HOMEVULNERABILITIESCVE-2026-43315
NONE

CVE-2026-43315

Published: May 8, 2026· Updated: May 12, 2026

EPSS:0.02%probability of exploitation in 30 daysPercentile:7.0th

Official Description

In the Linux kernel, the following vulnerability has been resolved:

KVM: nSVM: Remove a user-triggerable WARN on nested_svm_load_cr3() succeeding

Drop the WARN in svm_set_nested_state() on nested_svm_load_cr3() failing

as it is trivially easy to trigger from userspace by modifying CPUID after

loading CR3. E.g. modifying the state restoration selftest like so:

--- tools/testing/selftests/kvm/x86/state_test.c

+++ tools/testing/selftests/kvm/x86/state_test.c

@@ -280,7 +280,16 @@ int main(int argc, char *argv[])

/* Restore state in a new VM. */

vcpu = vm_recreate_with_one_vcpu(vm);

- vcpu_load_state(vcpu, state);

+

+ if (stage == 4) {

+ state->sregs.cr3 = BIT(44);

+ vcpu_load_state(vcpu, state);

+

+ vcpu_set_cpuid_property(vcpu, X86_PROPERTY_MAX_PHY_ADDR, 36);

+ __vcpu_nested_state_set(vcpu, &state->nested);

+ } else {

+ vcpu_load_state(vcpu, state);

+ }

/*

* Restore XSAVE state in a dummy vCPU, first without doing

generates:

WARNING: CPU: 30 PID: 938 at arch/x86/kvm/svm/nested.c:1877 svm_set_nested_state+0x34a/0x360 [kvm_amd]

Modules linked in: kvm_amd kvm irqbypass [last unloaded: kvm]

CPU: 30 UID: 1000 PID: 938 Comm: state_test Tainted: G W 6.18.0-rc7-58e10b63777d-next-vm

Tainted: [W]=WARN

Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015

RIP: 0010:svm_set_nested_state+0x34a/0x360 [kvm_amd]

Call Trace:

<TASK>

kvm_arch_vcpu_ioctl+0xf33/0x1700 [kvm]

kvm_vcpu_ioctl+0x4e6/0x8f0 [kvm]

__x64_sys_ioctl+0x8f/0xd0

do_syscall_64+0x61/0xad0

entry_SYSCALL_64_after_hwframe+0x4b/0x53

Simply delete the WARN instead of trying to prevent userspace from shoving

"illegal" state into CR3. For better or worse, KVM's ABI allows userspace

to set CPUID after SREGS, and vice versa, and KVM is very permissive when

it comes to guest CPUID. I.e. attempting to enforce the virtual CPU model

when setting CPUID could break userspace. Given that the WARN doesn't

provide any meaningful protection for KVM or benefit for userspace, simply

drop it even though the odds of breaking userspace are minuscule.

Opportunistically delete a spurious newline.

NVD Source

Technical Analysis

CVE-2026-43315 requires local access, meaning attackers must already have a foothold on the target system.

Exploitation requires some privileges, which limits the exposure to scenarios where an attacker has already gained initial access.

Affected Vendors & Products

Mentioned vendors (from description):
Linux
CPE data not yet available in NVD for this CVE.

Exploit & PoC Resources

NO KNOWN EXPLOITNo public exploit confirmed at this time
External links open in a new tab. Always verify in a controlled environment before use.

All References (7)

Quick Facts

CVE IDCVE-2026-43315
SeverityNONE
CISA KEVNo
EPSS (30d)0.02%
PublishedMay 8, 2026

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-43315 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.