{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23425", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:46.015Z", "datePublished": "2026-04-03T13:24:33.384Z", "dateUpdated": "2026-04-03T13:24:33.384Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-04-03T13:24:33.384Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: arm64: Fix ID register initialization for non-protected pKVM guests\n\nIn protected mode, the hypervisor maintains a separate instance of\nthe `kvm` structure for each VM. For non-protected VMs, this structure is\ninitialized from the host's `kvm` state.\n\nCurrently, `pkvm_init_features_from_host()` copies the\n`KVM_ARCH_FLAG_ID_REGS_INITIALIZED` flag from the host without the\nunderlying `id_regs` data being initialized. This results in the\nhypervisor seeing the flag as set while the ID registers remain zeroed.\n\nConsequently, `kvm_has_feat()` checks at EL2 fail (return 0) for\nnon-protected VMs. This breaks logic that relies on feature detection,\nsuch as `ctxt_has_tcrx()` for TCR2_EL1 support. As a result, certain\nsystem registers (e.g., TCR2_EL1, PIR_EL1, POR_EL1) are not\nsaved/restored during the world switch, which could lead to state\ncorruption.\n\nFix this by explicitly copying the ID registers from the host `kvm` to\nthe hypervisor `kvm` for non-protected VMs during initialization, since\nwe trust the host with its non-protected guests' features. Also ensure\n`KVM_ARCH_FLAG_ID_REGS_INITIALIZED` is cleared initially in\n`pkvm_init_features_from_host` so that `vm_copy_id_regs` can properly\ninitialize them and set the flag once done."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["arch/arm64/kvm/hyp/nvhe/pkvm.c"], "versions": [{"version": "41d6028e28bd474298ff10409c292ec46cf43a90", "lessThan": "bce3847f7c51b86332bf2e554c9e80ca3820f16c", "status": "affected", "versionType": "git"}, {"version": "41d6028e28bd474298ff10409c292ec46cf43a90", "lessThan": "858620655c1fbff05997e162fc7d83a3293d5142", "status": "affected", "versionType": "git"}, {"version": "41d6028e28bd474298ff10409c292ec46cf43a90", "lessThan": "7e7c2cf0024d89443a7af52e09e47b1fe634ab17", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["arch/arm64/kvm/hyp/nvhe/pkvm.c"], "versions": [{"version": "6.14", "status": "affected"}, {"version": "0", "lessThan": "6.14", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.17", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.7", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0-rc2", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.14", "versionEndExcluding": "6.18.17"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.14", "versionEndExcluding": "6.19.7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.14", "versionEndExcluding": "7.0-rc2"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/bce3847f7c51b86332bf2e554c9e80ca3820f16c"}, {"url": "https://git.kernel.org/stable/c/858620655c1fbff05997e162fc7d83a3293d5142"}, {"url": "https://git.kernel.org/stable/c/7e7c2cf0024d89443a7af52e09e47b1fe634ab17"}], "title": "KVM: arm64: Fix ID register initialization for non-protected pKVM guests", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: arm64: Fix ID register initialization for non-protected pKVM guests\n\nIn protected mode, the hypervisor maintains a separate instance of\nthe `kvm` structure for each VM. For non-protected VMs, this structure is\ninitialized from the host's `kvm` state.\n\nCurrently, `pkvm_init_features_from_host()` copies the\n`KVM_ARCH_FLAG_ID_REGS_INITIALIZED` flag from the host without the\nunderlying `id_regs` data being initialized. This results in the\nhypervisor seeing the flag as set while the ID registers remain zeroed.\n\nConsequently, `kvm_has_feat()` checks at EL2 fail (return 0) for\nnon-protected VMs. This breaks logic that relies on feature detection,\nsuch as `ctxt_has_tcrx()` for TCR2_EL1 support. As a result, certain\nsystem registers (e.g., TCR2_EL1, PIR_EL1, POR_EL1) are not\nsaved/restored during the world switch, which could lead to state\ncorruption.\n\nFix this by explicitly copying the ID registers from the host `kvm` to\nthe hypervisor `kvm` for non-protected VMs during initialization, since\nwe trust the host with its non-protected guests' features. Also ensure\n`KVM_ARCH_FLAG_ID_REGS_INITIALIZED` is cleared initially in\n`pkvm_init_features_from_host` so that `vm_copy_id_regs` can properly\ninitialize them and set the flag once done."}], "id": "CVE-2026-23425", "lastModified": "2026-04-03T16:10:23.730", "metrics": {}, "published": "2026-04-03T14:16:28.747", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/7e7c2cf0024d89443a7af52e09e47b1fe634ab17"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/858620655c1fbff05997e162fc7d83a3293d5142"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/bce3847f7c51b86332bf2e554c9e80ca3820f16c"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: KVM: arm64: Fix ID register initialization for non-protected pKVM guests", "id": "2454778", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2454778"}, "csaw": false, "cwe": "CWE-909", "details": ["A flaw was found in the Linux kernel's KVM (Kernel-based Virtual Machine) for ARM64 architectures. This vulnerability arises from improper initialization of ID registers for non-protected pKVM (protected KVM) guests. A malicious guest operating system could exploit this by causing the hypervisor, the software that manages virtual machines, to fail in saving and restoring critical system registers during virtual machine context switches. This could lead to state corruption within the virtual machine, potentially affecting its stability and integrity."], "name": "CVE-2026-23425", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-03T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23425\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23425\nhttps://lore.kernel.org/linux-cve-announce/2026040305-CVE-2026-23425-80db@gregkh/T"]}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[41d6028e28bd474298ff10409c292ec46cf43a90,bce3847f7c51b86332bf2e554c9e80ca3820f16c)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[41d6028e28bd474298ff10409c292ec46cf43a90,858620655c1fbff05997e162fc7d83a3293d5142)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[41d6028e28bd474298ff10409c292ec46cf43a90,7e7c2cf0024d89443a7af52e09e47b1fe634ab17)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "6.14"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,6.14)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.17,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.7,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0-rc2,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-03T16:36:12.805737+00:00", "value": {"mitigation_remediation": ["Upgrade the Linux kernel to a version that contains the KVM-arm64 ID register initialization fix.", "Verify that the KVM component for Arm64 is compiled with the latest kernel sources that include the patch.", "Restart the host to load the new kernel and optionally restart any affected virtual machines.", "Monitor guest stability to ensure system registers are correctly saved and restored during world switches."], "summary": {"action": "Apply patch", "impact": "State corruption"}, "threat_synthesis": {"affected_systems": "The issue is present on Linux systems that use the KVM virtualisation stack for Arm64 guests, specifically those hosting non-protected VMs. Any Linux kernel that incorporates the affected code path is affected; the exact kernel versions are not listed in the data, so a manual check of the kernel version against the commit that introduced the fix is required.\n", "description_and_impact": "The vulnerability affects the Arm64 KVM hypervisor in the Linux kernel. When a non-protected guest is started, the function that copies the host's kvm structure mistakenly copies a flag indicating that ID registers have already been initialized without copying the register data itself. As a consequence the hypervisor believes the registers are ready and skips saving and restoring them during subsequent world switches. This oversight can cause guest state corruption when features such as TCR2_EL1, PIR_EL1 or POR_EL1 are used, potentially altering the guest\u2019s view of system registers.\n", "risk_and_exploitability": "The flaw does not provide a clear remote code execution path, but it can lead to inconsistent register state inside the guest when the host and guest coordinate through virtualisation. With the lack of a CVSS score or EPSS value, the measurable risk appears moderate, and the vulnerability is not listed in the KEV catalogue. The likely vector involves a misbehaving guest or a trusted attacker with local privileged access to the host who could trigger the misuse of skip-register-save logic during a context switch. This inference is based on the description, as the attack vector is not explicitly documented."}}}}, "created": "2026-04-03T21:14:13.840139+00:00", "updated": "2026-04-03T21:16:29.539106+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"], "weaknesses": ["CWE-665"]}