GHSA-P7J5-R5CQ-H6QJ

Vulnerability from github – Published: 2026-05-06 12:30 – Updated: 2026-05-08 21:31
VLAI?
Details

In the Linux kernel, the following vulnerability has been resolved:

KVM: x86: Ignore -EBUSY when checking nested events from vcpu_block()

Ignore -EBUSY when checking nested events after exiting a blocking state while L2 is active, as exiting to userspace will generate a spurious userspace exit, usually with KVM_EXIT_UNKNOWN, and likely lead to the VM's demise. Continuing with the wakeup isn't perfect either, as something has gone sideways if a vCPU is awakened in L2 with an injected event (or worse, a nested run pending), but continuing on gives the VM a decent chance of surviving without any major side effects.

As explained in the Fixes commits, it should be impossible for a vCPU to be put into a blocking state with an already-injected event (exception, IRQ, or NMI). Unfortunately, userspace can stuff MP_STATE and/or injected events, and thus put the vCPU into what should be an impossible state.

Don't bother trying to preserve the WARN, e.g. with an anti-syzkaller Kconfig, as WARNs can (hopefully) be added in paths where KVM would be violating x86 architecture, e.g. by WARNing if KVM attempts to inject an exception or interrupt while the vCPU isn't running.

Severity ?
5.5 (Medium)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Show details on source website
To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2026-43265"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-06T12:16:47Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86: Ignore -EBUSY when checking nested events from vcpu_block()\n\nIgnore -EBUSY when checking nested events after exiting a blocking state\nwhile L2 is active, as exiting to userspace will generate a spurious\nuserspace exit, usually with KVM_EXIT_UNKNOWN, and likely lead to the VM\u0027s\ndemise.  Continuing with the wakeup isn\u0027t perfect either, as *something*\nhas gone sideways if a vCPU is awakened in L2 with an injected event (or\nworse, a nested run pending), but continuing on gives the VM a decent\nchance of surviving without any major side effects.\n\nAs explained in the Fixes commits, it _should_ be impossible for a vCPU to\nbe put into a blocking state with an already-injected event (exception,\nIRQ, or NMI).  Unfortunately, userspace can stuff MP_STATE and/or injected\nevents, and thus put the vCPU into what should be an impossible state.\n\nDon\u0027t bother trying to preserve the WARN, e.g. with an anti-syzkaller\nKconfig, as WARNs can (hopefully) be added in paths where _KVM_ would be\nviolating x86 architecture, e.g. by WARNing if KVM attempts to inject an\nexception or interrupt while the vCPU isn\u0027t running.",
  "id": "GHSA-p7j5-r5cq-h6qj",
  "modified": "2026-05-08T21:31:21Z",
  "published": "2026-05-06T12:30:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43265"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1c957773063ed3264953597e32990a748381caf6"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1e88b5f854bdb469424132e0bb44793ad7a7c20a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2657439265d34a911886b916ba8be97ecc117d51"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/78265cd066d73a5cb41c088fcae4a2515e480d97"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ead63640d4e72e6f6d464f4e31f7fecb79af8869"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ec3be7dc9391085a2d96700e159d66d1328b7ff6"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.