggerable WARN message in the Linux kernel related to KVM nested virtualization, specifically in the nested_svm_load_cr3() function.

Detection can be done by monitoring kernel logs for the specific WARN message:

  • WARNING: CPU: <cpu_number> PID: <pid> at arch/x86/kvm/svm/nested.c:1877 svm_set_nested_state+0x34a/0x360 [kvm_amd]

You can use the following command to check for this warning in your system logs:

  • dmesg | grep svm_set_nested_state

Additionally, since the issue relates to KVM nested virtualization, checking for unusual WARN messages related to KVM modules in kernel logs can help detect attempts to trigger this condition.
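
Detection logic of the kind the answer above describes, as an added example that is not part of the CVE record or of the kernel tree: a small parser for the WARNING line quoted in the commit message, run over a constructed dmesg sample (the timestamps and the unrelated drm line are invented; the KVM lines mirror the quoted splat).

```python
import re

# Format of the WARN line quoted in the commit message for CVE-2026-43315:
# "WARNING: CPU: 30 PID: 938 at arch/x86/kvm/svm/nested.c:1877 svm_set_nested_state+0x34a/0x360 [kvm_amd]"
WARN_RE = re.compile(
    r"WARNING: CPU: (?P<cpu>\d+) PID: (?P<pid>\d+) at "
    r"(?P<file>\S+):(?P<line>\d+) (?P<func>[A-Za-z_][A-Za-z0-9_]*)\+0x[0-9a-f]+/0x[0-9a-f]+"
    r"(?: \[(?P<module>\w+)\])?"
)
# The task line of the same splat names the triggering process after "Comm:".
COMM_RE = re.compile(r"\bComm: (?P<comm>\S+)")

# Function named in this CVE's WARN (the nSVM nested-state restore path).
KVM_NSVM_WARN_FUNCS = {"svm_set_nested_state"}


def parse_kvm_warns(log_text, funcs=KVM_NSVM_WARN_FUNCS):
    """Return one dict per kernel WARNING whose function is in `funcs`.

    Each dict carries cpu, pid, file, line, func, module and, when the
    splat's task line follows within a few lines, the process name (comm).
    """
    hits = []
    lines = log_text.splitlines()
    for i, raw in enumerate(lines):
        m = WARN_RE.search(raw)  # search(), so a "[ 640.110]" timestamp prefix is fine
        if not m or m.group("func") not in funcs:
            continue
        hit = {k: (int(v) if k in ("cpu", "pid", "line") else v)
               for k, v in m.groupdict().items()}
        hit["comm"] = None
        for follow in lines[i + 1:i + 6]:  # look a few lines ahead for "Comm:"
            c = COMM_RE.search(follow)
            if c:
                hit["comm"] = c.group("comm")
                break
        hits.append(hit)
    return hits


# Constructed sample dmesg output, not a real capture.
SAMPLE_DMESG = """\
[  512.001] kvm_amd: Nested Virtualization enabled
[  640.110] WARNING: CPU: 30 PID: 938 at arch/x86/kvm/svm/nested.c:1877 svm_set_nested_state+0x34a/0x360 [kvm_amd]
[  640.111] Modules linked in: kvm_amd kvm irqbypass [last unloaded: kvm]
[  640.112] CPU: 30 UID: 1000 PID: 938 Comm: state_test Tainted: G W 6.18.0-rc7-58e10b63777d-next-vm
[  640.113] RIP: 0010:svm_set_nested_state+0x34a/0x360 [kvm_amd]
[  700.500] WARNING: CPU: 2 PID: 41 at drivers/gpu/drm/drm_atomic.c:100 drm_atomic_check+0x10/0x20 [drm]
"""

if __name__ == "__main__":
    for h in parse_kvm_warns(SAMPLE_DMESG):
        print(f"cpu={h['cpu']} pid={h['pid']} comm={h['comm']} "
              f"{h['file']}:{h['line']} {h['func']} [{h['module']}]")
```

Feed it `dmesg` or `journalctl -k` output instead of the sample to check a live host; the unrelated drm warning in the sample is deliberately ignored because its function is not in the watched set.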


What immediate steps should I take to mitigate this vulnerability?

The vulnerability is addressed by removing the WARN message triggered by userspace in nested_svm_load_cr3() and svm_set_nested_state().

Immediate mitigation steps include:

  • Update your Linux kernel to a version that includes the fix removing this WARN, as the warning itself does not provide meaningful protection and is removed to avoid unnecessary alerts.
  • Monitor kernel logs for any unusual WARN messages related to KVM nested virtualization to ensure no other issues arise.

Since the vulnerability is related to permissive KVM ABI behavior and does not represent a security risk beyond noisy warnings, no additional configuration changes are required.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The provided information about CVE-2026-43315 does not include any details on how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

