HIGH
kvm nSVM VMCB Corruption
CVE-2026-43133
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:H
KernelScan AI7.3HIGH
01Description
In the Linux kernel, the following vulnerability has been resolved: KVM: nSVM: Always use vmcb01 in VMLOAD/VMSAVE emulation Commit cc3ed80ae69f ("KVM: nSVM: always use vmcb01 to for vmsave/vmload of guest state") made KVM always use vmcb01 for the fields controlled by VMSAVE/VMLOAD, but it missed updating the VMLOAD/VMSAVE emulation code to always use vmcb01. As a result, if VMSAVE/VMLOAD is executed by an L2 guest and is not intercepted by L1, KVM will mistakenly use vmcb02. Always use vmcb01 instead of the current VMCB.
02KernelScan AI Analysis
Risk summary
Nested virtualization environments using AMD SVM are at risk of information disclosure, integrity corruption, and guest state corruption when L2 guests execute VMLOAD/VMSAVE instructions. The hypervisor mistakenly uses vmcb02 instead of vmcb01, causing stale or uninitialized state to be saved to guest memory (info leak) and attacker-controlled values to be written into hypervisor-managed VMCB state. This can lead to guest crashes and potential hypervisor instability in cloud and virtualization platforms.
Vulnerability analysis
The vulnerability stems from inconsistent VMCB (Virtual Machine Control Block) usage in KVM's nested SVM implementation. While commit cc3ed80ae69f standardized KVM to always use vmcb01 for VMSAVE/VMLOAD operations, the emulation code for these instructions was not updated accordingly. When an L2 guest executes VMLOAD/VMSAVE and L1 doesn't intercept it, KVM mistakenly operates on vmcb02 instead of vmcb01. For VMSAVE, this copies stale or uninitialized vmcb02 fields into L1-accessible guest memory (vmcb12), creating an information-leak primitive. For VMLOAD, this writes attacker-controlled values from vmcb12 into the hypervisor's vmcb02, corrupting hypervisor-managed guest state. The fix ensures both the actual hardware operations and emulation code consistently use vmcb01, preventing information disclosure and state corruption in nested virtualization scenarios.
03Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.15 | 5.15.202 | 10063e1251c1 |
| 6.1 | 6.1.165 | c3b701500098 |
| 6.12 | 6.12.75 | fce2fd4a2ca0 |
| 6.18 | 6.18.16 | d464cf1ed900 |
| 6.19 | 6.19.6 | 0004ecb798b3 |
| 6.6 | 6.6.128 | 3880e331b0b3 |
| mainline | 7.0 | 127ccae2c185 |