{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-23402","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2026-01-13T15:37:46.012Z","datePublished":"2026-04-01T08:36:33.366Z","dateUpdated":"2026-05-11T22:06:12.992Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T22:06:12.992Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86/mmu: Only WARN in direct MMUs when overwriting shadow-present SPTE\n\nAdjust KVM's sanity check against overwriting a shadow-present SPTE with a\nanother SPTE with a different target PFN to only apply to direct MMUs,\ni.e. only to MMUs without shadowed gPTEs. While it's impossible for KVM\nto overwrite a shadow-present SPTE in response to a guest write, writes\nfrom outside the scope of KVM, e.g. from host userspace, aren't detected\nby KVM's write tracking and so can break KVM's shadow paging rules.\n\n ------------[ cut here ]------------\n pfn != spte_to_pfn(*sptep)\n WARNING: arch/x86/kvm/mmu/mmu.c:3069 at mmu_set_spte+0x1e4/0x440 [kvm], CPU#0: vmx_ept_stale_r/872\n Modules linked in: kvm_intel kvm irqbypass\n CPU: 0 UID: 1000 PID: 872 Comm: vmx_ept_stale_r Not tainted 7.0.0-rc2-eafebd2d2ab0-sink-vm #319 PREEMPT\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015\n RIP: 0010:mmu_set_spte+0x1e4/0x440 [kvm]\n Call Trace:\n \n ept_page_fault+0x535/0x7f0 [kvm]\n kvm_mmu_do_page_fault+0xee/0x1f0 [kvm]\n kvm_mmu_page_fault+0x8d/0x620 [kvm]\n vmx_handle_exit+0x18c/0x5a0 [kvm_intel]\n kvm_arch_vcpu_ioctl_run+0xc55/0x1c20 [kvm]\n kvm_vcpu_ioctl+0x2d5/0x980 [kvm]\n __x64_sys_ioctl+0x8a/0xd0\n do_syscall_64+0xb5/0x730\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\n \n ---[ end trace 0000000000000000 ]---"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["arch/x86/kvm/mmu/mmu.c"],"versions":[{"version":"11d45175111d933c5175acc28e56af2213dd5cd6","lessThan":"bab090e8fd5607f77379ea78b9d0c683cb1538a9","status":"affected","versionType":"git"},{"version":"11d45175111d933c5175acc28e56af2213dd5cd6","lessThan":"a1e0f7150639bc30a8e75476d1c7daab77d44992","status":"affected","versionType":"git"},{"version":"11d45175111d933c5175acc28e56af2213dd5cd6","lessThan":"df83746075778958954aa0460cca55f4b3fc9c02","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["arch/x86/kvm/mmu/mmu.c"],"versions":[{"version":"6.16","status":"affected"},{"version":"0","lessThan":"6.16","status":"unaffected","versionType":"semver"},{"version":"6.18.21","lessThanOrEqual":"6.18.*","status":"unaffected","versionType":"semver"},{"version":"6.19.11","lessThanOrEqual":"6.19.*","status":"unaffected","versionType":"semver"},{"version":"7.0","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.16","versionEndExcluding":"6.18.21"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.16","versionEndExcluding":"6.19.11"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.16","versionEndExcluding":"7.0"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/bab090e8fd5607f77379ea78b9d0c683cb1538a9"},{"url":"https://git.kernel.org/stable/c/a1e0f7150639bc30a8e75476d1c7daab77d44992"},{"url":"https://git.kernel.org/stable/c/df83746075778958954aa0460cca55f4b3fc9c02"}],"title":"KVM: x86/mmu: Only WARN in direct MMUs when overwriting shadow-present SPTE","x_generator":{"engine":"bippy-1.2.0"}}}}