CVE-2026-43045 Overview
CVE-2026-43045 is a Linux kernel vulnerability in the Microsoft Hypervisor (mshv) subsystem. The flaw resides in the mshv_region_pin function, which incorrectly handles return values from pin_user_pages_fast(). When the kernel cannot pin all requested pages, the function may return a short pin count that the current code treats as success. This leads to partially pinned memory regions being used by the hypervisor, resulting in memory corruption. A second issue causes page reference leaks when errors occur mid-loop because already-pinned pages from the current batch are not properly accounted for before cleanup.
Critical Impact
Improper error handling in mshv_region_pin can cause kernel memory corruption and page reference leaks affecting hypervisor stability.
Affected Products
- Linux kernel versions containing the mshv (Microsoft Hypervisor) subsystem prior to the fix
- Stable kernel branches receiving the backport via commit a7d149152bc5
- Stable kernel branches receiving the backport via commit c0e296f25767
Discovery Timeline
- 2026-05-01 - CVE-2026-43045 published to NVD
- 2026-05-01 - Last updated in NVD database
Technical Details for CVE-2026-43045
Vulnerability Analysis
The vulnerability exists in the mshv_region_pin function within the Linux kernel's Microsoft Hypervisor (mshv) driver. This function pins user-space memory pages so the hypervisor can safely use them for guest virtual machine memory regions. The function relies on pin_user_pages_fast() to acquire references to the requested pages.
pin_user_pages_fast() follows a partial-success contract. It can return a positive value smaller than the number of requested pages when it successfully pins some pages but cannot pin all of them. The original mshv_region_pin implementation only checked for negative return values, treating any positive return as full success. The function then assumed all requested pages were pinned and accessible to the hypervisor.
Root Cause
Two defects compound in the same code path. First, the success check fails to compare the returned pin count against the requested count, allowing short pins to pass validation. Second, when an error path is taken mid-loop, the cleanup logic does not account for pages already pinned in the current batch before invoking mshv_region_invalidate_pages(). This produces a page reference leak because those pinned pages are never released.
Attack Vector
The affected code runs in kernel context and is reachable through the mshv interface used to manage guest memory regions. Triggering the short-pin condition requires memory pressure or fault scenarios that prevent pin_user_pages_fast() from pinning the full requested range. Successful triggering causes the hypervisor to operate on partially pinned regions, producing memory corruption, or accumulates leaked page references that exhaust kernel resources over time.
No verified public exploit code exists for this vulnerability. The two upstream patches address the issue by treating short pins as errors and fixing the partial-batch accounting before cleanup. See the Kernel Git Commit Details and Kernel Git Commit Changes for the source-level fix.
Detection Methods for CVE-2026-43045
Indicators of Compromise
- Unexpected kernel oops or panic messages referencing mshv_region_pin or mshv_region_invalidate_pages in dmesg output.
- Steady growth in pinned page counts reported by /proc/meminfo (Unevictable, Mlocked) on hosts running the mshv driver.
- Hypervisor guest instability or memory inconsistencies coinciding with host memory pressure events.
Detection Strategies
- Audit running kernels with uname -r and confirm whether commits a7d149152bc5 or c0e296f25767 are present in the source tree or distribution changelog.
- Monitor kernel ring buffer logs for warnings emitted from the mshv subsystem during VM lifecycle operations.
- Track host page pinning metrics over time and alert on sustained increases that do not correlate with active VM workloads.
Monitoring Recommendations
- Forward kernel logs to a centralized logging or SIEM platform and create alerts for mshv subsystem errors.
- Establish baselines for pinned and unevictable memory on hypervisor hosts and alert on deviations.
- Review VM provisioning failures that report memory pinning errors and correlate them with host memory pressure.
How to Mitigate CVE-2026-43045
Immediate Actions Required
- Apply the upstream kernel patches referenced in commits a7d149152bc5a9119854331c57be35ad31fdf5cc and c0e296f257671ba10249630fe58026f29e4804d9.
- Update to a distribution kernel package that includes the mshv error-handling fix once your vendor publishes it.
- Schedule maintenance windows to reboot hypervisor hosts after patching, since kernel changes require restart.
Patch Information
The fix is delivered through two upstream Linux kernel commits in the stable tree. Commit a7d149152bc5 and commit c0e296f25767 modify mshv_region_pin to treat short pin counts from pin_user_pages_fast() as errors and to correctly account for pages pinned in the current batch before invoking cleanup. Distribution maintainers will backport these commits to supported kernel branches. Verify your kernel changelog references these commit hashes before declaring systems remediated.
Workarounds
- Where patching is not immediately possible, reduce host memory pressure to lower the probability of pin_user_pages_fast() returning short counts.
- Avoid loading the mshv module on hosts that do not require Microsoft Hypervisor functionality until the kernel is updated.
- Limit the number and size of guest memory regions pinned concurrently to reduce exposure to the faulty code path.
# Verify kernel version and check for mshv module status
uname -r
lsmod | grep mshv
# Inspect kernel log for mshv subsystem errors
dmesg | grep -i mshv
# Monitor pinned and unevictable memory on hypervisor hosts
grep -E 'Unevictable|Mlocked' /proc/meminfo
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
