CVE-2026-52969
Severity: HIGH

Published: June 24, 2026 · Updated: June 30, 2026

CVSS v3.1 base score: 7.0
EPSS: 0.19% probability of exploitation in 30 days (8.7th percentile)

Official Description

In the Linux kernel, the following vulnerability has been resolved:

KVM: Reject wrapped offset in kvm_reset_dirty_gfn()

kvm_reset_dirty_gfn() guards the gfn range with

    if (!memslot || (offset + __fls(mask)) >= memslot->npages)
        return;

but offset is u64 and the addition is unchecked. The check can be silently bypassed by a u64 wrap.

The dirty ring backing those entries is MAP_SHARED at KVM_DIRTY_LOG_PAGE_OFFSET of the vcpu fd, so the VMM can rewrite the slot and offset fields of any entry between when the kernel pushes them and when KVM_RESET_DIRTY_RINGS consumes them. On reset, kvm_dirty_ring_reset() re-reads the values via READ_ONCE() and feeds them straight back into this check; only the flags handshake is treated as the handover, the slot/offset payload is taken on trust.

Crafting two entries

    entry[i].offset = 0xffffffffffffffc1
    entry[i+1].offset = 0

makes the coalescing loop in kvm_dirty_ring_reset() compute

    delta = (s64)(0 - 0xffffffffffffffc1) = 63

which falls in [0, BITS_PER_LONG), so it folds entry[i+1] into the existing mask by setting bit 63. The trailing kvm_reset_dirty_gfn() call then sees offset = 0xffffffffffffffc1 and __fls(mask) = 63; the sum is 0 in u64 and the bounds check passes.

That offset propagates into kvm_arch_mmu_enable_log_dirty_pt_masked() unchanged. On the legacy MMU path -- kvm_memslots_have_rmaps() == true, i.e. shadow paging, any VM that has allocated shadow roots, or a write-tracked slot -- it reaches gfn_to_rmap(), which indexes slot->arch.rmap[0][] with a near-U64_MAX gfn. That is an out-of-bounds load of a kvm_rmap_head, followed by a conditional clear of PT_WRITABLE_MASK in whatever the loaded pointer points at.

The path is reachable from any process holding /dev/kvm.

Range-check offset on its own first, so the addition cannot wrap. memslot->npages is bounded well below U64_MAX, so once offset < npages holds, offset + __fls(mask) (with __fls(mask) < BITS_PER_LONG) stays in range.
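The wrap described above and the effect of range-checking offset first, as an added C illustration that is not the kernel's code or the patch itself: fls_index() stands in for __fls(), coalesce_mask() is a simplified model of the coalescing loop, and the memslot size is a constructed value.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define BITS_PER_LONG 64

/* Stand-in for the kernel's __fls(): index of the highest set bit (mask != 0). */
static unsigned int fls_index(uint64_t mask)
{
    unsigned int i = BITS_PER_LONG - 1;
    while (!((mask >> i) & 1))
        i--;
    return i;
}

/* Original guard: the u64 sum wraps when offset is near U64_MAX. */
bool gfn_range_ok_vulnerable(uint64_t offset, uint64_t mask, uint64_t npages)
{
    if (mask == 0) return false;
    return (offset + fls_index(mask)) < npages;
}

/* Hardened guard: check offset on its own first; with offset < npages and
 * __fls(mask) < BITS_PER_LONG the sum can no longer wrap. */
bool gfn_range_ok_fixed(uint64_t offset, uint64_t mask, uint64_t npages)
{
    if (mask == 0 || offset >= npages) return false;
    return (offset + fls_index(mask)) < npages;
}

/* Simplified model of the coalescing step: entry[i+1] is folded into
 * entry[i]'s mask when the signed offset delta lies in [0, BITS_PER_LONG). */
uint64_t coalesce_mask(uint64_t offset_i, uint64_t offset_next)
{
    uint64_t mask = 1;   /* bit 0: entry[i] itself */
    int64_t delta = (int64_t)(offset_next - offset_i);
    if (delta >= 0 && delta < BITS_PER_LONG)
        mask |= (uint64_t)1 << delta;
    return mask;
}

int main(void)
{
    uint64_t off = 0xffffffffffffffc1ULL;   /* entry[i].offset from the advisory */
    uint64_t mask = coalesce_mask(off, 0);  /* entry[i+1].offset = 0 sets bit 63 */
    printf("mask=0x%016llx vulnerable=%d fixed=%d\n", (unsigned long long)mask,
           gfn_range_ok_vulnerable(off, mask, 0x1000), gfn_range_ok_fixed(off, mask, 0x1000));
    return 0;
}
```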

Source: NVD

Technical Analysis

CVE-2026-52969 requires local access: an attacker must already have a foothold on the target system.

Exploitation requires only low privileges, which limits exposure to scenarios where an attacker has already gained initial access.

A successful exploit results in a complete confidentiality breach (data exposure), full integrity compromise (data manipulation) and availability disruption (denial of service); the CVSS base score is 7.0.

CVSS v3.1 Vector Breakdown

Exploitability
  Attack Vector:      Local
  Attack Complexity:  High
  Privileges Req.:    Low
  User Interaction:   None
  Scope:              Unchanged
Impact
  Confidentiality:    High
  Integrity:          High
  Availability:       High
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected Vendors & Products

Mentioned vendors (from description): Linux
CPE data not yet available in NVD for this CVE.

Exploit & PoC Resources

No known exploit: no public exploit confirmed at this time.


Quick Facts

CVE ID:      CVE-2026-52969
CVSS Score:  7.0 / 10
Severity:    HIGH
CISA KEV:    No
EPSS (30d):  0.19%
Published:   Jun 24, 2026

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-52969 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.