CVE-2026-43265 Overview
CVE-2026-43265 is a Linux kernel vulnerability in the Kernel-based Virtual Machine (KVM) x86 subsystem. The flaw resides in the handling of nested events when a virtual CPU (vCPU) exits a blocking state while an L2 guest is active. KVM did not ignore -EBUSY returns from nested event checks in vcpu_block(), which produced spurious userspace exits with KVM_EXIT_UNKNOWN. These exits could lead to virtual machine termination. Userspace processes can stuff MP_STATE or injected events to put a vCPU into an architecturally impossible state, triggering the bug. The Linux kernel maintainers have resolved the issue across multiple stable branches.
Critical Impact
A misbehaving or malicious userspace VMM can cause guest virtual machines to terminate unexpectedly, resulting in denial of service for nested virtualization workloads.
Affected Products
- Linux kernel x86 KVM subsystem
- Stable kernel branches addressed by commits 1c95777, 1e88b5f, 2657439, 78265cd, ead6364, and ec3be7d
- Hosts running nested virtualization with L2 guests
Discovery Timeline
- 2026-05-06 - CVE-2026-43265 published to NVD
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2026-43265
Vulnerability Analysis
The defect lives in the KVM x86 nested virtualization path. When a vCPU exits a blocking state while L2 (the nested guest) is active, KVM checks for nested events. If that check returned -EBUSY, KVM propagated the error to userspace as a spurious exit, typically KVM_EXIT_UNKNOWN. Most Virtual Machine Monitors (VMMs) treat unknown exits as fatal and tear down the guest. The fix instructs KVM to ignore -EBUSY in this code path and continue with the wakeup, allowing the VM to survive without major side effects.
Root Cause
The vcpu_block() function did not anticipate a vCPU being awakened in L2 with an injected exception, IRQ, or NMI, or with a nested run already pending. Architecturally these states should be impossible. However, userspace can stuff MP_STATE and injected events through KVM ioctls, forcing the vCPU into the unexpected state. The original code path treated this as an error, propagating -EBUSY outward.
Attack Vector
Exploitation requires a local userspace process with permission to issue KVM ioctls against a VM, typically the VMM hosting the guest. By manipulating MP_STATE and injecting events, the userspace process can drive the vCPU into the impossible state. The resulting KVM_EXIT_UNKNOWN propagates to the VMM, which usually responds by terminating the guest. The issue was also reachable through syzkaller-style fuzzing of the KVM ioctl interface.
No verified public exploit code is available. Refer to the upstream commits for the exact patch logic, including Kernel Patch Commit ec3be7d and Kernel Patch Commit 1c95777.
Detection Methods for CVE-2026-43265
Indicators of Compromise
- Unexpected guest VM terminations correlated with KVM_EXIT_UNKNOWN events in VMM logs (libvirt, QEMU, cloud-hypervisor).
- Kernel ring buffer messages from KVM referencing nested event handling or blocked vCPU wakeups while L2 is active.
- Repeated guest crashes on hosts running unpatched kernels with nested virtualization enabled.
Detection Strategies
- Inventory hosts running KVM with nested virtualization enabled (check /sys/module/kvm_intel/parameters/nested or /sys/module/kvm_amd/parameters/nested) and compare kernel versions against patched stable releases.
- Monitor host audit logs for unprivileged or unexpected processes issuing KVM_SET_MP_STATE and event-injection ioctls.
- Correlate VMM exit codes with host dmesg output to identify spurious KVM_EXIT_UNKNOWN patterns.
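The inventory step above can be scripted per host. The following is an added example, not code from the kernel project or the advisory source; SYSFS_ROOT and KVM_DEV are hypothetical override variables introduced here so the functions can be run against a constructed directory tree. An "exposed" result only means nested virtualization is enabled; the reported kernel version still has to be compared against the patched stable releases.

```shell
#!/bin/sh
# Added example: report this host's nested-virtualization and /dev/kvm state.
# SYSFS_ROOT and KVM_DEV are hypothetical overrides so the functions can be
# pointed at a constructed directory tree instead of the live host.
SYSFS_ROOT="${SYSFS_ROOT:-/sys}"
KVM_DEV="${KVM_DEV:-/dev/kvm}"

# nested_state MODULE -> enabled | disabled | absent | unknown
nested_state() {
    ns_param="$SYSFS_ROOT/module/$1/parameters/nested"
    [ -r "$ns_param" ] || { echo absent; return 0; }
    # The parameter reads Y/N or 1/0 depending on module and kernel version.
    case "$(tr -d '[:space:]' < "$ns_param")" in
        Y|y|1) echo enabled ;;
        N|n|0) echo disabled ;;
        *)     echo unknown ;;
    esac
}

# host_exposure -> exposed if either vendor module has nested enabled
host_exposure() {
    for he_mod in kvm_intel kvm_amd; do
        if [ "$(nested_state "$he_mod")" = enabled ]; then
            echo exposed; return 0
        fi
    done
    echo not-exposed
}

# kvm_dev_access -> "missing", or "<verdict> <owner>:<group> <octal mode>"
kvm_dev_access() {
    [ -e "$KVM_DEV" ] || { echo missing; return 0; }
    kd_mode="$(stat -c '%a' "$KVM_DEV")"
    case "$kd_mode" in
        *0) kd_verdict=restricted ;;        # no permission bits for "other"
        *)  kd_verdict=world-accessible ;;
    esac
    echo "$kd_verdict $(stat -c '%U:%G' "$KVM_DEV") $kd_mode"
}

report() {
    printf 'kernel=%s kvm_intel=%s kvm_amd=%s exposure=%s kvm_dev=%s\n' \
        "$(uname -r)" "$(nested_state kvm_intel)" "$(nested_state kvm_amd)" \
        "$(host_exposure)" "$(kvm_dev_access)"
}

report
```

The mode check does not see POSIX ACLs; run getfacl on /dev/kvm as well when auditing who can open the device.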
Monitoring Recommendations
- Forward host kernel logs and VMM telemetry to a centralized analytics platform for longitudinal review.
- Alert when guest VMs terminate with non-standard exit reasons across multiple hosts within a short window.
- Track patch compliance for the Linux kernel across the virtualization fleet using configuration management tooling.
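The multi-host alert described above can be expressed as a sliding-window count over centralized termination events. This is an added example, not part of the original advisory; the four-field event format, the host and VM names, and the function names are constructed for illustration and would need mapping to whatever the VMM and log pipeline actually emit.

```shell
#!/bin/sh
# Added example: flag bursts of KVM_EXIT_UNKNOWN guest terminations.
# Input format is constructed for this example, one event per line,
# sorted by time:  <epoch-seconds> <host> <vm> <exit-reason>

# unknown_exit_burst WINDOW_SECONDS MIN_HOSTS  (reads events on stdin)
unknown_exit_burst() {
    awk -v win="$1" -v min="$2" '
    BEGIN { head = 1 }
    $4 == "KVM_EXIT_UNKNOWN" {
        n++; ts[n] = $1 + 0; host[n] = $2
        # Slide the window: forget events older than win seconds.
        while (ts[head] < ts[n] - win) head++
        # Count distinct hosts still inside the window.
        split("", seen); hosts = 0
        for (i = head; i <= n; i++)
            if (!(host[i] in seen)) { seen[host[i]] = 1; hosts++ }
        # Alert once per burst, re-arm when the window drains below threshold.
        if (hosts >= min && !alerted) {
            printf "ALERT %d hosts within %ds ending %s\n", hosts, win, $1
            alerted = 1
        } else if (hosts < min) alerted = 0
    }'
}

# Constructed sample events (not real telemetry).
sample_events() {
    cat <<'EOF'
1700000000 hv01 vm-a KVM_EXIT_UNKNOWN
1700000050 hv01 vm-b KVM_EXIT_SHUTDOWN
1700000060 hv01 vm-f KVM_EXIT_UNKNOWN
1700000120 hv02 vm-c KVM_EXIT_UNKNOWN
1700000200 hv03 vm-d KVM_EXIT_UNKNOWN
1700005000 hv01 vm-e KVM_EXIT_UNKNOWN
EOF
}

sample_events | unknown_exit_burst 300 3
```

Repeated crashes on a single host count once toward the threshold, so the alert separates a fleet-wide pattern from one noisy hypervisor.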
How to Mitigate CVE-2026-43265
Immediate Actions Required
- Update the Linux kernel to a stable release that includes the upstream fix commits referenced in the NVD record.
- Restrict access to /dev/kvm to trusted virtualization service accounts only and audit group membership.
- Validate that VMM processes run under least-privilege accounts and cannot be steered by lower-privilege workloads.
Patch Information
The Linux kernel maintainers fixed the issue across multiple stable branches. Apply the patch corresponding to your kernel series: Kernel Patch Commit 1c95777, Kernel Patch Commit 1e88b5f, Kernel Patch Commit 2657439, Kernel Patch Commit 78265cd, Kernel Patch Commit ead6364, and Kernel Patch Commit ec3be7d.
Workarounds
- Disable nested virtualization on hosts that do not require it by setting the nested module parameter to 0 for kvm_intel or kvm_amd.
- Limit which userspace components can call KVM_SET_MP_STATE and event-injection ioctls through SELinux, AppArmor, or seccomp policies.
- Reboot guests on a controlled schedule to ensure VMMs run on patched host kernels before resuming nested workloads.
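# Disable nested virtualization on Intel hosts until patched kernels are deployed
# (on AMD hosts, substitute kvm_amd for kvm_intel throughout)
# Unloading the module fails while any VM is running; stop or migrate guests first
sudo modprobe -r kvm_intel
# Persist the setting so it survives module reloads and reboots
echo "options kvm_intel nested=0" | sudo tee /etc/modprobe.d/kvm-nested.conf
sudo modprobe kvm_intel
cat /sys/module/kvm_intel/parameters/nested # Expect: N or 0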


