{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23401", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:46.012Z", "datePublished": "2026-04-01T08:36:32.367Z", "dateUpdated": "2026-05-11T22:06:11.775Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:06:11.775Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86/mmu: Drop/zap existing present SPTE even when creating an MMIO SPTE\n\nWhen installing an emulated MMIO SPTE, do so *after* dropping/zapping the\nexisting SPTE (if it's shadow-present). While commit a54aa15c6bda3 was\nright about it being impossible to convert a shadow-present SPTE to an\nMMIO SPTE due to a _guest_ write, it failed to account for writes to guest\nmemory that are outside the scope of KVM.\n\nE.g. if host userspace modifies a shadowed gPTE to switch from a memslot\nto emulted MMIO and then the guest hits a relevant page fault, KVM will\ninstall the MMIO SPTE without first zapping the shadow-present SPTE.\n\n ------------[ cut here ]------------\n is_shadow_present_pte(*sptep)\n WARNING: arch/x86/kvm/mmu/mmu.c:484 at mark_mmio_spte+0xb2/0xc0 [kvm], CPU#0: vmx_ept_stale_r/4292\n Modules linked in: kvm_intel kvm irqbypass\n CPU: 0 UID: 1000 PID: 4292 Comm: vmx_ept_stale_r Not tainted 7.0.0-rc2-eafebd2d2ab0-sink-vm #319 PREEMPT\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015\n RIP: 0010:mark_mmio_spte+0xb2/0xc0 [kvm]\n Call Trace:\n <TASK>\n mmu_set_spte+0x237/0x440 [kvm]\n ept_page_fault+0x535/0x7f0 [kvm]\n kvm_mmu_do_page_fault+0xee/0x1f0 [kvm]\n kvm_mmu_page_fault+0x8d/0x620 [kvm]\n vmx_handle_exit+0x18c/0x5a0 [kvm_intel]\n kvm_arch_vcpu_ioctl_run+0xc55/0x1c20 [kvm]\n kvm_vcpu_ioctl+0x2d5/0x980 [kvm]\n __x64_sys_ioctl+0x8a/0xd0\n do_syscall_64+0xb5/0x730\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\n RIP: 0033:0x47fa3f\n </TASK>\n ---[ end trace 0000000000000000 ]---"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["arch/x86/kvm/mmu/mmu.c"], "versions": [{"version": "a54aa15c6bda3ca7e2f9e040ba968a1da303e24f", "lessThan": "20656cd1f243d3a154aac5dd1b823110b6906fe1", "status": "affected", "versionType": "git"}, {"version": "a54aa15c6bda3ca7e2f9e040ba968a1da303e24f", "lessThan": "ed5909992f344a7d3f4024261e9f751d9618a27d", "status": "affected", "versionType": "git"}, {"version": "a54aa15c6bda3ca7e2f9e040ba968a1da303e24f", "lessThan": "fd28c5618699180cd69619801e9ae6a5266c0a22", "status": "affected", "versionType": "git"}, {"version": "a54aa15c6bda3ca7e2f9e040ba968a1da303e24f", "lessThan": "459158151a158a6703b49f3c9de0e536d8bd553f", "status": "affected", "versionType": "git"}, {"version": "a54aa15c6bda3ca7e2f9e040ba968a1da303e24f", "lessThan": "695320de6eadb75aaed8be1787c4ce4c189e4c7b", "status": "affected", "versionType": "git"}, {"version": "a54aa15c6bda3ca7e2f9e040ba968a1da303e24f", "lessThan": "bce7fe59d43531623f3e43779127bfb33804925d", "status": "affected", "versionType": "git"}, {"version": "a54aa15c6bda3ca7e2f9e040ba968a1da303e24f", "lessThan": "aad885e774966e97b675dfe928da164214a71605", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["arch/x86/kvm/mmu/mmu.c"], "versions": [{"version": "5.13", "status": "affected"}, {"version": "0", "lessThan": "5.13", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.203", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.168", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.131", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.80", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.21", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.11", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.13", "versionEndExcluding": "5.15.203"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.13", "versionEndExcluding": "6.1.168"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.13", "versionEndExcluding": "6.6.131"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.13", "versionEndExcluding": "6.12.80"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.13", "versionEndExcluding": "6.18.21"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.13", "versionEndExcluding": "6.19.11"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.13", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/20656cd1f243d3a154aac5dd1b823110b6906fe1"}, {"url": "https://git.kernel.org/stable/c/ed5909992f344a7d3f4024261e9f751d9618a27d"}, {"url": "https://git.kernel.org/stable/c/fd28c5618699180cd69619801e9ae6a5266c0a22"}, {"url": "https://git.kernel.org/stable/c/459158151a158a6703b49f3c9de0e536d8bd553f"}, {"url": "https://git.kernel.org/stable/c/695320de6eadb75aaed8be1787c4ce4c189e4c7b"}, {"url": "https://git.kernel.org/stable/c/bce7fe59d43531623f3e43779127bfb33804925d"}, {"url": "https://git.kernel.org/stable/c/aad885e774966e97b675dfe928da164214a71605"}], "title": "KVM: x86/mmu: Drop/zap existing present SPTE even when creating an MMIO SPTE", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "CC3F58C6-09EC-41E6-8E82-613F5965C0DB", "versionEndExcluding": "5.15.203", "versionStartIncluding": "5.13.1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "E2DDDCA1-6DAB-4018-B920-8F045DDD8D3B", "versionEndExcluding": "6.1.168", "versionStartIncluding": "5.16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "CE6ED4D4-0046-4573-BFA9-D64143B6A89F", "versionEndExcluding": "6.6.131", "versionStartIncluding": "6.2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "97EB19EC-A11E-49C6-9D2F-6F6EC6CB98B6", "versionEndExcluding": "6.12.80", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "ED39847A-3B46-4729-B7CA-B2C30B9FA8FE", "versionEndExcluding": "6.18.21", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "4CA2E747-A9EC-4518-9AA2-B4247FC748B7", "versionEndExcluding": "6.19.11", "versionStartIncluding": "6.19", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.13:-:*:*:*:*:*:*", "matchCriteriaId": "8F0E7012-0BA3-4E6A-ADE9-57973CBDEE28", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*", "matchCriteriaId": "58A9FEFF-C040-420D-8F0A-BFDAAA1DF258", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*", "matchCriteriaId": "1D2315C0-D46F-4F85-9754-F9E5E11374A6", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*", "matchCriteriaId": "512EE3A8-A590-4501-9A94-5D4B268D6138", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86/mmu: Drop/zap existing present SPTE even when creating an MMIO SPTE\n\nWhen installing an emulated MMIO SPTE, do so *after* dropping/zapping the\nexisting SPTE (if it's shadow-present). While commit a54aa15c6bda3 was\nright about it being impossible to convert a shadow-present SPTE to an\nMMIO SPTE due to a _guest_ write, it failed to account for writes to guest\nmemory that are outside the scope of KVM.\n\nE.g. if host userspace modifies a shadowed gPTE to switch from a memslot\nto emulted MMIO and then the guest hits a relevant page fault, KVM will\ninstall the MMIO SPTE without first zapping the shadow-present SPTE.\n\n ------------[ cut here ]------------\n is_shadow_present_pte(*sptep)\n WARNING: arch/x86/kvm/mmu/mmu.c:484 at mark_mmio_spte+0xb2/0xc0 [kvm], CPU#0: vmx_ept_stale_r/4292\n Modules linked in: kvm_intel kvm irqbypass\n CPU: 0 UID: 1000 PID: 4292 Comm: vmx_ept_stale_r Not tainted 7.0.0-rc2-eafebd2d2ab0-sink-vm #319 PREEMPT\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015\n RIP: 0010:mark_mmio_spte+0xb2/0xc0 [kvm]\n Call Trace:\n <TASK>\n mmu_set_spte+0x237/0x440 [kvm]\n ept_page_fault+0x535/0x7f0 [kvm]\n kvm_mmu_do_page_fault+0xee/0x1f0 [kvm]\n kvm_mmu_page_fault+0x8d/0x620 [kvm]\n vmx_handle_exit+0x18c/0x5a0 [kvm_intel]\n kvm_arch_vcpu_ioctl_run+0xc55/0x1c20 [kvm]\n kvm_vcpu_ioctl+0x2d5/0x980 [kvm]\n __x64_sys_ioctl+0x8a/0xd0\n do_syscall_64+0xb5/0x730\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\n RIP: 0033:0x47fa3f\n </TASK>\n ---[ end trace 0000000000000000 ]---"}], "id": "CVE-2026-23401", "lastModified": "2026-04-24T15:17:19.790", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-01T09:16:15.260", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/20656cd1f243d3a154aac5dd1b823110b6906fe1"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/459158151a158a6703b49f3c9de0e536d8bd553f"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/695320de6eadb75aaed8be1787c4ce4c189e4c7b"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/aad885e774966e97b675dfe928da164214a71605"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/bce7fe59d43531623f3e43779127bfb33804925d"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/ed5909992f344a7d3f4024261e9f751d9618a27d"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/fd28c5618699180cd69619801e9ae6a5266c0a22"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: KVM: x86/mmu: Drop/zap existing present SPTE even when creating an MMIO SPTE", "id": "2453803", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2453803"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.1", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-416", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nKVM: x86/mmu: Drop/zap existing present SPTE even when creating an MMIO SPTE\nWhen installing an emulated MMIO SPTE, do so *after* dropping/zapping the\nexisting SPTE (if it's shadow-present). While commit a54aa15c6bda3 was\nright about it being impossible to convert a shadow-present SPTE to an\nMMIO SPTE due to a _guest_ write, it failed to account for writes to guest\nmemory that are outside the scope of KVM.\nE.g. if host userspace modifies a shadowed gPTE to switch from a memslot\nto emulted MMIO and then the guest hits a relevant page fault, KVM will\ninstall the MMIO SPTE without first zapping the shadow-present SPTE.\n------------[ cut here ]------------\nis_shadow_present_pte(*sptep)\nWARNING: arch/x86/kvm/mmu/mmu.c:484 at mark_mmio_spte+0xb2/0xc0 [kvm], CPU#0: vmx_ept_stale_r/4292\nModules linked in: kvm_intel kvm irqbypass\nCPU: 0 UID: 1000 PID: 4292 Comm: vmx_ept_stale_r Not tainted 7.0.0-rc2-eafebd2d2ab0-sink-vm #319 PREEMPT\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015\nRIP: 0010:mark_mmio_spte+0xb2/0xc0 [kvm]\nCall Trace:\n<TASK>\nmmu_set_spte+0x237/0x440 [kvm]\nept_page_fault+0x535/0x7f0 [kvm]\nkvm_mmu_do_page_fault+0xee/0x1f0 [kvm]\nkvm_mmu_page_fault+0x8d/0x620 [kvm]\nvmx_handle_exit+0x18c/0x5a0 [kvm_intel]\nkvm_arch_vcpu_ioctl_run+0xc55/0x1c20 [kvm]\nkvm_vcpu_ioctl+0x2d5/0x980 [kvm]\n__x64_sys_ioctl+0x8a/0xd0\ndo_syscall_64+0xb5/0x730\nentry_SYSCALL_64_after_hwframe+0x4b/0x53\nRIP: 0033:0x47fa3f\n</TASK>\n---[ end trace 0000000000000000 ]---"], "name": "CVE-2026-23401", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-01T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23401\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23401\nhttps://lore.kernel.org/linux-cve-announce/2026040108-CVE-2026-23401-956d@gregkh/T"], "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[a54aa15c6bda3ca7e2f9e040ba968a1da303e24f,aad885e774966e97b675dfe928da164214a71605)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "5.13"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,5.13)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0-rc6,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-28T09:01:29.808632+00:00", "value": {"mitigation_remediation": ["Apply the latest Linux kernel update that includes the commit fixing the MMIO SPTE handling bug.", "Consider moving virtual machines to a host running a patched kernel as an interim solution.", "If a patch cannot be applied in time, consider disabling KVM for affected workloads until the fix is available."], "summary": {"action": "Patch", "impact": "Potential Remote Code Execution in KVM hypervisor"}, "threat_synthesis": {"affected_systems": "Linux kernel versions affected include all releases up to the kernel snapshot that contains the unpatched code, as indicated by the generic CPE cpe:2.3:o:linux:linux_kernel:*:*. The affected products are all KVM\u2011enabled Linux hosts running any CPU architecture that supports the x86 MMU and EPT, specifically those compiled with the default KVM drivers kvm_intel or kvm_amd. No specific major or minor version limits are listed, so all kernels that have not incorporated the fix remain vulnerable.", "description_and_impact": "The vulnerability occurs when the Linux kernel\u2019s KVM module installs a memory\u2011mapped I/O (MMIO) shadow page table entry (SPTE) without first removing an existing shadow\u2011present SPTE. This oversight can lead to stale or invalid guest page mappings, which may expose host memory corruption paths or mis\u2011directed guest accesses. The defect falls under CWE\u2011416, indicating a use\u2011after\u2011free style fault that can be exploited to disrupt isolation between guest and host, potentially enabling arbitrary code execution or denial of service on the host.", "risk_and_exploitability": "The CVSS score of 5.5 indicates medium severity, while an EPSS score of less than 1% suggests low current exploitation likelihood, possibly due to required kernel privileges or the need for a carefully crafted VM to trigger the fault. The vulnerability is not listed in the CISA KEV catalog, indicating no publicly known exploited instances. The likely attack path involves a guest VM under a KVM hypervisor that performs a page fault on a stale mapping, causing the host to create an MMIO SPTE without clearing previous entries. If leveraged, an attacker could corrupt host memory or execute code in the host context. Mitigation requires a kernel update that introduces the patch correcting the SPTE handling logic."}}}}, "created": "2026-04-02T07:49:43.072275+00:00", "updated": "2026-04-28T09:15:09.676693+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}