CVE-2026-23401: KVM: x86/mmu: Drop/zap existing present SPTE even when creating an MMIO SPTE
In the Linux kernel, the following vulnerability has been resolved:
KVM: x86/mmu: Drop/zap existing present SPTE even when creating an MMIO SPTE
When installing an emulated MMIO SPTE, do so *after* dropping/zapping the
existing SPTE (if it's shadow-present). While commit a54aa15c6bda3 was
right about it being impossible to convert a shadow-present SPTE to an
MMIO SPTE due to a _guest_ write, it failed to account for writes to guest
memory that are outside the scope of KVM.
E.g. if host userspace modifies a shadowed gPTE to switch from a memslot
to emulted MMIO and then the guest hits a relevant page fault, KVM will
install the MMIO SPTE without first zapping the shadow-present SPTE.
------------[ cut here ]------------
is_shadow_present_pte(*sptep)
WARNING: arch/x86/kvm/mmu/mmu.c:484 at mark_mmio_spte+0xb2/0xc0 [kvm], CPU#0: vmx_ept_stale_r/4292
Modules linked in: kvm_intel kvm irqbypass
CPU: 0 UID: 1000 PID: 4292 Comm: vmx_ept_stale_r Not tainted 7.0.0-rc2-eafebd2d2ab0-sink-vm #319 PREEMPT
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
RIP: 0010:mark_mmio_spte+0xb2/0xc0 [kvm]
Call Trace:
<TASK>
mmu_set_spte+0x237/0x440 [kvm]
ept_page_fault+0x535/0x7f0 [kvm]
kvm_mmu_do_page_fault+0xee/0x1f0 [kvm]
kvm_mmu_page_fault+0x8d/0x620 [kvm]
vmx_handle_exit+0x18c/0x5a0 [kvm_intel]
kvm_arch_vcpu_ioctl_run+0xc55/0x1c20 [kvm]
kvm_vcpu_ioctl+0x2d5/0x980 [kvm]
__x64_sys_ioctl+0x8a/0xd0
do_syscall_64+0xb5/0x730
entry_SYSCALL_64_after_hwframe+0x4b/0x53
RIP: 0033:0x47fa3f
</TASK>
---[ end trace 0000000000000000 ]---
Security readout for executives and security teams
Plain-English summary
This is a high-severity Linux KVM kernel flaw affecting x86 virtualization. Under a specific memory-management transition, KVM can leave stale shadow page-table state when mapping emulated MMIO. For organizations running KVM hosts, the business concern is guest-to-host virtualization risk, but the provided sources do not show active exploitation.
Executive priority
Treat this as a priority patching item for virtualization infrastructure, not a broad internet-facing emergency. Focus first on production KVM hosts, shared hosting platforms, and systems running untrusted or lower-trust guest workloads.
Technical view
KVM x86/mmu installs an emulated MMIO SPTE without first zapping an existing shadow-present SPTE when host userspace changes a shadowed guest PTE from memslot-backed memory to emulated MMIO. The CVE is classified as CWE-416 with CVSS 8.1, AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H.
Likely exposure
Exposure is most relevant to Linux systems using KVM on x86, especially virtualization hosts. The bundle lists Linux kernel versions and stable kernel commits, but exact affected range semantics are incomplete, so confirm against your distribution's advisory.
Exploitation context
The CVE is not listed as KEV in the supplied bundle, and no cited source states active exploitation. The CVSS vector indicates local access, high attack complexity, no required privileges, no user interaction, changed scope, and high confidentiality, integrity, and availability impact.
Researcher notes
The root issue is stale SPTE handling during MMIO SPTE creation after host userspace changes guest page-table backing. The public bundle provides kernel commit references and Red Hat advisories, but does not provide exploitation proof, affected CPEs, or complete distribution-by-distribution impact.
Mitigation direction
Apply vendor-provided kernel updates for affected KVM hosts.
Review Red Hat errata if running Red Hat Enterprise Linux derivatives.
Track the referenced Linux stable commits for upstream fixed kernels.
Prioritize hypervisors hosting sensitive or multi-tenant workloads.
If no vendor fix is available, seek vendor-specific mitigation guidance.
Validation and detection
Inventory Linux KVM hosts and record running kernel versions.
Compare kernels against distribution advisories for CVE-2026-23401.
Confirm whether x86 KVM modules are loaded on exposed systems.
Verify installed kernels include the referenced stable fixes or vendor errata.
Document unsupported kernels requiring upgrade or isolation.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-416: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
1CVSS vectors
5Timeline events
1ADP providers
29Source links
CVSS vector scores
1 official score
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-416 · source CWE mapping
Use After Free
Use After Free represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.