CVE-2026-46032
Awaiting Analysis - Queue
Triple Fault in Linux Kernel KVM nSVM

Publication date: 2026-05-27

Last updated on: 2026-06-16

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

KVM: nSVM: Triple fault if restore host CR3 fails on nested #VMEXIT

If loading L1's CR3 fails on a nested #VMEXIT, nested_svm_vmexit() returns an error code that is ignored by most callers, and continues to run L1 with corrupted state. A sane recovery is not possible in this case, and HW behavior is to cause a shutdown. Inject a triple fault instead, and do not return early from nested_svm_vmexit(). Continue cleaning up the vCPU state (e.g. clear pending exceptions), to handle the failure as gracefully as possible.

From the APM:

    Upon #VMEXIT, the processor performs the following actions in order to return to the host execution context:
    ...
    if (illegal host state loaded, or exception while loading host state)
        shutdown
    else
        execute first host instruction following the VMRUN

Remove the return value of nested_svm_vmexit(), which is mostly unchecked anyway.
Meta Information
Published: 2026-05-27
Last Modified: 2026-06-16
Generated: 2026-06-16
AI Q&A: 2026-05-27
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Showing 1 associated CPE

Vendor | Product | Version / Range
linux | linux_kernel | From 5.9 (inc) to 7.0.4 (exc)
CWE ID: CWE-UNKNOWN
Executive Summary

This vulnerability is in the Linux kernel's KVM support for nested virtualization on AMD SVM (nSVM). On a nested #VMEXIT, KVM restores the host state of L1, including L1's CR3. If loading L1's CR3 fails, nested_svm_vmexit() returns an error code that most callers ignore, so L1 continues to run with corrupted state.

A sane recovery from this state is not possible, and real hardware shuts down in the equivalent situation. The fix injects a triple fault and no longer returns early from nested_svm_vmexit(); it continues cleaning up the vCPU state (for example, clearing pending exceptions) so the failure is handled as gracefully as possible.

Impact Analysis

If this vulnerability is triggered, it can cause the host system to shut down unexpectedly due to a triple fault triggered by corrupted CPU state during nested virtualization operations.

This can lead to system instability, potential data loss, and disruption of services running on the affected Linux kernel with nested virtualization enabled.

Mitigation Strategies

This vulnerability has been resolved in the Linux kernel by changing how a nested #VMEXIT is handled when loading L1's CR3 fails. The fix injects a triple fault instead of continuing with corrupted state, and keeps cleaning up the vCPU state so the failure is handled gracefully.

To mitigate this vulnerability immediately, you should update your Linux kernel to a version that includes this fix.
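
A triage helper for deciding which hosts to patch first, added here as an example and not taken from the advisory or the kernel project. It compares a kernel release string against the affected range listed above and reads the kvm_amd "nested" module parameter. The verdict strings and function names are made up for this example, and the version test cannot see distribution backports, so an in-range result means "check the vendor changelog", not "confirmed vulnerable".

```shell
#!/bin/sh
# Added example: triage helper for CVE-2026-46032 (not from the advisory).
# Range taken from the page's CPE row: 5.9 (inclusive) to 7.0.4 (exclusive).
AFFECTED_FROM="5.9"
FIXED_IN="7.0.4"

# Strip distro suffixes: "6.8.0-45-generic" -> "6.8.0"
base_version() { printf '%s\n' "${1%%[-+]*}"; }

# True when $1 sorts strictly before $2 in version order.
ver_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# True when the release string falls inside the affected range.
in_affected_range() {
    v=$(base_version "$1")
    ! ver_lt "$v" "$AFFECTED_FROM" && ver_lt "$v" "$FIXED_IN"
}

# kvm_amd reports its "nested" parameter as 1/0 or Y/N depending on kernel.
nested_enabled() {
    case "$1" in 1|Y|y) return 0 ;; *) return 1 ;; esac
}

# Combine both signals into one verdict string (hypothetical labels).
assess() {
    if ! in_affected_range "$1"; then
        echo "outside-affected-range"
    elif nested_enabled "$2"; then
        echo "in-range-nested-svm-enabled"
    else
        echo "in-range-nested-svm-off"
    fi
}

# Live check on this host; "absent" means kvm_amd is not loaded.
param=/sys/module/kvm_amd/parameters/nested
nested=$(cat "$param" 2>/dev/null || echo absent)
echo "$(uname -r): $(assess "$(uname -r)" "$nested")"
```

Hosts reporting in-range-nested-svm-enabled are the ones where the nested #VMEXIT path described above can actually be reached by a guest.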
