HarborGuard / CVE
Severity: HIGH | CVE-2026-46076 | CNA: Linux

CVE-2026-46076: KVM: nSVM: Raise #UD if unhandled VMMCALL isn't intercepted by L1

In the Linux kernel, the following vulnerability has been resolved:

KVM: nSVM: Raise #UD if unhandled VMMCALL isn't intercepted by L1

Explicitly synthesize a #UD for VMMCALL if L2 is active, L1 does NOT want to intercept VMMCALL, nested_svm_l2_tlb_flush_enabled() is true, and the hypercall is something other than one of the supported Hyper-V hypercalls. When all of the above conditions are met, KVM will intercept VMMCALL but never forward it to L1, i.e. will let L2 make hypercalls as if it were L1.

The TLFS says a whole lot of nothing about this scenario, so go with the architectural behavior, which says that VMMCALL #UDs if it's not intercepted.

Opportunistically do a 2-for-1 stub trade by stub-ifying the new API instead of the helpers it uses. The last remaining "single" stub will soon be dropped as well.

[sean: rewrite changelog and comment, tag for stable, remove defunct stubs]

HarborGuard Analysis

Synopsis

A logic flaw in the Linux kernel's KVM nested SVM (nSVM) code lets an L2 guest issue hypercalls to the host hypervisor (L0) as though it were the L1 hypervisor. The flaw is reached when L2 is active, L1 has not asked to intercept VMMCALL, nested_svm_l2_tlb_flush_enabled() is true (L1 has enabled KVM's Hyper-V L2 TLB flush support in its nested VMCB), and the hypercall is not one of the supported Hyper-V hypercalls: KVM intercepts the VMMCALL for its own TLB-flush handling but never forwards it to L1, so L0 processes the request on L2's behalf instead of raising the architecturally specified #UD. The fix synthesizes #UD in that case. Code running inside an L2 guest triggers the flaw locally, with no network access or victim interaction. Per the published CVSS v3.1 vector (scope changed; C:L/I:L/A:H), the rated impact is limited disclosure of hypervisor state, limited tampering with virtualization state, and a high availability impact on the affected VM or hypervisor layer. Upstream fixes are in 6.12.86, 6.18.27, 7.0.4 and 7.1-rc1; patched-image rebuilds at those versions are available on HarborGuard for environments running an affected kernel.

HarborGuard Coverage

Detection (Available)

Detection of CVE-2026-46076 is available across every HarborGuard environment: the CVE is ingested from upstream Linux kernel feeds within minutes of publication and matched against customer images, including custom-built images that bundle an affected kernel version. Any image whose kernel package falls within the vulnerable range is flagged automatically in both registry scans and CI/CD pipeline checks. Two caveats apply to version matching: a container's actual exposure is decided by the host kernel it runs on, not by a kernel package inside the image, and distribution kernels carry backported fixes under an unchanged upstream version string, so for those the distribution's own advisory, not the upstream range, is authoritative.

Triage (Available)

HarborGuard scores this CVE at 7.9 HIGH using the published CVSS v3.1 vector, and per-environment compliance policy weighting can escalate or adjust priority based on each organization's exposure profile (for example, environments running nested virtualization workloads on AMD hosts). Triage findings are routed to the appropriate team inbox within each customer organization according to configured policy.

Patch (Available)

A patched-image rebuild at the fixed kernel versions (6.12.86, 6.18.27, 7.0.4, 7.1-rc1, or the corresponding upstream commits) becomes available on HarborGuard for customer images confirmed to carry an affected kernel package. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test suite against the new image, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled.


Exploit Conditions

  • Network reachability: Not required

    The attacker needs code execution inside an L2 (nested) guest; no network path to the host or to L1 is required.

  • Authentication: Required

    VMMCALL is not restricted to CPL 0 inside a guest, so any code in the L2 guest can reach the mis-routed intercept, which is why the published vector rates privileges required as low. In practice, KVM's hypercall handlers refuse requests from callers that are not at CPL 0, so exercising the L1-level hypercall interface, rather than merely reaching it, calls for kernel-level code in the L2 guest.

  • Victim interaction: Not required

    No interaction from another user or administrator is needed; the attacker executes the exploit entirely on their own.

  • Attack complexity: Low

    The trigger is deterministic and needs no race, memory-layout knowledge or other environmental factor beyond the nested-SVM preconditions: an AMD (SVM) host with nested virtualization enabled, an L1 guest that has enabled KVM's Hyper-V L2 TLB flush support, and L1 not intercepting VMMCALL.

Blast Radius

  • Reads limited hypervisor or host memory regions exposed through the unintended hypercall path, potentially disclosing confidential virtualization state.
  • Modifies virtualization-layer state by issuing hypercalls that should have been reserved for the L1 hypervisor, potentially corrupting TLB or VM control structures.
  • Crashes the affected guest VM or the hypervisor layer handling the malformed hypercall, causing sustained service disruption for all workloads running on that host.
  • Undermines the isolation boundary between nested guest (L2) and hypervisor (L1), weakening the security guarantees of any multi-tenant or nested-virtualization deployment.

How HarborGuard Handles This

Available on HarborGuard: detection fires within minutes of image ingestion for any image carrying a kernel package in the affected version range, covering both standard distribution images and custom-built kernels. Where compliance policy permits auto-remediation, the rebuild, regression test and pull request flow described under Patch applies; otherwise HarborGuard surfaces the finding with remediation guidance pointing to the exact fix versions (6.12.86, 6.18.27, 7.0.4, 7.1-rc1, or the pinned upstream commits). If an immediate kernel upgrade is not feasible, remove one of the flaw's preconditions instead. The flaw needs nested virtualization on an AMD (SVM) host and an L1 guest that has enabled KVM's Hyper-V L2 TLB flush support, so disabling nested virtualization for untrusted L1 guests (the kvm_amd module's nested parameter, visible at /sys/module/kvm_amd/parameters/nested) or not offering Hyper-V enlightenments to them (for QEMU, the hv-* CPU flags) removes a required condition. Note that nested_svm_l2_tlb_flush_enabled() is not a host toggle: it reports what L1 has enabled in its nested VMCB, so the host's levers are nested virtualization itself and the Hyper-V features offered to L1. Network policies do not help here; the attack vector is local, from inside the L2 guest.


Metrics

CVSS v3.1 score: 7.9
Severity: HIGH
Fixed in: 6.12.86, 6.18.27, 7.0.4, 7.1-rc1
Affected products: 2

Fix available

Fix commits (upstream):
  • 009c0f726abeaa67aad1d96b883bdce01d405ce2
  • 5fb4a5f361565f5b629d8a8fe5288ce8463c5727
  • 924d721fae95687acedbaf624a094ed0e8b67104
  • c36991c6f8d2ab56ee67aff04e3c357f45cfc76c
Fixed releases: 6.12.86, 6.18.27, 7.0.4, 7.1-rc1

Affected packages
  • Linux / Linux (by commit)
    Introduced in 3f4a812edf5cb0a50e65fbdfafdb3e688da18f16; affected before each of 924d721fae95687acedbaf624a094ed0e8b67104, 009c0f726abeaa67aad1d96b883bdce01d405ce2, 5fb4a5f361565f5b629d8a8fe5288ce8463c5727 and c36991c6f8d2ab56ee67aff04e3c357f45cfc76c
  • Linux / Linux (by version)
    Affected from 6.2; fixed in 6.12.86, 6.18.27, 7.0.4, 7.1-rc1
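The version-range matching that the Detection section and the affected-package entries above describe, written out as an added example. This is not HarborGuard's or the kernel project's code; it encodes only the data on this page (introduced in 6.2, fixed in 6.12.86, 6.18.27, 7.0.4 and 7.1-rc1) and applies the kernel CNA's per-branch semantics: a stable fix X.Y.Z covers only the X.Y branch, while the mainline fix covers every branch that has no stable fix of its own, so end-of-life branches in between (6.13 through 6.17, for instance) stay affected. The image names and kernel strings in SAMPLE_IMAGES are constructed for illustration. The caveat from Detection stands: this answers the upstream-version question only, and distribution kernels with backports need a package-level lookup.

```python
import re

# Data as published for this CVE (kernel CNA): introduced in 6.2, fixed in the
# listed stable and mainline releases.
INTRODUCED = "6.2"
FIXED = ["6.12.86", "6.18.27", "7.0.4", "7.1-rc1"]

# major.minor[.patch][-rcN]; anything after that ("-generic", ".el9", "-1") is
# distro packaging and is deliberately ignored.
_VER_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?")


def parse_kernel_version(text):
    """Turn a kernel version string into a comparable tuple.

    The last element orders release candidates before the final release of the
    same version: (0, N) for -rcN, (1, 0) for a final release.
    """
    m = _VER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised kernel version: {text!r}")
    major, minor, patch, rc = m.groups()
    rc_key = (0, int(rc)) if rc is not None else (1, 0)
    return (int(major), int(minor), int(patch or 0), rc_key)


def is_affected(version, introduced=INTRODUCED, fixed=FIXED):
    """True if an upstream kernel at `version` lies inside the affected range.

    A fix keyed to branch (major, minor) applies only to that branch; the
    mainline fix (the highest listed version) applies to every branch that
    received no backport of its own.
    """
    v = parse_kernel_version(version)
    if v < parse_kernel_version(introduced):
        return False
    fixes = {}
    for f in fixed:
        t = parse_kernel_version(f)
        fixes[t[:2]] = t            # keyed by (major, minor) branch
    mainline_fix = max(fixes.values())
    branch_fix = fixes.get(v[:2])
    if branch_fix is not None:
        return v < branch_fix       # branch has its own fix release
    return v < mainline_fix         # no backport on this branch (e.g. EOL)


# Constructed inventory for the example: image name -> kernel package version.
SAMPLE_IMAGES = {
    "base/alpine-kvm:6.12.85": "6.12.85",
    "base/alpine-kvm:6.12.86": "6.12.86",
    "ci/eol-branch:6.13.12": "6.13.12",
    "ci/mainline:7.0.3": "7.0.3-1-custom",
    "ci/mainline:7.1-rc1": "7.1-rc1",
    "legacy/lts:6.1.100": "6.1.100",
}


def flag_images(images=SAMPLE_IMAGES):
    """Return the sorted names of images whose kernel version is affected."""
    return sorted(name for name, ver in images.items() if is_affected(ver))


if __name__ == "__main__":
    for name in flag_images():
        print("VULNERABLE", name)
```

The branch-aware rule is what keeps a naive "is it below the newest fixed version" check from clearing 6.12.86 (which is below 7.1-rc1 but fixed) or from clearing 6.13.12 (which is above 6.12.86 but never received the fix).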
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:H