LiveActive security incident?Get immediate response
CVE Record

CVE-2026-23401: KVM: x86/mmu: Drop/zap existing present SPTE even when creating an MMIO SPTE

In the Linux kernel, the following vulnerability has been resolved: KVM: x86/mmu: Drop/zap existing present SPTE even when creating an MMIO SPTE When installing an emulated MMIO SPTE, do so *after* dropping/zapping the existing SPTE (if it's shadow-present). While commit a54aa15c6bda3 was right about it being impossible to convert a shadow-present SPTE to an MMIO SPTE due to a _guest_ write, it failed to account for writes to guest memory that are outside the scope of KVM. E.g. if host userspace modifies a shadowed gPTE to switch from a memslot to emulted MMIO and then the guest hits a relevant page fault, KVM will install the MMIO SPTE without first zapping the shadow-present SPTE. ------------[ cut here ]------------ is_shadow_present_pte(*sptep) WARNING: arch/x86/kvm/mmu/mmu.c:484 at mark_mmio_spte+0xb2/0xc0 [kvm], CPU#0: vmx_ept_stale_r/4292 Modules linked in: kvm_intel kvm irqbypass CPU: 0 UID: 1000 PID: 4292 Comm: vmx_ept_stale_r Not tainted 7.0.0-rc2-eafebd2d2ab0-sink-vm #319 PREEMPT Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 RIP: 0010:mark_mmio_spte+0xb2/0xc0 [kvm] Call Trace: <TASK> mmu_set_spte+0x237/0x440 [kvm] ept_page_fault+0x535/0x7f0 [kvm] kvm_mmu_do_page_fault+0xee/0x1f0 [kvm] kvm_mmu_page_fault+0x8d/0x620 [kvm] vmx_handle_exit+0x18c/0x5a0 [kvm_intel] kvm_arch_vcpu_ioctl_run+0xc55/0x1c20 [kvm] kvm_vcpu_ioctl+0x2d5/0x980 [kvm] __x64_sys_ioctl+0x8a/0xd0 do_syscall_64+0xb5/0x730 entry_SYSCALL_64_after_hwframe+0x4b/0x53 RIP: 0033:0x47fa3f </TASK> ---[ end trace 0000000000000000 ]---

HighCVSS 8.1Not KEV-listedUpdated
Glexia's TakeAutomated analysishigh

Security readout for executives and security teams

Plain-English summary

This is a high-severity Linux KVM kernel flaw affecting x86 virtualization. Under a specific memory-management transition, KVM can leave stale shadow page-table state when mapping emulated MMIO. For organizations running KVM hosts, the business concern is guest-to-host virtualization risk, but the provided sources do not show active exploitation.

Executive priority

Treat this as a priority patching item for virtualization infrastructure, not a broad internet-facing emergency. Focus first on production KVM hosts, shared hosting platforms, and systems running untrusted or lower-trust guest workloads.

Technical view

KVM x86/mmu installs an emulated MMIO SPTE without first zapping an existing shadow-present SPTE when host userspace changes a shadowed guest PTE from memslot-backed memory to emulated MMIO. The CVE is classified as CWE-416 with CVSS 8.1, AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H.

Likely exposure

Exposure is most relevant to Linux systems using KVM on x86, especially virtualization hosts. The bundle lists Linux kernel versions and stable kernel commits, but exact affected range semantics are incomplete, so confirm against your distribution's advisory.

Exploitation context

The CVE is not listed as KEV in the supplied bundle, and no cited source states active exploitation. The CVSS vector indicates local access, high attack complexity, no required privileges, no user interaction, changed scope, and high confidentiality, integrity, and availability impact.

Researcher notes

The root issue is stale SPTE handling during MMIO SPTE creation after host userspace changes guest page-table backing. The public bundle provides kernel commit references and Red Hat advisories, but does not provide exploitation proof, affected CPEs, or complete distribution-by-distribution impact.

Mitigation direction

  • Apply vendor-provided kernel updates for affected KVM hosts.
  • Review Red Hat errata if running Red Hat Enterprise Linux derivatives.
  • Track the referenced Linux stable commits for upstream fixed kernels.
  • Prioritize hypervisors hosting sensitive or multi-tenant workloads.
  • If no vendor fix is available, seek vendor-specific mitigation guidance.

Validation and detection

  • Inventory Linux KVM hosts and record running kernel versions.
  • Compare kernels against distribution advisories for CVE-2026-23401.
  • Confirm whether x86 KVM modules are loaded on exposed systems.
  • Verify installed kernels include the referenced stable fixes or vendor errata.
  • Document unsupported kernels requiring upgrade or isolation.
Prepared
Confidence
medium
Sources
12

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · low confidence lookup

CWE-416: Exact CWE lookup

Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2026-23401 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
High
CVSS
8.1 (3.1)
Known Exploited
No
Published

Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

1CVSS vectors
5Timeline events
1ADP providers
29Source links

CVSS vector scores

1 official score

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
8.1CVSS 3.1HighCVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H1.46redhat-SADP

Vulnerability scoring details

Base CVSS 3.1 score

8.1High
CVSS 3.1 vector shape for CVE-2026-23401Attack VectorAttack ComplexityPrivileges RequiredUser InteractionScopeConfidentiality ImpactIntegrity ImpactAvailability Impact

Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Privileges Required
NoneLowHigh
User Interaction
NoneRequired
Scope
ChangedUnchanged
Confidentiality Impact
HighLowNone
Integrity Impact
HighLowNone
Availability Impact
HighLowNone

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. ADP timelineredhat-SADP

    Reported to Red Hat.

  3. ADP timelineredhat-SADP

    Made public.

  4. CVE publishedCVE Program

    The CVE record was published.

  5. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

redhat-SADPkernel: Linux kernel KVM: Privilege escalation or denial of service due to improper shadow page table entry handling
other:Red Hat severity ratingcvssV3_1
  • 2026-04-01T00:00:00.000Z: Reported to Red Hat.
  • 2026-04-01T00:00:00.000Z: Made public.

Source materials

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinuxa54aa15c6bda3ca7e2f9e040ba968a1da303e24f, a54aa15c6bda3ca7e2f9e040ba968a1da303e24f, a54aa15c6bda3ca7e2f9e040ba968a1da303e24f, a54aa15c6bda3ca7e2f9e040ba968a1da303e24f, a54aa15c6bda3ca7e2f9e040ba968a1da303e24f, a54aa15c6bda3ca7e2f9e040ba968a1da303e24f, a54aa15c6bda3ca7e2f9e040ba968a1da303e24funaffected
LinuxLinux5.13, 0, 5.15.203, 6.1.168, 6.6.131, 6.12.80, 6.18.21, 6.19.11, 7.0affected
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.

CWE-416 · source CWE mapping

Use After Free

Use After Free represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.