#VU124946 Improper Initialization in Linux kernel - CVE-2026-23425
Published: April 6, 2026
Vulnerability identifier: #VU124946
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-23425
CWE-ID: CWE-665
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vulnerable software:
Linux kernel
Linux kernel
Software vendor:
Linux Foundation
Linux Foundation
Description
The vulnerability allows a local user to cause state corruption.
The vulnerability exists due to improper initialization in ID register initialization for non-protected pKVM guests when initializing the hypervisor kvm structure from the host state. A local user can create a non-protected VM to cause state corruption.
The issue affects non-protected arm64 pKVM guests because the ID register initialized flag can be copied without the underlying id_regs data being initialized, causing feature checks at EL2 to fail and some system registers to not be saved or restored during the world switch.
Remediation
Install security update from vendor's repository.