CVE-2026-53345
Status: Received - Intake

Memory Leak Fix in Linux Kernel KVM

Vulnerability report for CVE-2026-53345, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-01

Last updated on: 2026-07-01

Assigner: kernel.org

Description

In the Linux kernel, the following vulnerability has been resolved:

KVM: Don't WARN if memory is dirtied without a vCPU when the VM is dying

When marking a page dirty, complain about not having a running/loaded vCPU if and only if the VM is still alive, i.e. its refcount is non-zero. This will allow fixing a memory leak for x86 SEV-ES guests without hitting what is effectively a false positive on the WARN.

For some SEV-ES VM-Exits, KVM keeps a writable mapping of a guest page across an exit to userspace, and typically unmaps the page on the next KVM_RUN. But if userspace never calls KVM_RUN after such an exit, then KVM needs to unmap the page when the vCPU is destroyed, which in turn triggers the WARN about not having a running vCPU.

Alternatively, SEV-ES could temporarily load the vCPU to suppress the WARN, as is done in nested_vmx_free_vcpu() (but for completely unrelated reasons; suppressing WARN from nested_put_vmcs12_pages() is pure happenstance). But loading a vCPU during destruction is gross (ideally nVMX code would be cleaned up), risks complicating the SEV-ES code (KVM would need to ensure the temporary load()+put() only runs when the vCPU isn't already loaded), and is ultimately pointless.

The motivation for the WARN is to guard against KVM dirtying guest memory without pushing the corresponding GFN to the active vCPU's dirty ring, e.g. to ensure userspace doesn't miss a dirty page. But for the VM's refcount to reach zero, there can't be _any_ userspace mappings to the dirty ring, as mapping the dirty ring requires doing mmap() on the vCPU FD. I.e. if userspace had a valid mapping for the dirty ring, then the vCPU file and thus the owning VM would still be alive. And so since userspace can't possibly reach the dirty ring, whether or not KVM technically "misses" a push to the dirty ring is irrelevant.


Meta Information

Published: 2026-07-01
Last Modified: 2026-07-01
Generated: 2026-07-01
AI Q&A: 2026-07-01
EPSS Evaluated: N/A

Affected Vendors & Products

Showing 1 associated CPE

Vendor: linux
Product: linux_kernel
Version / Range: *

Exploitability

CWE ID: CWE-UNKNOWN

Executive Summary

This vulnerability relates to the Linux kernel's KVM (Kernel-based Virtual Machine) subsystem, specifically handling memory dirtying for SEV-ES (Secure Encrypted Virtualization - Encrypted State) guests. The issue arises when memory pages are marked as dirty without an active or loaded virtual CPU (vCPU) while the virtual machine (VM) is in the process of shutting down or dying.

Normally, KVM warns if memory is dirtied without a running vCPU to ensure userspace does not miss tracking dirty pages. However, this warning can trigger falsely when the VM is already dying and its reference count is zero, because userspace cannot access the dirty ring in this state. The fix prevents the warning from appearing in these cases, avoiding false positives and fixing a memory leak for x86 SEV-ES guests.

Impact Analysis

Without the fix, marking guest pages dirty without an active vCPU during VM shutdown triggers false-positive WARN messages in the kernel log. These can lead to confusion or misdiagnosis of memory-management issues in virtualized environments running SEV-ES guests.

More importantly, without the fix there is a memory leak for x86 SEV-ES guests: KVM does not properly unmap guest pages if userspace never calls KVM_RUN after certain VM exits. Over time this increases host memory usage and can contribute to resource exhaustion on the host.

Mitigation Strategies

This vulnerability has been resolved in the Linux kernel by changing the behavior of KVM when marking a page dirty without a running vCPU during VM destruction.

To mitigate this vulnerability, update the Linux kernel to a version that includes this fix.
