CVE-2026-46076
Awaiting Analysis
KVM VMMCALL Unhandled Interception Issue in Linux Kernel

Publication date: 2026-05-27

Last updated on: 2026-05-30

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

KVM: nSVM: Raise #UD if unhandled VMMCALL isn't intercepted by L1

Explicitly synthesize a #UD for VMMCALL if L2 is active, L1 does NOT want to intercept VMMCALL, nested_svm_l2_tlb_flush_enabled() is true, and the hypercall is something other than one of the supported Hyper-V hypercalls.

When all of the above conditions are met, KVM will intercept VMMCALL but never forward it to L1, i.e. will let L2 make hypercalls as if it were L1.

The TLFS says a whole lot of nothing about this scenario, so go with the architectural behavior, which says that VMMCALL #UDs if it's not intercepted.

Opportunistically do a 2-for-1 stub trade by stub-ifying the new API instead of the helpers it uses. The last remaining "single" stub will soon be dropped as well.

[sean: rewrite changelog and comment, tag for stable, remove defunct stubs]

Meta Information
Published: 2026-05-27
Last Modified: 2026-05-30
Generated: 2026-06-16
AI Q&A: 2026-05-27
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Showing 1 associated CPE
Vendor: linux
Product: linux_kernel
Version / Range: *
CWE ID: CWE-UNKNOWN
Executive Summary

This vulnerability involves the Linux kernel's KVM (Kernel-based Virtual Machine) subsystem, specifically nested virtualization on AMD SVM (the nSVM code).

The issue occurs when a nested virtual machine (L2) makes a VMMCALL hypercall, but the first-level hypervisor (L1) does not want to intercept this call, and certain conditions are met (such as nested_svm_l2_tlb_flush_enabled() being true). In this case, KVM intercepts the VMMCALL but does not forward it to L1, effectively allowing L2 to make hypercalls as if it were L1.

The fix explicitly raises a #UD (invalid-opcode exception) when, under these conditions, the VMMCALL is not one of the hypercalls KVM handles and L1 does not intercept it. This matches the architectural behavior, in which VMMCALL raises #UD if it is not intercepted.
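The decision described above, modelled as a small C walk over every input combination. This is an added example, not KVM code: the enum, struct and function names are made up for the model, and checking the supported Hyper-V hypercalls ahead of L1's intercept is an assumption of the model.

```c
#include <stdbool.h>
#include <stdio.h>
/* Simplified outcomes of a guest VMMCALL (model names, not KVM's). */
enum outcome {
    OUT_L0_HYPERCALL,   /* KVM services it as a hypercall from L1 */
    OUT_L0_HYPERV,      /* supported Hyper-V hypercall from L2, serviced by KVM */
    OUT_FORWARD_TO_L1,  /* nested VM-exit delivered to L1 */
    OUT_INJECT_UD,      /* guest receives #UD */
};
struct vmmcall_ctx {
    bool l2_active;            /* vCPU is running the nested guest */
    bool l1_intercepts;        /* L1 asked to intercept VMMCALL */
    bool l2_tlb_flush_enabled; /* stands in for nested_svm_l2_tlb_flush_enabled() */
    bool supported_hv_call;    /* one of the supported Hyper-V hypercalls */
};

/* patched == false models the pre-fix behaviour described in the advisory. */
enum outcome vmmcall_outcome(struct vmmcall_ctx c, bool patched)
{
    if (!c.l2_active)
        return OUT_L0_HYPERCALL;
    /* Assumption: supported Hyper-V calls are taken by KVM before L1's intercept. */
    if (c.l2_tlb_flush_enabled && c.supported_hv_call)
        return OUT_L0_HYPERV;
    if (c.l1_intercepts)
        return OUT_FORWARD_TO_L1;
    /* Without the L2 TLB flush feature nothing intercepts: architectural #UD. */
    if (!c.l2_tlb_flush_enabled)
        return OUT_INJECT_UD;
    /* KVM intercepted for Hyper-V's sake, but L1 did not want the exit. */
    return patched ? OUT_INJECT_UD : OUT_L0_HYPERCALL;
}

/* Bit m is set when input combination m behaves differently after the fix. */
unsigned changed_mask(void)
{
    unsigned mask = 0;
    for (unsigned m = 0; m < 16; m++) {
        struct vmmcall_ctx c = { m & 1, m & 2, m & 4, m & 8 };
        if (vmmcall_outcome(c, false) != vmmcall_outcome(c, true))
            mask |= 1u << m;
    }
    return mask;
}

int main(void)
{
    printf("changed combinations mask: 0x%x\n", changed_mask());
    return 0;
}
```

Only one of the sixteen combinations changes: L2 active, L1 not intercepting, L2 TLB flush enabled, and a hypercall outside the supported Hyper-V set.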

Impact Analysis

This vulnerability could allow a nested virtual machine (L2) to bypass the first-level hypervisor's (L1) control over certain hypercalls, potentially leading to unauthorized actions or privilege escalations within nested virtualization environments.

By allowing L2 to make hypercalls as if it were L1, it may undermine the isolation and security guarantees expected in nested virtualization setups, possibly leading to security breaches or instability.
