CVE-2026-45987
Status: Analyzed (analysis complete)
KVM: nSVM Interrupt Shadow Sync Vulnerability in Linux Kernel

Publication date: 2026-05-27

Last updated on: 2026-06-16

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

KVM: nSVM: Sync interrupt shadow to cached vmcb12 after VMRUN of L2

After VMRUN in guest mode, nested_sync_control_from_vmcb02() syncs fields written by the CPU from vmcb02 to the cached vmcb12. This is because the cached vmcb12 is used as the authoritative copy of some of the controls, and is the payload when saving/restoring nested state.

int_state is also written by the CPU, specifically bit 0 (i.e. SVM_INTERRUPT_SHADOW_MASK) for nested VMs, but it is not sync'd to cached vmcb12.

This does not cause a problem if KVM_SET_NESTED_STATE precedes KVM_SET_VCPU_EVENTS in the restore path, as an interrupt shadow would be correctly restored to vmcb02 (KVM_SET_VCPU_EVENTS overwrites what KVM_SET_NESTED_STATE restored in int_state). However, if KVM_SET_VCPU_EVENTS precedes KVM_SET_NESTED_STATE, an interrupt shadow would be restored into vmcb01 instead of vmcb02. This would mostly be benign for L1 (delays an interrupt), but not for L2. For L2, the vCPU could hang (e.g. if a wakeup interrupt is delivered before a HLT that should have been in an interrupt shadow).

Sync int_state to the cached vmcb12 in nested_sync_control_from_vmcb02() to avoid this problem. With that, KVM_SET_NESTED_STATE restores the correct interrupt shadow state, and if KVM_SET_VCPU_EVENTS follows it would overwrite it with the same value.
Meta Information
Generated: 2026-06-16
AI Q&A: 2026-05-27
EPSS Evaluated: 2026-06-15
External references: NVD, EUVD
Affected Vendors & Products (7 associated CPE ranges)

Vendor  Product        Version / Range
linux   linux_kernel   From 5.8 (inc) to 5.10.258 (exc)
linux   linux_kernel   From 5.11 (inc) to 5.15.209 (exc)
linux   linux_kernel   From 5.16 (inc) to 6.1.175 (exc)
linux   linux_kernel   From 6.2 (inc) to 6.6.140 (exc)
linux   linux_kernel   From 6.7 (inc) to 6.12.86 (exc)
linux   linux_kernel   From 6.13 (inc) to 6.18.27 (exc)
linux   linux_kernel   From 6.19 (inc) to 7.0.4 (exc)

The exclusive upper bound of each range is the first release of that stable series that carries the fix.
Exploitability
CWE ID: CWE-UNKNOWN (no CWE assigned)
AI-generated analysis
Executive Summary

This vulnerability is in the nested SVM (nSVM) support of the Linux kernel's KVM (Kernel-based Virtual Machine) on AMD hosts. After a VMRUN of L2 (i.e. while in guest mode), nested_sync_control_from_vmcb02() copies the fields the CPU writes from vmcb02 (the VMCB KVM actually runs L2 with) into the cached vmcb12, which KVM treats as the authoritative copy of some controls and uses as the payload of KVM_GET_NESTED_STATE / KVM_SET_NESTED_STATE. The interrupt state field was left out of that copy: int_state bit 0 (SVM_INTERRUPT_SHADOW_MASK), which the CPU sets when the guest sits in an interrupt shadow, is never synced to the cached vmcb12.

The gap shows up on the restore path, where userspace replays saved state through two ioctls: KVM_SET_NESTED_STATE rebuilds vmcb02 from the cached vmcb12 and puts the vCPU back into guest mode, and KVM_SET_VCPU_EVENTS writes the saved interrupt shadow into whichever VMCB is current. If KVM_SET_NESTED_STATE runs first, KVM_SET_VCPU_EVENTS lands in vmcb02 and masks the missing sync. If KVM_SET_VCPU_EVENTS runs first, the vCPU is not yet in guest mode, so the shadow is written into vmcb01; KVM_SET_NESTED_STATE then builds vmcb02 from a cached vmcb12 whose int_state never received the shadow. For L1 this is mostly benign (an interrupt is delayed), but for L2 the vCPU can hang, for example when a wakeup interrupt is delivered before a HLT that should have been covered by the interrupt shadow.

The fix syncs int_state to the cached vmcb12 in nested_sync_control_from_vmcb02(), so KVM_SET_NESTED_STATE alone restores the correct interrupt shadow into vmcb02, and a KVM_SET_VCPU_EVENTS that follows rewrites the same value.
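The ordering dependency described above, as an added example that is not KVM code: a small C model of the three VMCBs involved. The names vmcb01, vmcb02, cached vmcb12, int_state and SVM_INTERRUPT_SHADOW_MASK come from the advisory; the struct layout and the helper functions standing in for nested_sync_control_from_vmcb02() and the four ioctls are assumptions made for illustration. The model saves an L2 vCPU that sits in an interrupt shadow, restores it in each ioctl order, with and without the fix, and reports whether vmcb02 still carries the shadow.

```c
/*
 * Added model of CVE-2026-45987, not KVM source. Only the names mentioned in
 * the advisory are real; struct layout and helper names are assumptions.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define SVM_INTERRUPT_SHADOW_MASK 1u   /* bit 0 of int_state, per the advisory */

struct vmcb {
    uint32_t int_state;    /* CPU-written interrupt state */
    uint32_t other_ctrl;   /* stand-in for the other controls that are synced */
};

struct vcpu {
    struct vmcb vmcb01;         /* VMCB used to run L1 */
    struct vmcb vmcb02;         /* VMCB KVM actually runs L2 with */
    struct vmcb cached_vmcb12;  /* KVM's cached copy of L1's vmcb12; nested-state payload */
    bool guest_mode;            /* true while running L2 */
};

/* Model of nested_sync_control_from_vmcb02(); with_fix selects whether int_state is synced. */
static void sync_control_from_vmcb02(struct vcpu *v, bool with_fix)
{
    v->cached_vmcb12.other_ctrl = v->vmcb02.other_ctrl;
    if (with_fix)
        v->cached_vmcb12.int_state = v->vmcb02.int_state;   /* the one-line fix */
}

/* Model of KVM_GET_NESTED_STATE: the cached vmcb12 is the payload. */
static struct vmcb get_nested_state(const struct vcpu *v) { return v->cached_vmcb12; }

/* Model of KVM_GET_VCPU_EVENTS: reports the shadow of whichever VMCB is current. */
static bool get_interrupt_shadow(const struct vcpu *v)
{
    const struct vmcb *cur = v->guest_mode ? &v->vmcb02 : &v->vmcb01;
    return cur->int_state & SVM_INTERRUPT_SHADOW_MASK;
}

/* Model of KVM_SET_NESTED_STATE: rebuild vmcb02 from the payload and enter guest mode. */
static void set_nested_state(struct vcpu *v, struct vmcb payload)
{
    v->cached_vmcb12 = payload;
    v->vmcb02 = payload;
    v->guest_mode = true;
}

/* Model of KVM_SET_VCPU_EVENTS: writes the shadow into whichever VMCB is current. */
static void set_interrupt_shadow(struct vcpu *v, bool shadow)
{
    struct vmcb *cur = v->guest_mode ? &v->vmcb02 : &v->vmcb01;
    if (shadow)
        cur->int_state |= SVM_INTERRUPT_SHADOW_MASK;
    else
        cur->int_state &= ~SVM_INTERRUPT_SHADOW_MASK;
}

/*
 * Save an L2 vCPU that is in an interrupt shadow, restore it into a fresh vCPU
 * in the given ioctl order, and return true if vmcb02 (the VMCB L2 resumes on)
 * still carries the shadow.
 */
bool shadow_survives_restore(bool with_fix, bool events_before_nested_state)
{
    struct vcpu src = { .guest_mode = true };
    /* The CPU set the shadow in vmcb02 during the last VMRUN of L2 (e.g. STI; HLT). */
    src.vmcb02.int_state = SVM_INTERRUPT_SHADOW_MASK;
    src.vmcb02.other_ctrl = 0x42;
    sync_control_from_vmcb02(&src, with_fix);

    struct vmcb nested = get_nested_state(&src);
    bool shadow = get_interrupt_shadow(&src);

    struct vcpu dst = { 0 };
    if (events_before_nested_state) {
        set_interrupt_shadow(&dst, shadow);  /* lands in vmcb01: not in guest mode yet */
        set_nested_state(&dst, nested);      /* vmcb02 rebuilt from the cached vmcb12 */
    } else {
        set_nested_state(&dst, nested);
        set_interrupt_shadow(&dst, shadow);  /* lands in vmcb02 */
    }
    return dst.vmcb02.int_state & SVM_INTERRUPT_SHADOW_MASK;
}

int main(void)
{
    printf("unfixed, nested state first: shadow kept = %d\n", shadow_survives_restore(false, false));
    printf("unfixed, events first:       shadow kept = %d\n", shadow_survives_restore(false, true));
    printf("fixed,   events first:       shadow kept = %d\n", shadow_survives_restore(true, true));
    return 0;
}
```

The unfixed model loses the shadow only in the events-first order, which is exactly the case the advisory calls out; with int_state synced, the order no longer matters.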

Impact Analysis

The impact described is availability only: a vCPU of a nested (L2) guest can hang after its state has been restored, because the interrupt shadow ends up in the wrong VMCB and, for example, a wakeup interrupt is delivered before a HLT that should have been masked. The advisory describes no memory corruption or privilege boundary crossing.

It is reached only on AMD hosts that run nested SVM and only across a nested-state save and restore, which is what VMMs do for live migration and snapshots. For operators of such environments the result is an unresponsive nested guest and whatever downtime that implies for the workloads inside it.

Mitigation Strategies

The vulnerability has been resolved by syncing int_state to the cached vmcb12 in nested_sync_control_from_vmcb02(). Update to a kernel that carries the fix: per the affected ranges above, that is 5.10.258, 5.15.209, 6.1.175, 6.6.140, 6.12.86, 6.18.27 or 7.0.4 and later within each stable series (distribution kernels may backport the fix without changing the upstream version number, so check the distribution's advisory as well).

With the fix in place, KVM_SET_NESTED_STATE restores the correct interrupt shadow on its own, and a KVM_SET_VCPU_EVENTS that follows rewrites the same value, so the ioctl order no longer matters. Until the update is applied, two things limit exposure: a VMM that issues KVM_SET_NESTED_STATE before KVM_SET_VCPU_EVENTS during restore is not affected (the advisory states that order works), and hosts that do not run nested SVM (Intel hosts, or kvm_amd loaded with nested=0) do not reach this code.
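A host check for the update guidance above, added here and not part of the advisory or the kernel project: it encodes the affected ranges from the table (first affected version, inclusive, to fixed version, exclusive), compares the running kernel's release string against them, and reads the kvm_amd nested parameter from sysfs. The sysfs path and the uname() call are real; treating the upstream version number as proof of the fix is an assumption that does not hold for distribution kernels with backported patches.

```c
/*
 * Added host check for CVE-2026-45987, not from the advisory or the kernel.
 * Assumption: the upstream version number reflects whether the fix is present.
 */
#include <stdio.h>
#include <stdlib.h>
#include <sys/utsname.h>

struct range { const char *first_affected, *fixed; };

/* Affected ranges from the advisory's CPE table. */
static const struct range affected[] = {
    { "5.8",  "5.10.258" },
    { "5.11", "5.15.209" },
    { "5.16", "6.1.175"  },
    { "6.2",  "6.6.140"  },
    { "6.7",  "6.12.86"  },
    { "6.13", "6.18.27"  },
    { "6.19", "7.0.4"    },
};

/* "6.12.86-generic" -> 6012086; missing fields count as 0, suffixes are ignored. */
static long vnum(const char *s)
{
    long v = 0;
    for (int i = 0; i < 3; i++) {
        char *end;
        long part = strtol(s, &end, 10);
        if (end == s)
            part = 0;                 /* missing field */
        v = v * 1000 + part;
        if (*end != '.') {            /* pad the remaining fields */
            for (int j = i + 1; j < 3; j++)
                v *= 1000;
            break;
        }
        s = end + 1;
    }
    return v;
}

/* Returns 1 if the kernel version lies inside an affected range, 0 otherwise. */
int cve_2026_45987_affected(const char *kver)
{
    long v = vnum(kver);
    for (size_t i = 0; i < sizeof affected / sizeof affected[0]; i++)
        if (v >= vnum(affected[i].first_affected) && v < vnum(affected[i].fixed))
            return 1;
    return 0;
}

/* kvm_amd "nested" parameter: 1 = nested SVM on, 0 = off, -1 = kvm_amd not present. */
int kvm_amd_nested_enabled(void)
{
    FILE *f = fopen("/sys/module/kvm_amd/parameters/nested", "r");
    int val = -1;
    if (!f)
        return -1;
    if (fscanf(f, "%d", &val) != 1)
        val = -1;
    fclose(f);
    return val;
}

int main(void)
{
    struct utsname u;
    if (uname(&u) != 0) {
        perror("uname");
        return 2;
    }
    int aff = cve_2026_45987_affected(u.release);
    int nested = kvm_amd_nested_enabled();
    printf("kernel %s: %s\n", u.release,
           aff ? "inside an affected range" : "outside the affected ranges");
    if (nested < 0)
        puts("kvm_amd not present: nested SVM not in use on this host");
    else
        printf("kvm_amd nested=%d\n", nested);
    /* Exit 1 only when the host both runs nested SVM and has an affected kernel. */
    return (aff && nested == 1) ? 1 : 0;
}
```

The exit status is meant for fleet scripts: a non-zero result flags hosts that actually expose nested SVM on an unpatched kernel, rather than every host whose version string falls in a range.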
