CVE-2026-53277: Linux Kernel Privilege Escalation Flaw

CVE-2026-53277 is a privilege escalation vulnerability in the Linux kernel affecting KVM arm64 page table walks. A guest able to reach the affected code paths could potentially corrupt host kernel state. This article covers technical details, impact, and mitigations.

CVE-2026-53277 Overview

CVE-2026-53277 is a Linux kernel vulnerability in the KVM (Kernel-based Virtual Machine) subsystem for arm64. The flaw resides in fault injection and Address Translation (AT) emulation code paths. Specifically, __kvm_at_s12() and __kvm_find_s1_desc_level() invoke the page table walkers walk_s1() and kvm_walk_nested_s2() without holding the kvm->srcu lock. These walkers require SRCU protection to guard against concurrent memslot changes. The fix acquires kvm->srcu before invoking the walkers in both call sites.

Critical Impact

Concurrent memslot modifications during unprotected page table walks can lead to memory safety issues within KVM nested virtualization on arm64 hosts.

Affected Products

  • Linux kernel (arm64 KVM subsystem)
  • Kernel versions containing __kvm_at_s12() and __kvm_find_s1_desc_level() prior to the referenced stable commits
  • Distributions shipping affected stable kernel branches

Discovery Timeline

  • 2026-06-25 - CVE-2026-53277 published to NVD
  • 2026-06-25 - Last updated in NVD database

Technical Details for CVE-2026-53277

Vulnerability Analysis

The Linux kernel's arm64 KVM implementation supports nested virtualization with Stage-1 and Stage-2 page table walks. The functions walk_s1() and kvm_walk_nested_s2() traverse guest page tables to translate intermediate physical addresses. These walkers consult KVM memslots during traversal. Memslots can be modified by userspace via VM ioctls, so walkers must run inside an SRCU (Sleepable Read-Copy-Update) read-side critical section to observe a consistent view.

Two call sites violated this contract. __kvm_at_s12() implements Address Translation instruction emulation for nested guests. __kvm_find_s1_desc_level() supports fault injection by locating the descriptor level for a faulting address. Both invoked the walkers without first calling srcu_read_lock(&kvm->srcu), leaving the traversal exposed to concurrent memslot updates.

Root Cause

The root cause is a missing synchronization primitive [CWE-667]. The walkers document an SRCU precondition that the two callers did not honor. A concurrent memslot update on another vCPU thread could free or reshape the memslot array while the walker dereferences it, producing inconsistent results or memory corruption.
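To make the contract concrete, here is an added stand-alone C model (not kernel code and not taken from the upstream commits) of a walker that refuses to run outside an SRCU read-side section, the way a lockdep check under CONFIG_PROVE_RCU would flag it, beside an unprotected caller like the affected call sites and the fixed caller that takes the lock around the walk. All struct and function names and the memslot values are constructed for this example.

```c
#include <stddef.h>
#include <errno.h>

/* Constructed model of a memslot array; not the kernel's data structures. */
struct memslot { unsigned long base_ipa, npages, host_pfn; };

struct kvm_model {
    struct memslot *slots;   /* array an updater may replace concurrently */
    size_t nslots;
    int srcu_readers;        /* stands in for srcu_read_lock_held() */
};

static int srcu_read_lock(struct kvm_model *kvm) { return ++kvm->srcu_readers; }
static void srcu_read_unlock(struct kvm_model *kvm) { kvm->srcu_readers--; }

/* Walker contract: the caller must hold the SRCU read side. Returns -EINVAL
 * when it does not (the condition a lockdep splat would report), -ENOENT when
 * no slot covers the IPA, otherwise 0 with the host pfn of the page. */
static int kvm_walk_nested_s2(struct kvm_model *kvm, unsigned long ipa,
                              unsigned long *pfn)
{
    if (kvm->srcu_readers <= 0)
        return -EINVAL;
    for (size_t i = 0; i < kvm->nslots; i++) {
        struct memslot *s = &kvm->slots[i];
        if (ipa >= s->base_ipa && ipa < s->base_ipa + s->npages * 4096UL) {
            *pfn = s->host_pfn + (ipa - s->base_ipa) / 4096UL;
            return 0;
        }
    }
    return -ENOENT;
}

/* Caller shaped like the affected call sites before the fix: no SRCU. */
static int at_s12_unlocked(struct kvm_model *kvm, unsigned long ipa, unsigned long *pfn)
{
    return kvm_walk_nested_s2(kvm, ipa, pfn);
}

/* Fixed caller: bracket the walk with the SRCU read-side section. */
static int at_s12_locked(struct kvm_model *kvm, unsigned long ipa, unsigned long *pfn)
{
    srcu_read_lock(kvm);
    int ret = kvm_walk_nested_s2(kvm, ipa, pfn);
    srcu_read_unlock(kvm);
    return ret;
}

/* Constructed sample: 1 MiB of guest memory at IPA 1 GiB, 64 KiB at 2 GiB. */
static struct memslot sample_slots[] = {
    { 0x40000000UL, 256, 0x80000UL },
    { 0x80000000UL, 16,  0x90000UL },
};
static struct kvm_model sample_kvm(void)
{
    struct kvm_model kvm = { sample_slots, 2, 0 };
    return kvm;
}
```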

Attack Vector

Exploitation requires the ability to execute guest code or trigger AT emulation and fault injection paths from within a KVM guest on an arm64 host. A malicious or compromised guest with nested virtualization features available could race memslot updates against page table walks to corrupt host kernel state. The vulnerability is local to the virtualization boundary and does not expose a network-reachable surface.

The upstream fix is contained in commits 97706097f9b8, ec42b4ed1b07, and f2ca45b50d42. See the kernel.org commit references for the exact diff.

Detection Methods for CVE-2026-53277

Indicators of Compromise

  • No public indicators of compromise have been reported for CVE-2026-53277.
  • Unexpected KVM host crashes, RCU stall warnings, or BUG: messages referencing walk_s1 or kvm_walk_nested_s2 may indicate triggering of the unsynchronized path.

Detection Strategies

  • Inventory arm64 hypervisor hosts and compare running kernel versions against the patched stable commits referenced above.
  • Audit kernel build logs and distribution advisories for inclusion of the SRCU lock fix in KVM arm64 sources.
  • Monitor dmesg and host kernel logs for lockdep splats or KASAN reports involving KVM page table walk functions.

Monitoring Recommendations

  • Enable CONFIG_PROVE_RCU and CONFIG_LOCKDEP on test kernels to surface SRCU contract violations in pre-production.
  • Centralize host kernel logs and alert on KVM-related oops, warning, or stall signatures.
  • Track CVE feeds and vendor advisories for the affected arm64 distributions used in the fleet.

How to Mitigate CVE-2026-53277

Immediate Actions Required

  • Apply the upstream stable kernel updates that contain commits 97706097f9b8, ec42b4ed1b07, and f2ca45b50d42 on all arm64 KVM hosts.
  • Prioritize patching arm64 hosts that run untrusted guests or expose nested virtualization to tenants.
  • Restrict guest creation and ioctl access on hypervisors that cannot be patched immediately.

Patch Information

The fix acquires kvm->srcu prior to invoking walk_s1() and kvm_walk_nested_s2() from __kvm_at_s12() and __kvm_find_s1_desc_level(). Patch details are available in the upstream commits: 97706097f9b8, ec42b4ed1b07, and f2ca45b50d42.

Workarounds

  • Disable nested virtualization on arm64 KVM hosts where the feature is not required.
  • Limit which principals can create KVM guests or issue AT emulation triggering operations until patches are applied.
  • Reboot hosts after patch installation to ensure the updated kernel is active.

```bash
# Verify the running kernel on an arm64 host
uname -r
# On arm64, KVM is built into the kernel image rather than loaded as a module,
# so modinfo reports no "kvm" module there; the check only applies where a module exists
modinfo kvm 2>/dev/null | grep -E 'version|srcversion'
# Confirm the fix is present in the source tree before building. Full hashes are
# printed (%H) because --oneline may abbreviate to fewer than 12 characters, and the
# commit body (%b) is searched because stable backports reference the upstream id there
git log --format='%H %s%n%b' arch/arm64/kvm/ | grep -E '97706097f9b8|ec42b4ed1b07|f2ca45b50d42'
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
