CVE-2026-23215 Overview
A vulnerability has been identified in the Linux kernel's x86/vmware subsystem related to improper handling of hypercall register states. The issue manifests when the QEMU VMware mouse emulation clears the top 32 bits of the %rdi register, which the kernel uses to store valid pointers. This register corruption leads to kernel panics when the affected memory addresses are subsequently dereferenced.
The vulnerability was discovered through Fedora QA testing, which reported kernel panics characterized by page faults when attempting supervisor write access to non-present pages. The root cause lies in QEMU's vmmouse driver implementation, which saves and restores register state using a uint32_t data[6] array, inadvertently truncating 64-bit addresses to 32 bits.
Critical Impact
This vulnerability can cause kernel panics and system crashes in virtualized environments running Linux guests with VMware mouse emulation, potentially leading to denial of service conditions.
Affected Products
- Linux Kernel (x86/vmware subsystem)
- Systems using QEMU VMware mouse emulation
- Virtualized Linux environments with vmmouse driver
Discovery Timeline
- 2026-02-18 - CVE CVE-2026-23215 published to NVD
- 2026-02-18 - Last updated in NVD database
Technical Details for CVE-2026-23215
Vulnerability Analysis
This vulnerability represents a kernel-level memory corruption issue caused by improper register handling during VMware hypercalls. When the kernel invokes vmware_hypercall4() or vmware_hypercall3(), it expects the %rdi register to retain its complete 64-bit value across the hypercall boundary. However, QEMU's vmmouse driver implementation uses 32-bit integers for register state preservation, causing the upper 32 bits to be zeroed when the state is restored.
The technical manifestation occurs when a valid kernel stack address (such as 0xff5eeb3240003e54) is stored in %rdi before the hypercall. After the hypercall returns, the register contains only 0x40003e54—the lower 32 bits of the original address. When this corrupted pointer is dereferenced, it points to an invalid memory location, triggering a page fault exception that the kernel cannot handle.
The call trace indicates the issue propagates through vmmouse_report_events() → psmouse_handle_byte() → ps2_interrupt(), demonstrating that the vulnerability is triggered during normal mouse event processing in virtualized environments.
Root Cause
The root cause is a combination of two factors: QEMU's vmmouse driver using 32-bit storage (uint32_t data[6]) for register values that should be 64-bit, and the Linux kernel not marking %rdi and %rsi as clobbered registers for the affected hypercalls. While the proper fix belongs in QEMU, the kernel patch provides a workaround by explicitly marking these registers as clobbered in vmware_hypercall3() and vmware_hypercall4(), preventing the compiler from assuming these registers retain their values across the hypercall.
Attack Vector
The vulnerability is triggered locally through normal operation of the vmmouse driver in virtualized environments. While not directly exploitable for code execution, an attacker with local access could potentially trigger the condition to cause denial of service. The issue specifically affects vmware_hypercall3() and vmware_hypercall4() functions, where the compiler may keep live pointers in the %rdi or %rsi registers across the hypercall boundary.
The kernel fix works around this QEMU bug by instructing the compiler to treat %rdi and %rsi as clobbered by these hypercalls, ensuring no important state is kept in these registers. This approach has minimal impact on code generation since it's rare for the compiler to keep values live across hypercalls in these specific contexts.
Detection Methods for CVE-2026-23215
Indicators of Compromise
- Kernel panic messages containing "BUG: unable to handle page fault for address" with addresses showing truncated 64-bit values (e.g., addresses starting with 0x4000 or similar patterns suggesting upper bits cleared)
- Stack traces showing vmware_hypercall4.constprop or vmware_hypercall3 in the call chain
- Page fault error codes indicating supervisor write access to non-present pages (error_code(0x0002))
- System crashes during mouse event processing in VMware-emulated environments
Detection Strategies
- Monitor kernel logs (dmesg) for page fault exceptions occurring within VMware hypercall functions
- Implement automated log parsing to detect patterns matching the specific error signatures (RIP: 0010:vmware_hypercall4 or similar)
- Deploy kernel crash dump analysis tools to identify truncated pointer patterns in register states
- Review system stability reports for recurring crashes in virtualized Linux environments using QEMU with VMware emulation
Monitoring Recommendations
- Configure kdump or crash kernel facilities to capture memory dumps when kernel panics occur for post-incident analysis
- Set up alerting for repeated vmmouse driver failures or PS/2 interrupt handling errors
- Monitor virtual machine stability metrics, particularly focusing on guest kernel crash frequency
- Implement automated kernel version tracking to ensure patched versions are deployed across virtualized infrastructure
How to Mitigate CVE-2026-23215
Immediate Actions Required
- Apply the latest kernel patches that mark %rdi and %rsi as clobbered for vmware_hypercall3() and vmware_hypercall4() functions
- Consider disabling the vmmouse driver temporarily in affected environments by adding psmouse.proto=bare to kernel boot parameters
- Evaluate upgrading to a patched QEMU version that properly handles 64-bit register values in the vmmouse driver
- Review virtualization infrastructure to identify systems running affected kernel and QEMU combinations
Patch Information
Multiple kernel patches have been released to address this vulnerability. The fixes mark the RDI and RSI registers as clobbered for the affected hypercalls, preventing the compiler from keeping live state in these registers across the hypercall boundary. Patches are available through the following commits:
Workarounds
- Disable VMware mouse emulation in QEMU and use alternative input methods such as tablet devices or VNC pointer
- Boot affected systems with kernel parameter psmouse.proto=bare to use a basic PS/2 protocol without vmmouse features
- If possible, switch to KVM-native input device emulation instead of VMware emulation in QEMU configurations
- Consider using libvirt's <input type='tablet'> configuration instead of vmmouse for affected virtual machines
# Workaround: Disable vmmouse driver via kernel parameters
# Add to GRUB configuration or boot command line
GRUB_CMDLINE_LINUX="psmouse.proto=bare"
# After modifying /etc/default/grub, regenerate configuration
sudo grub2-mkconfig -o /boot/grub2/grub.cfg
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
