CVE-2026-46059
Analyzed - Analysis Complete
KVM: nSVM NextRIP Handling Issue in Linux Kernel

Publication date: 2026-05-27

Last updated on: 2026-06-16

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

KVM: nSVM: Always use NextRIP as vmcb02's NextRIP after first L2 VMRUN

For guests with NRIPS disabled, L1 does not provide NextRIP when running an L2 with an injected soft interrupt, instead it advances the current RIP before running it. KVM uses the current RIP as the NextRIP in vmcb02 to emulate a CPU without NRIPS.

However, after L2 runs the first time, NextRIP will be updated by the CPU and/or KVM, and the current RIP is no longer the correct value to use in vmcb02. Hence, after save/restore, use the current RIP if and only if a nested run is pending, otherwise use NextRIP.

Give soft_int_next_rip the same treatment, as it's the same logic, just for a narrower use case.

[sean: give soft_int_next_rip the same treatment]

Meta Information
Published: 2026-05-27
Last Modified: 2026-06-16
Generated: 2026-06-16
AI Q&A: 2026-05-27
EPSS Evaluated: 2026-06-15

Affected Vendors & Products
Showing 2 associated CPEs
Vendor    Product         Version / Range
linux     linux_kernel    From 6.19 (inc) to 7.0.4 (exc)
linux     linux_kernel    From 5.8 (inc) to 6.18.27 (exc)
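
A version check against the two affected ranges listed above, as an added example (not part of the original advisory or of the kernel project's code). The function names are hypothetical; distribution kernels backport fixes, so a match is a prompt to check the vendor changelog rather than proof of exposure.

```shell
#!/bin/sh
# Added example: compare a kernel release string with the affected ranges
# listed on this page (5.8 <= v < 6.18.27 and 6.19 <= v < 7.0.4).

# ver_lt A B: succeed when dotted version A is strictly lower than B.
ver_lt() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}                    # leading component
        if [ "$a" = "$x" ]; then a=""; else a=${a#*.}; fi
        if [ "$b" = "$y" ]; then b=""; else b=${b#*.}; fi
        x=${x:-0}; y=${y:-0}                      # missing component = 0
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
    done
    return 1                                      # equal
}

# in_range V LO HI: succeed when LO <= V < HI.
in_range() {
    ! ver_lt "$1" "$2" && ver_lt "$1" "$3"
}

# is_affected RELEASE: strip any suffix such as "-generic", then test both ranges.
is_affected() {
    v=${1%%[!0-9.]*}
    in_range "$v" 5.8 6.18.27 || in_range "$v" 6.19 7.0.4
}

# Stand-alone use: check the first argument, or the running kernel if none.
kver=${1:-$(uname -r)}
if is_affected "$kver"; then
    echo "$kver: inside an affected upstream range for CVE-2026-46059"
else
    echo "$kver: outside the affected upstream ranges"
fi
```
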
CWE ID Description
CWE-UNKNOWN
Executive Summary

This vulnerability is in the Linux kernel's KVM (Kernel-based Virtual Machine), in its nested virtualization code for SVM (nSVM). Specifically, when guests have NRIPS (Next RIP) disabled, the L1 hypervisor does not provide the NextRIP value when running an L2 guest with an injected soft interrupt. Instead, it advances the current RIP before running it. KVM uses the current RIP as the NextRIP in vmcb02 to emulate a CPU without NRIPS.

However, after the L2 guest runs for the first time, the NextRIP is updated by the CPU or KVM, making the current RIP no longer the correct value to use in vmcb02. The fix ensures that after save/restore operations, the current RIP is used only if a nested run is pending; otherwise, NextRIP is used. The same logic is applied to soft_int_next_rip, which handles a narrower use case.

Impact Analysis

This vulnerability affects the Linux kernel's KVM nested virtualization feature, specifically how the NextRIP value is handled during nested virtual machine runs. If exploited, it could cause incorrect CPU state emulation when running nested virtual machines with NRIPS disabled and injected soft interrupts. This may lead to unexpected behavior or instability in nested virtual machines.
