CVE-2026-46071 - Vulnerability Details - OpenCVE

In the Linux kernel, the following vulnerability has been resolved: KVM: nSVM: Avoid clearing VMCB_LBR in vmcb12 svm_copy_lbrs() always marks VMCB_LBR dirty in the destination VMCB. However, nested_svm_vmexit() uses it to copy LBRs to vmcb12, and clearing clean bits in vmcb12 is not architecturally defined. Move vmcb_mark_dirty() to callers and drop it for vmcb12. This also facilitates incoming refactoring that does not pass the entire VMCB to svm_copy_lbrs().

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

Vendors	Products
Linux	Linux Kernel

No data.

No data.

No data.

References

Link	Providers
https://git.kernel.org/stable/c/9efe23568806d1cd06f7d146f9b3037b8d585a9f
https://git.kernel.org/stable/c/a3f0981a5a0e0bd51ad74cc7d9eed32294b24002
https://git.kernel.org/stable/c/b53ab5167a81537777ac780bbd93d32613aa3bda

History

Wed, 27 May 2026 14:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: KVM: nSVM: Avoid clearing VMCB_LBR in vmcb12 svm_copy_lbrs() always marks VMCB_LBR dirty in the destination VMCB. However, nested_svm_vmexit() uses it to copy LBRs to vmcb12, and clearing clean bits in vmcb12 is not architecturally defined. Move vmcb_mark_dirty() to callers and drop it for vmcb12. This also facilitates incoming refactoring that does not pass the entire VMCB to svm_copy_lbrs().
Title		KVM: nSVM: Avoid clearing VMCB_LBR in vmcb12
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/9efe23568806d1cd06f7d146f9b3037b8d585a9f https://git.kernel.org/stable/c/a3f0981a5a0e0bd51ad74cc7d9eed32294b24002 https://git.kernel.org/stable/c/b53ab5167a81537777ac780bbd93d32613aa3bda

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-27T12:57:57.316Z

Updated: 2026-05-27T12:57:57.316Z

Reserved: 2026-05-13T15:03:33.095Z

Link: CVE-2026-46071

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-27T14:17:28.397

Modified: 2026-05-27T14:48:03.013

Link: CVE-2026-46071

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-46071", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-05-13T15:03:33.095Z", "datePublished": "2026-05-27T12:57:57.316Z", "dateUpdated": "2026-05-27T12:57:57.316Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-27T12:57:57.316Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: nSVM: Avoid clearing VMCB_LBR in vmcb12\n\nsvm_copy_lbrs() always marks VMCB_LBR dirty in the destination VMCB.\nHowever, nested_svm_vmexit() uses it to copy LBRs to vmcb12, and\nclearing clean bits in vmcb12 is not architecturally defined.\n\nMove vmcb_mark_dirty() to callers and drop it for vmcb12.\n\nThis also facilitates incoming refactoring that does not pass the entire\nVMCB to svm_copy_lbrs()."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["arch/x86/kvm/svm/nested.c", "arch/x86/kvm/svm/svm.c"], "versions": [{"version": "d20c796ca3709801f8a7fa36e8770a3dd8ebd34e", "lessThan": "a3f0981a5a0e0bd51ad74cc7d9eed32294b24002", "status": "affected", "versionType": "git"}, {"version": "d20c796ca3709801f8a7fa36e8770a3dd8ebd34e", "lessThan": "9efe23568806d1cd06f7d146f9b3037b8d585a9f", "status": "affected", "versionType": "git"}, {"version": "d20c796ca3709801f8a7fa36e8770a3dd8ebd34e", "lessThan": "b53ab5167a81537777ac780bbd93d32613aa3bda", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["arch/x86/kvm/svm/nested.c", "arch/x86/kvm/svm/svm.c"], "versions": [{"version": "5.19", "status": "affected"}, {"version": "0", "lessThan": "5.19", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.27", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0.4", "lessThanOrEqual": "7.0.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.1-rc1", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.19", "versionEndExcluding": "6.18.27"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.19", "versionEndExcluding": "7.0.4"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.19", "versionEndExcluding": "7.1-rc1"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/a3f0981a5a0e0bd51ad74cc7d9eed32294b24002"}, {"url": "https://git.kernel.org/stable/c/9efe23568806d1cd06f7d146f9b3037b8d585a9f"}, {"url": "https://git.kernel.org/stable/c/b53ab5167a81537777ac780bbd93d32613aa3bda"}], "title": "KVM: nSVM: Avoid clearing VMCB_LBR in vmcb12", "x_generator": {"engine": "bippy-1.2.0"}}}}