KernelScan.io

HIGH

x86/amd OpCache Corruption

CVE-2026-46174

CVSS 8.8 / 10.0 NVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

KernelScan AI 7.6 HIGH

In the Linux kernel, the following vulnerability has been resolved:

x86/CPU/AMD: Prevent improper isolation of shared resources in Zen2's op cache

Make sure resources are not improperly shared in the op cache and cause instruction corruption this way.

Engine v0.2.0

Risk summary

AMD Zen2 processors have a hardware bug where the operation cache improperly shares resources between execution contexts, potentially causing instruction corruption. The Linux kernel failed to apply the required bare-metal workaround, leaving systems vulnerable to cross-context corruption. An attacker with local unprivileged code execution can trigger this hardware erratum to corrupt instructions in other contexts (including the kernel), potentially leading to privilege escalation, limited information disclosure, or system instability. This is especially relevant for multi-tenant systems, container hosts, and hypervisors running on affected Zen2 CPUs.

Affected: arch/x86/kernel/cpu/amd.c (AMD CPU initialization)

Vulnerability analysis

The root cause is a missing hardware workaround in the Linux kernel for AMD Zen2's operation cache. During CPU initialization, the kernel does not set bit 33 in the MSR_ZEN4_BP_CFG register on bare-metal systems (the write is intentionally skipped when running under a hypervisor). Without this MSR configuration, the op cache is improperly shared between execution contexts—such as sibling threads, processes, or privilege levels—allowing one context to influence the decoded instructions of another. The attack surface is local: any unprivileged code executing on the affected physical CPU can trigger the erratum. Because the resulting instruction corruption can cross security boundaries (e.g., from user space into kernel space or between guests), the scope changes. Successful exploitation can subvert kernel integrity and cause crashes or unpredictable execution.

Branch      Fixed in    Patch commit
3.17        3.17        1e23b30a80b1
4.10        4.10        251497955f23
4.5         4.5         f5bc3aef7df4
5.10        5.10.256    ff6fc65b3bf7
5.15        5.15.207    9109489cc8c3
6.1         6.1.173     28f5ed477eef
6.12        6.12.88     c21b90f77687
6.18        6.18.30
6.6         6.6.139     1cd85a19748b
7.0         7.0.7
mainline    7.1-rc4