-

CVE-2026-53345

KVM: Don't WARN if memory is dirtied without a vCPU when the VM is dying

In the Linux kernel, the following vulnerability has been resolved:

KVM: Don't WARN if memory is dirtied without a vCPU when the VM is dying

When marking a page dirty, complain about not having a running/loaded vCPU
if and only if the VM is still alive, i.e. its refcount is non-zero.  This
will allow fixing a memory leak for x86 SEV-ES guests without hitting what
is effectively a false positive on the WARN.

For some SEV-ES VM-Exits, KVM keeps a writable mapping of a guest page
across an exit to userspace, and typically unmaps the page on the next
KVM_RUN.  But if userspace never calls KVM_RUN after such an exit, then KVM
needs to unmap the page when the vCPU is destroyed, which in turn triggers
the WARN about not having a running vCPU.

Alternatively, SEV-ES could temporarily load the vCPU to suppress the WARN,
as is done in nested_vmx_free_vcpu() (but for completely unrelated reasons;
suppressing WARN from nested_put_vmcs12_pages() is pure happenstance).  But
loading a vCPU during destruction is gross (ideally nVMX code would be
cleaned up), risks complicating the SEV-ES code (KVM would need to ensure
the temporarily load()+put() only runs when the vCPU isn't already loaded),
and is ultimately pointless.

The motivation for the WARN is to guard against KVM dirtying guest memory
without pushing the corresponding GFN to the active vCPU's dirty ring, e.g.
to ensure userspace doesn't miss a dirty page.  But for the VM's refcount
to reach zero, there can't be _any_ userspace mappings to the dirty ring,
as mapping the dirty ring requires doing mmap() on the vCPU FD.  I.e. if
userspace had a valid mapping for the dirty ring, then the vCPU file and
thus the owning VM would still be alive.  And so since userspace can't
possibly reach the dirty ring, whether or not KVM technically "misses" a
push to the dirty ring is irrelevant.
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
HerstellerLinux
Produkt Linux
Default Statusunaffected
Version 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version < 033d39e41fc30f484f4e4f37fb4cd76b12cbb18e
Status affected
Version 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version < 66a8e7ddd901023c89a2733494d827eca3f9c1b0
Status affected
Version 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version < 343e95c8ecc40e0738975ef4ee24c0c35e800e6b
Status affected
Version 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version < 99d7d43784ae3235026581e9bf892c036e04c8e6
Status affected
Version 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version < 8618004d3e897c0f1b71d9a9ab860461289bb89a
Status affected
Version 0
Version < 6.6.143
Status affected
Version 0
Version < 6.12.94
Status affected
Version 0
Version < 6.18.36
Status affected
Version 0
Version < 7.0.13
Status affected
HerstellerLinux
Produkt Linux
Default Statusaffected
Version <= 6.6.*
Version 6.6.143
Status unaffected
Version <= 6.12.*
Version 6.12.94
Status unaffected
Version <= 6.18.*
Version 6.18.36
Status unaffected
Version <= 7.0.*
Version 7.0.13
Status unaffected
Version <= *
Version 7.1
Status unaffected
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.16% 0.052
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
Es wurden noch keine Informationen zu CWE veröffentlicht.
https://git.kernel.org/stable/c/033d39e41fc30f484f4e4f37fb4cd76b12cbb18e
https://git.kernel.org/stable/c/66a8e7ddd901023c89a2733494d827eca3f9c1b0
https://git.kernel.org/stable/c/343e95c8ecc40e0738975ef4ee24c0c35e800e6b
https://git.kernel.org/stable/c/99d7d43784ae3235026581e9bf892c036e04c8e6
https://git.kernel.org/stable/c/8618004d3e897c0f1b71d9a9ab860461289bb89a