cvedb.io
CVE-2026-46113
HIGH · CVSS 8.8
EPSS exploitation probability: 3%
Published 2026-05-28T10:16:26.760 · Last modified 2026-06-24T18:23:16.880

Summary

In the Linux kernel, the following vulnerability has been resolved: KVM: x86: Fix shadow paging use-after-free due to unexpected GFN The shadow MMU computes GFNs for direct shadow pages using sp->gfn plus the SPTE index. This assumption breaks for shadow paging if the guest page tables are modified between VM entries (similar to commit aad885e77496, "KVM: x86/mmu: Drop/zap existing present SPTE even when creating an MMIO SPTE", 2026-03-27). The flow is as follows: - a PDE is installed for a 2MB mapping, and a page in that area is accessed. KVM creates a kvm_mmu_page consisting of 512 4KB pages; the kvm_mmu_page is marked by FNAME(fetch) as direct-mapped because the guest's mapping is a huge page (and thus contiguous). - the PDE mapping is changed from outside the guest. - the guest accesses another page in the same 2MB area. KVM installs a new leaf SPTE and rmap entry; the SPTE uses the "correct" GFN (i.e. based on the new mapping, as changed in the previous step) but

Does this affect you?

Add your gear to cvedb and we'll alert you only when a vendor you run ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.