CVE-2026-43351 Overview
CVE-2026-43351 is a Linux kernel vulnerability in the KVM (Kernel-based Virtual Machine) subsystem on arm64 architectures. The flaw resides in the Virtual Generic Interrupt Controller (vGIC) creation path. When vgic_allocate_private_irqs_locked() fails, kvm_vgic_create() exits early and leaves the distributor's rd_regions field uninitialized. A subsequent call to kvm_vgic_dist_destroy() then attempts to free these uninitialized redistributor regions, resulting in kernel memory corruption or denial of service. The vulnerability requires local access with low privileges and affects the integrity of the host kernel.
Critical Impact
A local user with the ability to create KVM virtual machines can trigger a high-availability impact through uninitialized memory dereference in the host kernel's vGIC teardown path.
Affected Products
- Linux Kernel 6.14 (including rc3 through rc7 release candidates)
- Linux Kernel 7.0 (rc1, rc2, rc3 release candidates)
- Linux kernels running KVM on arm64 architectures with vGIC enabled
Discovery Timeline
- 2026-05-08 - CVE-2026-43351 published to NVD
- 2026-05-15 - Last updated in NVD database
Technical Details for CVE-2026-43351
Vulnerability Analysis
The vulnerability exists in the arm64 KVM vGIC initialization logic. The kvm_vgic_create() function performs guest virtual interrupt controller setup, including private interrupt allocation through vgic_allocate_private_irqs_locked(). When this private IRQ allocation fails, the function returns early without initializing the dist->rd_regions field of the distributor structure.
Later, when teardown logic invokes kvm_vgic_dist_destroy(), the destructor walks the uninitialized rd_regions pointer and attempts to free memory at indeterminate addresses. This results in kernel-mode access to memory that was never set up by the allocator, producing undefined behavior and potential availability loss.
The upstream fix moves all static initialization earlier in kvm_vgic_create() to ensure the distributor structure is in a consistent state before any failure path can be taken. The patch also resets the vGIC model on failure so partial state cannot mislead the destroy path.
Root Cause
The root cause is an initialization-order defect [NVD-CWE-noinfo]. Static distributor fields are set up after fallible allocation operations rather than before them. An early failure leaves data structures in a state where destructor code assumes initialization but encounters uninitialized memory.
Attack Vector
A local, low-privileged user must have permission to create KVM virtual machines, typically through /dev/kvm access. The attacker triggers the failure path in vgic_allocate_private_irqs_locked(), for example by exhausting kernel resources, and then forces vGIC teardown. The impact is host kernel instability, including panic and denial of service. No code execution or information disclosure has been demonstrated.
No public proof-of-concept or exploit code is available for this vulnerability.
Detection Methods for CVE-2026-43351
Indicators of Compromise
- Unexpected kernel oops or panic messages referencing kvm_vgic_dist_destroy or vgic symbols in host dmesg output
- Repeated KVM ioctl failures from unprivileged or low-privileged user accounts followed by host instability
- Virtual machine creation attempts that consistently fail during interrupt controller setup
Detection Strategies
- Monitor host kernel logs for crashes referencing the vGIC subsystem on arm64 hosts running affected 6.14 or 7.0 kernels
- Audit users and processes invoking KVM_CREATE_DEVICE and KVM_DEV_TYPE_ARM_VGIC_* ioctls
- Track virtual machine lifecycle events that show abnormal creation-then-destruction patterns from the same UID
Monitoring Recommendations
- Enable kernel crash dump collection on arm64 KVM hosts so vGIC-related panics can be analyzed
- Forward host kernel logs to a centralized log platform and alert on BUG, Oops, or general protection fault events tagged with KVM symbols
- Restrict and audit membership of the kvm group and any other groups granting /dev/kvm access
How to Mitigate CVE-2026-43351
Immediate Actions Required
- Apply the upstream Linux kernel patches referenced in the Kernel Git Commit a24f1d80, Kernel Git Commit ac6769c8, and Kernel Git Commit b7493f48 trees
- Restrict /dev/kvm access to trusted administrators on arm64 hosts until patches are deployed
- Inventory all arm64 hypervisor hosts running kernel 6.14.x or 7.0 release candidates and prioritize them for patching
Patch Information
Fixes are merged into the mainline Linux kernel and the stable trees. The patches move static initialization of dist->rd_regions and related fields to the start of kvm_vgic_create() and reset the vGIC model on failure. Reference the three commit logs in the vendor advisories for the precise code changes and apply the appropriate stable backport for your kernel branch.
Workarounds
- Disable KVM functionality on arm64 hosts where virtualization is not required by unloading or blacklisting the kvm module
- Remove user accounts from the kvm group to prevent unprivileged virtual machine creation until the kernel is updated
- Use mandatory access control policies such as SELinux or AppArmor to restrict which processes may open /dev/kvm
# Configuration example: restrict KVM access on arm64 hosts pending patch deployment
sudo chmod 0660 /dev/kvm
sudo chown root:kvm /dev/kvm
# Audit current members of the kvm group
getent group kvm
# Verify running kernel version on arm64 hosts
uname -rm
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
