Cyber Resilience

CVE-2026-23425

High

Published: 03 April 2026
Modified: 27 April 2026
KEV Added
Patch
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0012 (2.1st percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-23425 is a high-severity vulnerability (weakness type unspecified) in the Linux kernel. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). Its EPSS score places it at the 2.1st percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Deeper analysis

CVE-2026-23425 is a vulnerability in the Linux kernel's KVM hypervisor on arm64 architectures, specifically affecting the initialization of ID registers for non-protected pKVM guests. In protected mode, the hypervisor maintains separate kvm structures per VM, but for non-protected VMs, these are initialized from the host's kvm state. The issue arises because the KVM_ARCH_FLAG_ID_REGS_INITIALIZED flag is copied from the host without properly initializing the underlying id_regs data, leaving them zeroed. This causes kvm_has_feat() checks at EL2 to fail for non-protected VMs, breaking feature detection logic such as ctxt_has_tcrx() for TCR2_EL1 support, which prevents proper save/restore of system registers like TCR2_EL1, PIR_EL1, and POR_EL1 during world switches, potentially leading to state corruption.

The vulnerability has a CVSS v3.1 base score of 8.8 (AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H), indicating it can be exploited by a local attacker with low privileges. Such an attacker could leverage the flawed initialization in non-protected pKVM guest environments to trigger failed feature detection and incomplete register handling during VM world switches. This achieves high impacts on confidentiality, integrity, and availability, with a changed scope due to the hypervisor's involvement, potentially allowing state corruption that escalates effects across host and guest boundaries.

Mitigation involves applying the provided kernel patches, as detailed in the stable commit references: https://git.kernel.org/stable/c/7e7c2cf0024d89443a7af52e09e47b1fe634ab17, https://git.kernel.org/stable/c/858620655c1fbff05997e162fc7d83a3293d5142, and https://git.kernel.org/stable/c/bce3847f7c51b86332bf2e554c9e80ca3820f16c. These fixes explicitly copy ID registers from the host kvm to the hypervisor kvm for non-protected VMs during pkvm_init_features_from_host(), clear the KVM_ARCH_FLAG_ID_REGS_INITIALIZED flag initially, and ensure proper initialization via vm_copy_id_regs(). Security practitioners should update affected Linux kernels hosting arm64 KVM environments with non-protected pKVM guests.

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: Fix ID register initialization for non-protected pKVM guests

In protected mode, the hypervisor maintains a separate instance of the `kvm` structure for each VM. For non-protected VMs, this structure is initialized from the host's `kvm` state. Currently, `pkvm_init_features_from_host()` copies the `KVM_ARCH_FLAG_ID_REGS_INITIALIZED` flag from the host without the underlying `id_regs` data being initialized. This results in the hypervisor seeing the flag as set while the ID registers remain zeroed. Consequently, `kvm_has_feat()` checks at EL2 fail (return 0) for non-protected VMs. This breaks logic that relies on feature detection, such as `ctxt_has_tcrx()` for TCR2_EL1 support. As a result, certain system registers (e.g., TCR2_EL1, PIR_EL1, POR_EL1) are not saved/restored during the world switch, which could lead to state corruption. Fix this by explicitly copying the ID registers from the host `kvm` to the hypervisor `kvm` for non-protected VMs during initialization, since we trust the host with its non-protected guests' features. Also ensure `KVM_ARCH_FLAG_ID_REGS_INITIALIZED` is cleared initially in `pkvm_init_features_from_host` so that `vm_copy_id_regs` can properly initialize them and set the flag once done.
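The following C is an added, constructed model of the initialization flaw described in the deeper analysis and the vulnerability details above; it is not the kernel's code. A flag copied from the host claims the ID registers are initialized, so the copy step that would populate them is skipped and a feature check that reads them returns 0; the fixed path clears the flag first so the copy runs and sets the flag only once done. The register index, the feature bit, and every name ending in `_model` are assumptions made for the model.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#define NR_ID_REGS 4                         /* hypothetical register count */
#define FLAG_ID_REGS_INITIALIZED (1ul << 0)  /* stands in for KVM_ARCH_FLAG_ID_REGS_INITIALIZED */
#define IDREG_MMFR3 0                        /* hypothetical index of the register carrying TCRX */
#define FEAT_TCRX   (1ull << 0)              /* hypothetical feature bit for TCR2_EL1 support */

struct kvm_model { unsigned long flags; uint64_t id_regs[NR_ID_REGS]; };

/* Models kvm_has_feat(): reads the ID register copy the hypervisor holds. */
static bool kvm_has_feat_model(const struct kvm_model *kvm, int reg, uint64_t feat)
{
    return (kvm->id_regs[reg] & feat) != 0;
}

/* Models vm_copy_id_regs(): populates id_regs unless the flag claims they are done. */
static void vm_copy_id_regs_model(struct kvm_model *hyp, const struct kvm_model *host)
{
    if (hyp->flags & FLAG_ID_REGS_INITIALIZED)
        return;                               /* flag set: nothing to do */
    memcpy(hyp->id_regs, host->id_regs, sizeof(hyp->id_regs));
    hyp->flags |= FLAG_ID_REGS_INITIALIZED;
}

/* Buggy pkvm_init_features_from_host(): the flag is copied, so the copy step is skipped. */
static void init_from_host_buggy(struct kvm_model *hyp, const struct kvm_model *host)
{
    memset(hyp, 0, sizeof(*hyp));
    hyp->flags = host->flags;                 /* carries FLAG_ID_REGS_INITIALIZED across */
    vm_copy_id_regs_model(hyp, host);         /* early-returns, id_regs stay zeroed */
}

/* Fixed: clear the flag first, so the copy runs and the flag is set only once done. */
static void init_from_host_fixed(struct kvm_model *hyp, const struct kvm_model *host)
{
    memset(hyp, 0, sizeof(*hyp));
    hyp->flags = host->flags & ~FLAG_ID_REGS_INITIALIZED;
    vm_copy_id_regs_model(hyp, host);
}

/* Does the hypervisor copy see TCR2_EL1 support, as ctxt_has_tcrx() would ask? */
static bool hyp_sees_tcrx(void (*init)(struct kvm_model *, const struct kvm_model *))
{
    /* constructed host state: registers initialized and the feature advertised */
    struct kvm_model host = { .flags = FLAG_ID_REGS_INITIALIZED,
                              .id_regs = { [IDREG_MMFR3] = FEAT_TCRX } };
    struct kvm_model hyp;
    init(&hyp, &host);
    return kvm_has_feat_model(&hyp, IDREG_MMFR3, FEAT_TCRX);
}
```

With the buggy path the hypervisor copy reports no TCR2 support even though the host advertises it, which is the condition under which the page says TCR2_EL1, PIR_EL1 and POR_EL1 would be skipped during the world switch.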

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1611 Escape to Host (tactic: Privilege Escalation): Adversaries may break out of a container or virtualized environment to gain access to the underlying host.
Why these techniques?

Vulnerability in KVM hypervisor initialization enables local low-priv exploitation leading to state corruption across host/guest boundaries, directly facilitating privilege escalation and VM escape to host.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-31553 (same product: Linux kernel)
CVE-2026-31788 (same product: Linux kernel)
CVE-2026-31569 (same product: Linux kernel)
CVE-2026-31474 (same product: Linux kernel)
CVE-2026-31516 (same product: Linux kernel)
CVE-2024-57792 (same product: Linux kernel)
CVE-2026-23326 (same product: Linux kernel)
CVE-2026-23280 (same product: Linux kernel)
CVE-2025-71123 (same product: Linux kernel)
CVE-2026-31570 (same product: Linux kernel)

Affected Assets

Vendor: linux
Product: linux kernel
Versions: 6.14, 7.0 · 6.14.1 to 6.18.17 · 6.19 to 6.19.7

Mitigating Controls (NIST 800-53 r5, AI)

prevent (SI-2 Flaw Remediation): Requires timely identification, reporting, and patching of the Linux kernel flaw in KVM ID register initialization to prevent state corruption during world switches in non-protected pKVM guests.

detect (RA-5 Vulnerability Monitoring and Scanning): Vulnerability scanning detects CVE-2026-23425 in arm64 Linux kernels hosting KVM, enabling prioritization for remediation.

detect: Monitoring security alerts and advisories identifies notifications for CVE-2026-23425, prompting patch deployment in affected KVM environments.