Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-53359

CVE-2026-53359: Linux Kernel Use-After-Free Vulnerability

CVE-2026-53359 is a use-after-free flaw in Linux kernel KVM x86 shadow paging caused by role mismatches in page table handling. This vulnerability can lead to memory corruption. This article covers technical details.

Published:

CVE-2026-53359 Overview

CVE-2026-53359 is a use-after-free vulnerability in the Linux kernel's Kernel-based Virtual Machine (KVM) subsystem for x86. The flaw resides in the shadow paging logic, where kvm_mmu_get_child_sp() fails to compare the role of a reused kvm_mmu_page structure. When a guest Page Directory Entry (PDE) is modified from outside the guest and the mapping transitions from a 2MB large page (direct=1) to a 4KB page (direct=0), stale reverse map (rmap) entries persist after the underlying shadow page is freed. Subsequent memslot deletion followed by dirty logging or Memory Management Unit (MMU) notifier walks dereferences a freed sptep, triggering the use-after-free [CWE-416].

Critical Impact

A local attacker with the ability to modify guest PDE mappings and manipulate memslots can trigger a kernel use-after-free, leading to memory corruption, denial of service, or potential privilege escalation on the host.

Affected Products

  • Linux kernel (KVM x86 subsystem) — stable branches referenced in kernel.org commits
  • Distributions shipping vulnerable KVM x86 code prior to backported fixes
  • Virtualization hosts running affected Linux kernel versions with KVM enabled

Discovery Timeline

  • 2026-07-04 - CVE-2026-53359 published to the National Vulnerability Database (NVD)
  • 2026-07-06 - Advisory posted to the Openwall OSS-Security mailing list
  • 2026-07-08 - Last updated in NVD database

Technical Details for CVE-2026-53359

Vulnerability Analysis

The defect extends a class of bugs previously addressed by commit 0cb2af2ea66ad ("KVM: x86: Fix shadow paging use-after-free due to unexpected GFN"). That earlier fix resolved a mismatch between the stored Guest Frame Number (GFN) and the computed GFN when a leaf Shadow Page Table Entry (SPTE) was created after a PDE change. CVE-2026-53359 covers the analogous case in which the modified PDE points to a non-leaf page.

In this scenario, the GFN can match, but the role of the shadow page does not. The original 2MB large page is backed by a kvm_mmu_page with direct=1, while the new 4KB path requires direct=0. Because kvm_mmu_get_child_sp() does not compare the role, the existing page is reused improperly.

Root Cause

The root cause is missing role validation during shadow page reuse. When a leaf 4KB SPTE is installed on the new path, its rmap entry is recorded under the GFN resolved by the walk. On zap, kvm_mmu_page_get_gfn() computes the GFN using sp->gfn + index because the parent has direct=1, rather than consulting sp->shadowed_translation[] or sp->gfns[] in older kernels. The rmap entry is therefore never removed.

Attack Vector

When the associated memslot is subsequently dropped, the shadow page is freed while the orphaned rmap entry survives. Any later operation that walks that GFN — dirty logging, MMU notifier invalidation, or memory reclaim — dereferences an sptep located in freed memory. This produces the use-after-free condition that can be leveraged to corrupt kernel state.

The vulnerability manifests in the KVM MMU role-tracking logic. See the referenced kernel.org commits for technical details of the fix.

Detection Methods for CVE-2026-53359

Indicators of Compromise

  • Kernel oops or panic messages referencing KVM MMU functions such as kvm_mmu_page_get_gfn, rmap_remove, or kvm_mmu_notifier_invalidate_range.
  • Unexpected KVM guest termination correlated with memslot deletion events on the host.
  • KASAN (Kernel Address Sanitizer) reports flagging use-after-free access to struct kvm_mmu_page allocations.

Detection Strategies

  • Monitor host kernel logs for KVM MMU stack traces following live migration, memory hotplug, or guest reconfiguration operations.
  • Enable KASAN in test environments to surface use-after-free access patterns in the shadow paging code paths.
  • Correlate host crash telemetry with guest activity that modifies large-page PDE mappings, which is characteristic of the trigger sequence.

Monitoring Recommendations

  • Ingest host kernel logs and hypervisor telemetry into a centralized detection pipeline for anomaly review.
  • Alert on repeated KVM subsystem faults across the fleet, which may indicate exploitation attempts against unpatched hosts.
  • Track kernel version inventory of virtualization hosts to identify systems still exposed to CVE-2026-53359.

How to Mitigate CVE-2026-53359

Immediate Actions Required

  • Apply the upstream Linux kernel patches referenced in the kernel.org stable commits and reboot affected virtualization hosts.
  • Prioritize patching multi-tenant KVM hosts where untrusted workloads share hardware with sensitive tenants.
  • Audit kernel versions across the virtualization estate and schedule remediation for any host running an unpatched KVM x86 build.

Patch Information

Fixes are available in the mainline and stable Linux kernel trees. Refer to the following kernel.org commits: 1ae7d5a6db6c, 2ad3afa40ac6, 5e470998a23e, 81ccda30b4e8, 9291654d69e0, and b1337aae5e19. The fix adds role comparison during shadow page reuse to prevent the mismatched direct bit condition.

Workarounds

  • No supported workaround exists that fully mitigates the flaw without patching; the vulnerability lives in core KVM MMU logic.
  • Where patching is delayed, restrict host access so that only trusted operators can create or delete memslots and reconfigure guest memory topology.
  • Consider migrating sensitive workloads to already-patched hosts until all systems complete remediation.
bash
# Verify running kernel and KVM module version on affected hosts
uname -r
modinfo kvm | grep -E '^(version|srcversion|filename):'

# After applying vendor updates, reboot and confirm the new kernel is active
sudo reboot

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.