Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1325 CNY

100%
Buy Us a Coffee

CVE-2026-46295— KVM: x86: Do IRR scan in __kvm_apic_update_irr even if PIR is empty

AI Predicted 5.5 Difficulty: Trivial EPSS 0.15% · P5

Possible ATT&CK Techniques 1AI

T1498.001 · Direct Network Flood

Affected Version Matrix 8

VendorProductVersion RangeStatus
LinuxLinuxb41f8638b9d30fbe045b4ef83ff4136c56a57397< bb1703949dcaa9a49c338dee075f659f4634214daffected
b41f8638b9d30fbe045b4ef83ff4136c56a57397< 4b6b06a8b12bfd95f9015074b1430c1480908073affected
b41f8638b9d30fbe045b4ef83ff4136c56a57397< 33fd0ccd2590b470b65adcca288615ad3b5e3e06affected
6.16affected
< 6.16unaffected
6.18.30≤ 6.18.*unaffected
7.0.7≤ 7.0.*unaffected
7.1≤ *unaffected
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-46295

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
KVM: x86: Do IRR scan in __kvm_apic_update_irr even if PIR is empty
Source: NVD (National Vulnerability Database)
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: KVM: x86: Do IRR scan in __kvm_apic_update_irr even if PIR is empty Fall back to apic_find_highest_vector() when PID.ON is set but PIR turns out to be empty, to correctly report the highest pending interrupt from the existing IRR. In a nested VM stress test, the following WARNING fires in vmx_check_nested_events() when kvm_cpu_has_interrupt() reports a pending interrupt but the subsequent kvm_apic_has_interrupt() (which invokes vmx_sync_pir_to_irr() again) returns -1: WARNING: CPU: 99 PID: 57767 at arch/x86/kvm/vmx/nested.c:4449 vmx_check_nested_events+0x6bf/0x6e0 [kvm_intel] Call Trace: kvm_check_and_inject_events vcpu_enter_guest.constprop.0 vcpu_run kvm_arch_vcpu_ioctl_run kvm_vcpu_ioctl __x64_sys_ioctl do_syscall_64 entry_SYSCALL_64_after_hwframe The root cause is a race between vmx_sync_pir_to_irr() on the target vCPU and __vmx_deliver_posted_interrupt() on a sender vCPU. The sender performs two individually-atomic operations that are not a single transaction: 1. pi_test_and_set_pir(vector) -- sets the PIR bit 2. pi_test_and_set_on() -- sets PID.ON The following interleaving triggers the bug: Sender vCPU (IPI): Target vCPU (1st sync_pir_to_irr): B1: set PIR[vector] A1: pi_clear_on() A2: pi_harvest_pir() -> sees B1 bit A3: xchg() -> consumes bit, PIR=0 (1st sync returns correct max_irr) B2: set PID.ON = 1 Target vCPU (2nd sync_pir_to_irr): C1: pi_test_on() -> TRUE (from B2) C2: pi_clear_on() -> ON=0 C3: pi_harvest_pir() -> PIR empty C4: *max_irr = -1, early return IRR NOT SCANNED The interrupt is not lost (it resides in the IRR from the first sync and is recovered on the next vcpu_enter_guest() iteration), but the incorrect max_irr causes a spurious WARNING and a wasted L2 VM-Enter/VM-Exit cycle.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Linux kernel 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 Linux kernel存在安全漏洞,该漏洞源于KVM中IRR扫描竞争条件,可能导致系统崩溃。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
LinuxLinux b41f8638b9d30fbe045b4ef83ff4136c56a57397 ~ bb1703949dcaa9a49c338dee075f659f4634214d -
LinuxLinux 6.16 -

II. Public POCs for CVE-2026-46295

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-46295

登录查看更多情报信息。

Patches & Fixes for CVE-2026-46295 (3)

Same Patch Batch · Linux · 2026-06-08 · 41 CVEs total

CVE-2026-462899.8 CRITICALlib/scatterlist: fix length calculations in extract_kvec_to_sg
CVE-2026-462888.4 HIGHof: unittest: fix use-after-free in of_unittest_changeset()
CVE-2026-463078.3 HIGHwifi: ath5k: do not access array OOB
CVE-2026-463038.2 HIGHisofs: validate Rock Ridge CE continuation extent against volume size
CVE-2026-462747.8 HIGHio-wq: check that the predecessor is hashed in io_wq_remove_pending()
CVE-2026-463117.8 HIGHdrm/amdgpu/userq: fix access to stale wptr mapping
CVE-2026-462757.8 HIGHBluetooth: hci_uart: fix UAFs and race conditions in close and init paths
CVE-2026-462777.8 HIGHmm/zone_device: do not touch device folio after calling ->folio_free()
CVE-2026-462807.8 HIGHlib: test_hmm: evict device pages on file close to avoid use-after-free
CVE-2026-463067.5 HIGHflow_dissector: do not dissect PPPoE PFC frames
CVE-2026-463047.5 HIGHnvmet: avoid recursive nvmet-wq flush in nvmet_ctrl_free
CVE-2026-462997.0 HIGHhfsplus: fix held lock freed on hfsplus_fill_super()
CVE-2026-46287net: txgbe: fix RTNL assertion warning when remove module
CVE-2026-46286leds: qcom-lpg: Check for array overflow when selecting the high resolution
CVE-2026-46279mm/alloc_tag: clear codetag for pages allocated before page_ext initialization
CVE-2026-46285mtd: docg3: fix use-after-free in docg3_release()
CVE-2026-46284mm/hugetlb: fix early boot crash on parameters without '=' separator
CVE-2026-46283tpm: Use kfree_sensitive() to free auth session in tpm_dev_release()
CVE-2026-46282iio: frequency: admv1013: fix NULL pointer dereference on str
CVE-2026-46281vmalloc: fix buffer overflow in vrealloc_node_align()

Showing top 20 of 41 CVEs. View all on vendor page &rarr; →

IV. Related Vulnerabilities

Same product: Linux
Same vendor: Linux

V. Comments for CVE-2026-46295

No comments yet

Leave a comment