Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-53360

CVE-2026-53360: Linux Kernel Use-After-Free Vulnerability

CVE-2026-53360 is a use-after-free vulnerability in Linux Kernel KVM SEV that enables malicious SNP guests to corrupt host kernel heap memory and leak sensitive information. This article covers technical details, impact, and mitigation.

Published:

CVE-2026-53360 Overview

CVE-2026-53360 affects the Linux kernel's KVM Secure Encrypted Virtualization (SEV) implementation. The flaw resides in the handling of the Guest Hypervisor Communication Block (GHCB) scratch area when a SEV-SNP guest uses GHCB v2 or higher. The kernel fails to require the software scratch area to reside inside the GHCB shared buffer, allowing a malicious guest to influence host-side allocation size and iteration bounds. This produces out-of-bounds reads and writes into adjacent kmalloc-cg-32 slab objects. A malicious guest can leak host kernel heap layout and corrupt neighboring allocations.

Critical Impact

A malicious SEV-SNP guest can corrupt host kernel heap memory, leak host heap layout information, and trigger use-after-free conditions across VMGEXITs, breaking the isolation guarantees SEV-SNP is designed to provide.

Affected Products

  • Linux kernel with KVM SEV-SNP support enabled
  • Host systems running AMD SEV-SNP guests using GHCB v2 or later
  • Stable kernel trees prior to the commits referenced in the patch set

Discovery Timeline

  • 2026-07-04 - CVE-2026-53360 published to the National Vulnerability Database (NVD)
  • 2026-07-04 - Last updated in NVD database

Technical Details for CVE-2026-53360

Vulnerability Analysis

The vulnerability sits in the SEV-SNP Page State Change (PSC) handling path inside the KVM subsystem. The function setup_vmgexit_scratch() allocates a buffer using kvzalloc(exit_info_2), where exit_info_2 is fully guest-controlled. When the guest supplies exit_info_2=24, the host allocates 24 bytes in the kmalloc-cg-32 cache. That buffer stores an 8-byte psc_hdr followed by 8-byte psc_entry structs, so only entries[0] and entries[1] are within bounds.

The follow-on function snp_begin_psc() validates end_entry against VMGEXIT_PSC_MAX_COUNT (253), but never checks it against the actual allocated buffer size. When the guest sets end_entry to a value such as 10 or higher, the host iterates entries[2] through entries[end_entry], all of which land in adjacent slab objects.

Each out-of-bounds entry produces an 8-byte read that acts as an information leak oracle. When the read data satisfies PSC validation, __snp_complete_one_psc() writes cur_page = 1 or 512 into the entry, corrupting neighboring objects. When validation fails, the error response reveals whether adjacent memory is zero or non-zero, disclosing further host state to the guest.

Root Cause

The root cause is missing bounds enforcement on a guest-controlled length. The GHCB v2+ specification requires the scratch area to live inside the GHCB shared buffer, whose size is bounded. The Linux implementation neither enforced that placement nor validated end_entry against the actual allocation size. This produces an [CWE-125] out-of-bounds read and [CWE-787] out-of-bounds write in the SEV-SNP PSC handler.

Attack Vector

A malicious SEV-SNP guest issues crafted VMGEXIT calls with a small exit_info_2 value to force the host allocator into a small slab cache. The guest then sets cur_entry and end_entry so PSC iteration extends past the allocated buffer into adjacent objects. Repeated VMGEXITs let the attacker sweep different slab positions, producing 62 out-of-bounds reads and writes, 7 slab-use-after-free reports, and 4 use-after-free reports in a single KASAN-enabled reproducer run. The reproducer demonstrates heap disclosure and heap corruption from an unprivileged guest.

Detection Methods for CVE-2026-53360

Indicators of Compromise

  • KASAN reports referencing snp_begin_psc+0x126/0x890 (read) or snp_begin_psc+0x468/0x890 (write) with a kmalloc-cg-32 cache in the buggy address message.
  • Unexpected kernel oops, general protection faults, or use-after-free panics on SEV-SNP hosts running untrusted guest workloads.
  • Anomalous high-frequency VMGEXIT traffic from a single guest with small exit_info_2 values.

Detection Strategies

  • Enable KASAN on test kernels and run guest workloads to surface out-of-bounds accesses in snp_begin_psc and setup_vmgexit_scratch.
  • Audit kernel logs for slab-out-of-bounds messages tied to the SEV code path.
  • Track kernel version and patch state across the host fleet against the upstream stable commits listed in the references.

Monitoring Recommendations

  • Collect host kernel dmesg and syslog into a centralized log store and alert on KASAN, BUG:, and WARNING: entries from arch/x86/kvm/svm/sev.c.
  • Monitor SEV-SNP guest exit rates and flag guests that issue abnormally high VMGEXIT volumes.
  • Correlate host kernel panics with tenant identity in multi-tenant confidential-computing environments.

How to Mitigate CVE-2026-53360

Immediate Actions Required

Patch Information

The fix requires the software scratch area to reside in the GHCB's shared buffer when a guest uses GHCB v2 or later, aligning the implementation with the GHCB specification. The patched code also validates end_entry against the real allocation, preventing iteration past entries[1] on a 24-byte allocation. Distribution kernels should pick up the four stable commits listed above.

Workarounds

  • Disable SEV-SNP on hosts where confidential computing is not required until patched kernels are installed.
  • Limit guest workloads on affected hosts to trusted tenants only.
  • Enable KASAN in staging environments to surface exploitation attempts during validation of the patch rollout.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.