CVE-2026-23402 Overview
A vulnerability has been identified in the Linux kernel's KVM (Kernel-based Virtual Machine) x86/mmu subsystem related to the handling of shadow-present SPTEs (Shadow Page Table Entries). The issue occurs in KVM's sanity check mechanism when overwriting a shadow-present SPTE with another SPTE that has a different target PFN (Page Frame Number). While KVM properly tracks guest writes, writes from outside the scope of KVM, such as those from host userspace, are not detected by KVM's write tracking mechanism. This can lead to violations of KVM's shadow paging rules.
The vulnerability specifically affects direct MMUs (Memory Management Units) that do not have shadowed guest page tables. When exploited, this flaw can cause kernel warnings and potentially disrupt virtual machine operations by triggering unexpected behavior in the memory management unit.
Critical Impact
Host userspace writes can bypass KVM's write tracking mechanism, potentially breaking shadow paging rules and causing kernel warnings during virtual machine execution.
Affected Products
- Linux Kernel (KVM x86/mmu subsystem)
- Systems running KVM virtualization with Intel VMX/EPT
Discovery Timeline
- 2026-04-01 - CVE CVE-2026-23402 published to NVD
- 2026-04-02 - Last updated in NVD database
Technical Details for CVE-2026-23402
Vulnerability Analysis
The vulnerability resides in the KVM x86/mmu subsystem, specifically in the mmu_set_spte function located at arch/x86/kvm/mmu/mmu.c. The core issue stems from KVM's sanity check that validates whether a shadow-present SPTE is being overwritten with another SPTE containing a different target PFN.
Under normal operation, KVM's write tracking mechanism detects guest writes and handles SPTE updates appropriately. However, this tracking does not extend to writes originating from outside KVM's scope, particularly those from host userspace. When such writes occur, they can modify memory in ways that violate KVM's shadow paging assumptions.
The fix adjusts the sanity check to only apply to direct MMUs (those without shadowed guest page tables), recognizing that indirect MMUs may legitimately encounter this scenario due to host userspace activity. The kernel warning message indicates the specific condition being violated: pfn != spte_to_pfn(*sptep).
Root Cause
The root cause is an overly broad sanity check in KVM's MMU code that triggers warnings for SPTE overwrites in scenarios that are actually valid for indirect MMUs. The original implementation assumed all SPTE overwrites with different PFNs were invalid, but this assumption only holds true for direct MMUs where KVM has complete visibility into all page table modifications. For indirect MMUs with shadowed guest page tables, host userspace writes can legitimately cause this condition without representing a security violation.
Attack Vector
The attack vector involves host userspace making memory writes that are not tracked by KVM's write tracking infrastructure. When a virtual machine subsequently triggers an EPT (Extended Page Tables) page fault, the ept_page_fault handler processes the fault and eventually calls mmu_set_spte. At this point, the sanity check detects a PFN mismatch between the existing SPTE and the new SPTE being written.
The call trace demonstrates the execution flow:
- entry_SYSCALL_64_after_hwframe - System call entry
- kvm_vcpu_ioctl - VCPU ioctl handling
- kvm_arch_vcpu_ioctl_run - VCPU run loop
- vmx_handle_exit - VMX exit handling
- kvm_mmu_page_fault - MMU page fault handling
- ept_page_fault - EPT-specific page fault processing
- mmu_set_spte - Where the warning triggers
Detection Methods for CVE-2026-23402
Indicators of Compromise
- Kernel warning messages containing pfn != spte_to_pfn(*sptep) in system logs
- Warnings originating from mmu_set_spte function in the KVM module
- Unexpected SPTE-related warnings during virtual machine operation with EPT enabled
Detection Strategies
- Monitor kernel logs (dmesg, /var/log/kern.log) for warnings from the KVM module, specifically from arch/x86/kvm/mmu/mmu.c
- Implement syslog forwarding rules to capture and alert on KVM MMU-related kernel warnings
- Use kernel tracing tools (ftrace, eBPF) to monitor mmu_set_spte function calls and detect anomalous behavior
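The log-based detection above, as an added example that is not part of this advisory: a small Python scanner that walks dmesg-style output, picks out a WARN raised from mmu_set_spte (or anywhere in arch/x86/kvm/mmu/mmu.c), records whether the pfn != spte_to_pfn(*sptep) condition appears, and collects the call-trace frames so an alert can be checked against the EPT page-fault chain listed in this advisory. The sample log text, the stack offsets and the mmu.c line number are constructed for the example.

```python
import re
from dataclasses import dataclass, field
# Constructed dmesg-style excerpt (not a real capture): one WARN from mmu_set_spte with
# the call chain this advisory lists, then an unrelated KVM message that must not be flagged.
SAMPLE_DMESG = """\
[ 1234.567890] WARNING: CPU: 3 PID: 4242 at arch/x86/kvm/mmu/mmu.c:1234 mmu_set_spte+0x3a1/0x420 [kvm]
[ 1234.567891] pfn != spte_to_pfn(*sptep)
[ 1234.567901] Call Trace:
[ 1234.567905]  ept_page_fault+0x2b4/0x5a0 [kvm]
[ 1234.567910]  kvm_mmu_page_fault+0x1c2/0x3f0 [kvm]
[ 1234.567915]  vmx_handle_exit+0x1a5/0x640 [kvm_intel]
[ 1234.567920]  kvm_arch_vcpu_ioctl_run+0x8d1/0x1b20 [kvm]
[ 1234.567925]  kvm_vcpu_ioctl+0x2f1/0x6a0 [kvm]
[ 1234.567930]  entry_SYSCALL_64_after_hwframe+0x6e/0xd8
[ 1234.567935] ---[ end trace 0000000000000000 ]---
[ 1300.000001] kvm: vcpu 0 unhandled rdmsr: 0x4e
"""
TS_RE = re.compile(r"^\[\s*\d+\.\d+\]\s?")
WARN_RE = re.compile(r"WARNING: CPU: (\d+) PID: (\d+) at (\S+) (\S+?)\+0x")
FRAME_RE = re.compile(r"^\s*([A-Za-z_]\w*)\+0x[0-9a-f]+/0x[0-9a-f]+")
CONDITION = "pfn != spte_to_pfn(*sptep)"          # condition named in the advisory
EPT_PATH = ("ept_page_fault", "kvm_mmu_page_fault", "kvm_vcpu_ioctl")
@dataclass
class SpteAlert:
    cpu: int
    pid: int
    location: str                    # file:line from the WARNING header
    frames: list = field(default_factory=list)
    condition_seen: bool = False
    def ept_fault_path(self) -> bool:
        # True when the trace shows the EPT page-fault chain described for this CVE
        return all(f in self.frames for f in EPT_PATH)

def scan_dmesg(text: str) -> list:
    # Return one SpteAlert per KVM MMU WARN block found in a dmesg-style text
    alerts, current = [], None
    for raw in text.splitlines():
        line = TS_RE.sub("", raw)
        m = WARN_RE.search(line)
        if m and (m.group(4) == "mmu_set_spte" or "kvm/mmu/mmu.c" in m.group(3)):
            current = SpteAlert(int(m.group(1)), int(m.group(2)), m.group(3))
            alerts.append(current)
        elif current is None:
            continue                 # not inside a KVM MMU warning block
        elif CONDITION in line:
            current.condition_seen = True
        elif line.startswith("---[ end trace"):
            current = None           # block closed; later lines belong to no alert
        elif (f := FRAME_RE.match(line)):
            current.frames.append(f.group(1))
    return alerts
```

Feed it `dmesg` output or the kernel log file named above; an alert whose `ept_fault_path()` is true and whose `condition_seen` is set matches the indicators for this CVE.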
Monitoring Recommendations
- Configure centralized logging to aggregate kernel messages from all KVM hosts for correlation analysis
- Implement alerting for any KVM module warnings that indicate SPTE consistency violations
- Monitor virtual machine stability metrics to detect potential impacts from this vulnerability
How to Mitigate CVE-2026-23402
Immediate Actions Required
- Update the Linux kernel to a patched version that includes the fix for this vulnerability
- Review host userspace applications that interact with memory regions used by virtual machines
- Monitor systems for kernel warnings while awaiting patch deployment
Patch Information
The vulnerability has been resolved in the Linux kernel through multiple commits that adjust the sanity check to only warn for direct MMUs. The following kernel commits address this issue:
Organizations should apply these patches by updating to a kernel version that includes these fixes.
Workarounds
- Restrict host userspace access to memory regions actively used by virtual machines until the kernel is patched
- Limit KVM-related ioctl access to trusted processes to reduce the attack surface
- Consider temporarily disabling EPT on affected systems if experiencing significant issues, though this will impact performance
# Check current kernel version
uname -r
# Verify KVM module version
modinfo kvm | grep -E "^version|^filename"
# Monitor for SPTE-related warnings
dmesg | grep -iE "mmu_set_spte|spte_to_pfn"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.