Incomplete Blacklist to Cross-Site Scripting in Linux kernel - CVE-2026-23402

 

Incomplete Blacklist to Cross-Site Scripting in Linux kernel - CVE-2026-23402

Published: April 1, 2026


Vulnerability identifier: #VU124779
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-23402
CWE-ID: CWE-692
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: Linux Foundation
Affected software:
Linux kernel

Detailed vulnerability description

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper input validation in KVM's x86/mmu component when handling SPTE updates from host userspace. A local user can trigger a warning condition that leads to a system crash to cause a denial of service.

Exploitation requires access to host userspace and affects virtualized environments using KVM with EPT. The issue arises when modifying SPTEs outside KVM's write tracking scope.


How to mitigate CVE-2026-23402

Install security update from vendor's repository.

Sources