Threat Advisory

Linux KVM Hypervisor Flaw Grants Host Code Execution

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: Critical
[subscribe_to_unlock_form]

EXECUTIVE SUMMARY:

Multiple security vulnerabilities have been identified in Linux's KVM hypervisor that can be triggered from a guest virtual machine to corrupt the shadow-page state of the host kernel that runs it. The flaws sit in the shadow MMU code that KVM shares across both Intel and AMD systems. Affected versions include kernel 2.6.36 era and later.

CVE-2026-53359: A use-after-free bug in Linux's KVM hypervisor can be triggered from a guest virtual machine to corrupt the shadow-page state of the host kernel that runs it, allowing an attacker to gain full host code execution. These vulnerabilities collectively present a significant risk to any x86 environment that hosts untrusted guests with nested virtualization enabled. Administrators should apply updates as soon as possible to mitigate this risk.[/subscribe_to_unlock_form]

EXECUTIVE SUMMARY:

Multiple security vulnerabilities have been identified in Linux's KVM hypervisor that can be triggered from a guest virtual machine to corrupt the shadow-page state of the host kernel that runs it. The flaws sit in the shadow MMU code that KVM shares across both Intel and AMD systems. Affected versions include kernel 2.6.36 era and later.

CVE-2026-53359: A use-after-free bug in Linux's KVM hypervisor can be triggered from a guest virtual machine to corrupt the shadow-page state of the host kernel that runs it, allowing an attacker to gain full host code execution. These vulnerabilities collectively present a significant risk to any x86 environment that hosts untrusted guests with nested virtualization enabled. Administrators should apply updates as soon as possible to mitigate this risk.[emaillocker id="1283"]

CVE-2026-43284: A page-cache write vulnerability chain that delivers deterministic root on most major distributions, extending the same bug class as Dirty Pipe and Copy Fail.

CVE-2026-43500: A page-cache write vulnerability chain that delivers deterministic root on most major distributions, extending the same bug class as Dirty Pipe and Copy Fail.

CVE-2026-46316: The first publicly demonstrated guest-to-host escape on KVM/arm64, exploiting a race condition in the virtual interrupt controller.

CVE-2026-46113: Involving a related but distinct rmap mismatch was fixed in May 2026. These vulnerabilities collectively present a significant risk to any x86 environment that hosts untrusted guests with nested virtualization enabled.

These vulnerabilities collectively present a significant risk to any x86 environment that hosts untrusted guests with nested virtualization enabled.

RECOMMENDATION:

We recommend you update Linux kernel to 7.1.3, or later.

REFERENCES:

The following reports contain further technical details:

[/emaillocker]
crossmenu