In the Linux kernel, the following vulnerability has been resolved:
KVM: nSVM: Remove a user-triggerable WARN on nested_svm_load_cr3() succeeding
Drop the WARN in svm_set_nested_state() on nested_svm_load_cr3() failing as it is trivially easy to trigger from userspace by modifying CPUID after loading CR3. E.g. modifying the state restoration selftest like so:
--- tools/testing/selftests/kvm/x86/statetest.c +++ tools/testing/selftests/kvm/x86/statetest.c @@ -280,7 +280,16 @@ int main(int argc, char *argv[])
/* Restore state in a new VM. */
vcpu = vm_recreate_with_one_vcpu(vm);
- vcpuloadstate(vcpu, state); + + if (stage == 4) { + state->sregs.cr3 = BIT(44); + vcpuloadstate(vcpu, state); + + vcpusetcpuidproperty(vcpu, X86PROPERTYMAXPHY_ADDR, 36); + _vcpunestedstateset(vcpu, &state->nested); + } else { + vcpuloadstate(vcpu, state); + }
/*
* Restore XSAVE state in a dummy vCPU, first without doing
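Review bot: in the `stage == 4` branch the return value of `_vcpunestedstateset(vcpu, &state->nested)` is discarded, so this hunk only reproduces the WARN and can never fail on its own; if it is meant to stay in the selftest as a regression check, assert on that return value (assuming the leading-underscore variant returns the ioctl result instead of asserting success) so the test still catches a regression once the WARN is gone. The `BIT(44)` / `36` pair also warrants a short comment explaining the ordering: CR3 is loaded with bit 44 set while MAXPHYADDR is still large enough for it to be legal, and only then is `X86PROPERTYMAXPHY_ADDR` lowered to 36, so the previously accepted CR3 has a reserved bit set by the time the nested state is restored.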
generates:
WARNING: CPU: 30 PID: 938 at arch/x86/kvm/svm/nested.c:1877 svm_set_nested_state+0x34a/0x360 [kvm_amd]
Modules linked in: kvm_amd kvm irqbypass [last unloaded: kvm]
CPU: 30 UID: 1000 PID: 938 Comm: state_test Tainted: G W 6.18.0-rc7-58e10b63777d-next-vm
Tainted: [W]=WARN
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
RIP: 0010:svm_set_nested_state+0x34a/0x360 [kvm_amd]
Call Trace:
 <TASK>
 kvm_arch_vcpu_ioctl+0xf33/0x1700 [kvm]
 kvm_vcpu_ioctl+0x4e6/0x8f0 [kvm]
 __x64_sys_ioctl+0x8f/0xd0
 do_syscall_64+0x61/0xad0
 entry_SYSCALL_64_after_hwframe+0x4b/0x53
Simply delete the WARN instead of trying to prevent userspace from shoving "illegal" state into CR3. For better or worse, KVM's ABI allows userspace to set CPUID after SREGS, and vice versa, and KVM is very permissive when it comes to guest CPUID. I.e. attempting to enforce the virtual CPU model when setting CPUID could break userspace. Given that the WARN doesn't provide any meaningful protection for KVM or benefit for userspace, simply drop it even though the odds of breaking userspace are minuscule.
Opportunistically delete a spurious newline.
{
"cna_assigner": "Linux",
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43315.json"
}