SB2026050750 - Improper input validation in Linux kernel x86 kvm
Published: May 7, 2026
Description
This security bulletin contains information about 1 vulnerability.
1) Improper input validation (CVE-ID: CVE-2026-43265)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to cause a denial of service.
The vulnerability exists due to improper state validation in KVM x86 nested virtualization handling when processing userspace-supplied MP_STATE or injected events for a blocked vCPU while L2 is active. A remote user can place the vCPU into an invalid state to cause a denial of service.
The issue can result in a spurious userspace exit, typically with KVM_EXIT_UNKNOWN, after exiting a blocking state.
Remediation
Install the update from the vendor's website.
References
- https://git.kernel.org/stable/c/1c957773063ed3264953597e32990a748381caf6
- https://git.kernel.org/stable/c/1e88b5f854bdb469424132e0bb44793ad7a7c20a
- https://git.kernel.org/stable/c/2657439265d34a911886b916ba8be97ecc117d51
- https://git.kernel.org/stable/c/78265cd066d73a5cb41c088fcae4a2515e480d97
- https://git.kernel.org/stable/c/ead63640d4e72e6f6d464f4e31f7fecb79af8869
- https://git.kernel.org/stable/c/ec3be7dc9391085a2d96700e159d66d1328b7ff6