Improper input validation in Linux kernel - CVE-2026-43265
Published: May 7, 2026
Linux kernel
Detailed vulnerability description
The vulnerability allows a remote user to cause a denial of service.
The vulnerability exists due to improper state validation in the KVM x86 nested virtualization code when it processes userspace-supplied MP_STATE or injected events for a blocked vCPU while L2 is active. A remote user can place the vCPU into an invalid state to cause a denial of service.
The issue can result in a spurious userspace exit, typically with KVM_EXIT_UNKNOWN, after the vCPU exits a blocking state.
How to mitigate CVE-2026-43265
Sources
- https://git.kernel.org/stable/c/1c957773063ed3264953597e32990a748381caf6
- https://git.kernel.org/stable/c/1e88b5f854bdb469424132e0bb44793ad7a7c20a
- https://git.kernel.org/stable/c/2657439265d34a911886b916ba8be97ecc117d51
- https://git.kernel.org/stable/c/78265cd066d73a5cb41c088fcae4a2515e480d97
- https://git.kernel.org/stable/c/ead63640d4e72e6f6d464f4e31f7fecb79af8869
- https://git.kernel.org/stable/c/ec3be7dc9391085a2d96700e159d66d1328b7ff6