HOMEVULNERABILITIESCVE-2026-45987
NONE

CVE-2026-45987

Published: May 27, 2026· Updated: Jun 1, 2026

Official Description

In the Linux kernel, the following vulnerability has been resolved:

KVM: nSVM: Sync interrupt shadow to cached vmcb12 after VMRUN of L2

After VMRUN in guest mode, nested_sync_control_from_vmcb02() syncs

fields written by the CPU from vmcb02 to the cached vmcb12. This is

because the cached vmcb12 is used as the authoritative copy of some of

the controls, and is the payload when saving/restoring nested state.

int_state is also written by the CPU, specifically bit 0 (i.e.

SVM_INTERRUPT_SHADOW_MASK) for nested VMs, but it is not sync'd to

cached vmcb12. This does not cause a problem if KVM_SET_NESTED_STATE

preceeds KVM_SET_VCPU_EVENTS in the restore path, as an interrupt shadow

would be correctly restored to vmcb02 (KVM_SET_VCPU_EVENTS overwrites

what KVM_SET_NESTED_STATE restored in int_state).

However, if KVM_SET_VCPU_EVENTS preceeds KVM_SET_NESTED_STATE, an

interrupt shadow would be restored into vmcb01 instead of vmcb02. This

would mostly be benign for L1 (delays an interrupt), but not for L2. For

L2, the vCPU could hang (e.g. if a wakeup interrupt is delivered before

a HLT that should have been in an interrupt shadow).

Sync int_state to the cached vmcb12 in nested_sync_control_from_vmcb02()

to avoid this problem. With that, KVM_SET_NESTED_STATE restores the

correct interrupt shadow state, and if KVM_SET_VCPU_EVENTS follows it

would overwrite it with the same value.

NVD Source

Technical Analysis

CVE-2026-45987 requires local access, meaning attackers must already have a foothold on the target system.

Exploitation requires some privileges, which limits the exposure to scenarios where an attacker has already gained initial access.

Affected Vendors & Products

Mentioned vendors (from description):
Linux
CPE data not yet available in NVD for this CVE.

Exploit & PoC Resources

NO KNOWN EXPLOITNo public exploit confirmed at this time
External links open in a new tab. Always verify in a controlled environment before use.

All References (8)

Quick Facts

CVE IDCVE-2026-45987
SeverityNONE
CISA KEVNo
PublishedMay 27, 2026

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-45987 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.