CVE-2026-23425
Published: 03 April 2026
Summary
CVE-2026-23425 is a high-severity vulnerability in the Linux kernel; its weakness type (CWE) is unspecified. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). It is ranked at the 2.1st percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Deeper analysis
CVE-2026-23425 is a vulnerability in the Linux kernel's KVM hypervisor on arm64 architectures, specifically affecting the initialization of ID registers for non-protected pKVM guests. In protected mode, the hypervisor maintains separate kvm structures per VM, but for non-protected VMs, these are initialized from the host's kvm state. The issue arises because the KVM_ARCH_FLAG_ID_REGS_INITIALIZED flag is copied from the host without properly initializing the underlying id_regs data, leaving them zeroed. This causes kvm_has_feat() checks at EL2 to fail for non-protected VMs, breaking feature detection logic such as ctxt_has_tcrx() for TCR2_EL1 support, which prevents proper save/restore of system registers like TCR2_EL1, PIR_EL1, and POR_EL1 during world switches, potentially leading to state corruption.
The vulnerability has a CVSS v3.1 base score of 8.8 (AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H), meaning it is exploitable by a local attacker with low privileges. Such an attacker could leverage the flawed initialization in non-protected pKVM guest environments to trigger failed feature detection and incomplete register handling during VM world switches. The vector rates the impact on confidentiality, integrity, and availability as high, with a changed scope because the hypervisor is involved: state corruption could propagate effects across the host and guest boundary.
Mitigation involves applying the provided kernel patches, as detailed in the stable commit references: https://git.kernel.org/stable/c/7e7c2cf0024d89443a7af52e09e47b1fe634ab17, https://git.kernel.org/stable/c/858620655c1fbff05997e162fc7d83a3293d5142, and https://git.kernel.org/stable/c/bce3847f7c51b86332bf2e554c9e80ca3820f16c. These fixes explicitly copy ID registers from the host kvm to the hypervisor kvm for non-protected VMs during pkvm_init_features_from_host(), clear the KVM_ARCH_FLAG_ID_REGS_INITIALIZED flag initially, and ensure proper initialization via vm_copy_id_regs(). Security practitioners should update affected Linux kernels hosting arm64 KVM environments with non-protected pKVM guests.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-18647
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved:

KVM: arm64: Fix ID register initialization for non-protected pKVM guests

In protected mode, the hypervisor maintains a separate instance of the `kvm` structure for each VM. For non-protected VMs, this structure is initialized from the host's `kvm` state. Currently, `pkvm_init_features_from_host()` copies the `KVM_ARCH_FLAG_ID_REGS_INITIALIZED` flag from the host without the underlying `id_regs` data being initialized. This results in the hypervisor seeing the flag as set while the ID registers remain zeroed.

Consequently, `kvm_has_feat()` checks at EL2 fail (return 0) for non-protected VMs. This breaks logic that relies on feature detection, such as `ctxt_has_tcrx()` for TCR2_EL1 support. As a result, certain system registers (e.g., TCR2_EL1, PIR_EL1, POR_EL1) are not saved/restored during the world switch, which could lead to state corruption.

Fix this by explicitly copying the ID registers from the host `kvm` to the hypervisor `kvm` for non-protected VMs during initialization, since we trust the host with its non-protected guests' features. Also ensure `KVM_ARCH_FLAG_ID_REGS_INITIALIZED` is cleared initially in `pkvm_init_features_from_host` so that `vm_copy_id_regs` can properly initialize them and set the flag once done.
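The defect described above is a flag that claims "initialized" while the data behind it is still zero. The following is an added, self-contained C model written for this page to make that failure mode and the shape of the fix concrete; it is not the Linux kernel's KVM code. The struct, the `model_*` function names, the register count and the "feature lives at register 3, bit 5" layout are all constructed assumptions. The flawed path mirrors the advisory (copy the flag, leave `id_regs` zeroed, so the feature check returns 0); the fixed path mirrors the commit's approach (clear the flag, copy the registers from the host, set the flag last), and a consistency check shows why the flag must never run ahead of the data it describes.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of the advisory's flag/data inconsistency. The struct,
 * function names and register layout are assumptions for illustration and
 * are not the Linux kernel's KVM code. */
#define NR_ID_REGS 8
#define FLAG_ID_REGS_INITIALIZED (1u << 0)

struct model_kvm {
    uint32_t flags;                 /* stands in for the per-VM arch flags */
    uint64_t id_regs[NR_ID_REGS];   /* stands in for the per-VM ID registers */
};

/* Constructed feature location: "TCRX" is modelled as register 3, bit 5. */
#define FEAT_TCRX_REG 3
#define FEAT_TCRX_BIT 5

/* Feature test in the style the advisory describes: with zeroed id_regs it
 * returns 0 no matter what the flag claims. */
static int model_has_feat(const struct model_kvm *kvm, unsigned int reg, unsigned int bit)
{
    if (reg >= NR_ID_REGS || bit >= 64)
        return 0;
    return (int)((kvm->id_regs[reg] >> bit) & 1u);
}

/* "Before": copy the host's flags, leave id_regs zeroed. The flag now says
 * the registers are initialised while every register is zero. */
static void init_from_host_flawed(struct model_kvm *hyp, const struct model_kvm *host)
{
    memset(hyp, 0, sizeof(*hyp));
    hyp->flags = host->flags;
}

/* "After": start with the flag cleared, copy the ID registers from the host,
 * and only then mark them initialised, so the flag never runs ahead of the data. */
static void init_from_host_fixed(struct model_kvm *hyp, const struct model_kvm *host)
{
    memset(hyp, 0, sizeof(*hyp));
    hyp->flags = host->flags & ~FLAG_ID_REGS_INITIALIZED;
    memcpy(hyp->id_regs, host->id_regs, sizeof(hyp->id_regs));
    hyp->flags |= FLAG_ID_REGS_INITIALIZED;
}

/* Invariant a reviewer would want enforced: "initialised" must imply that the
 * hypervisor copy matches the host copy. Returns 1 when consistent, else 0. */
static int id_regs_consistent(const struct model_kvm *hyp, const struct model_kvm *host)
{
    if (!(hyp->flags & FLAG_ID_REGS_INITIALIZED))
        return 0;
    return memcmp(hyp->id_regs, host->id_regs, sizeof(hyp->id_regs)) == 0;
}

/* Constructed host state advertising the modelled feature. */
static void make_host(struct model_kvm *host)
{
    memset(host, 0, sizeof(*host));
    host->id_regs[FEAT_TCRX_REG] = (uint64_t)1 << FEAT_TCRX_BIT;
    host->flags = FLAG_ID_REGS_INITIALIZED;
}

/* Feature-check result after the flawed init: the flag is set but the
 * registers are zero, so the check fails (returns 0). */
int flawed_init_sees_feature(void)
{
    struct model_kvm host, hyp;
    make_host(&host);
    init_from_host_flawed(&hyp, &host);
    return model_has_feat(&hyp, FEAT_TCRX_REG, FEAT_TCRX_BIT);
}

/* Feature-check result after the fixed init: registers were copied, so the
 * check succeeds (returns 1). */
int fixed_init_sees_feature(void)
{
    struct model_kvm host, hyp;
    make_host(&host);
    init_from_host_fixed(&hyp, &host);
    return model_has_feat(&hyp, FEAT_TCRX_REG, FEAT_TCRX_BIT);
}

/* Consistency of the flawed copy: flag set, data mismatched, so 0. */
int flawed_init_is_consistent(void)
{
    struct model_kvm host, hyp;
    make_host(&host);
    init_from_host_flawed(&hyp, &host);
    return id_regs_consistent(&hyp, &host);
}

/* Consistency of the fixed copy: flag set and data matches, so 1. */
int fixed_init_is_consistent(void)
{
    struct model_kvm host, hyp;
    make_host(&host);
    init_from_host_fixed(&hyp, &host);
    return id_regs_consistent(&hyp, &host);
}

int main(void)
{
    printf("flawed: has_feat=%d consistent=%d\n",
           flawed_init_sees_feature(), flawed_init_is_consistent());
    printf("fixed:  has_feat=%d consistent=%d\n",
           fixed_init_sees_feature(), fixed_init_is_consistent());
    return 0;
}
```

The design point the model makes explicit is ordering: a "data is ready" flag is only trustworthy if it is cleared before the copy and set after it. A check like `id_regs_consistent()` is the kind of invariant a unit test or a debug assertion can enforce so that a flag copied without its data is caught at initialization rather than surfacing later as a missed register save/restore.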
- CWE(s): none assigned (unspecified weakness)
Related Threats
MITRE ATT&CK Enterprise Techniques
- Exploitation for Privilege Escalation (T1068)
Why these techniques?
The flaw in KVM hypervisor initialization allows local, low-privilege exploitation that corrupts state across the host/guest boundary, which directly supports privilege escalation and VM escape to the host.
Mitigating Controls (NIST 800-53 r5)
Requires timely identification, reporting, and patching of the Linux kernel flaw in KVM ID register initialization to prevent state corruption during world switches in non-protected pKVM guests.
Vulnerability scanning detects CVE-2026-23425 in arm64 Linux kernels hosting KVM, enabling prioritization for remediation.
Monitoring security alerts and advisories identifies notifications for CVE-2026-23425, prompting patch deployment in affected KVM environments.