CVE-2026-52969

Source
https://cve.org/CVERecord?id=CVE-2026-52969
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-52969.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-52969
Downstream
Related
Published
2026-06-24T16:28:48.085Z
Modified
2026-07-11T09:29:26.030071994Z
Severity
  • 7.0 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
KVM: Reject wrapped offset in kvm_reset_dirty_gfn()
Details

In the Linux kernel, the following vulnerability has been resolved:

KVM: Reject wrapped offset in kvmresetdirty_gfn()

kvmresetdirty_gfn() guards the gfn range with

if (!memslot || (offset + __fls(mask)) >= memslot->npages)
    return;

but offset is u64 and the addition is unchecked. The check can be silently bypassed by a u64 wrap.

The dirty ring backing those entries is MAPSHARED at KVMDIRTYLOGPAGEOFFSET of the vcpu fd, so the VMM can rewrite the slot and offset fields of any entry between when the kernel pushes them and when KVMRESETDIRTYRINGS consumes them. On reset, kvmdirtyringreset() re-reads the values via READONCE() and feeds them straight back into this check; only the flags handshake is treated as the handover, the slot/offset payload is taken on trust.

Crafting two entries

entry[i].offset   = 0xffffffffffffffc1
entry[i+1].offset = 0

makes the coalescing loop in kvmdirtyring_reset() compute

delta = (s64)(0 - 0xffffffffffffffc1) = 63

which falls in [0, BITSPERLONG), so it folds entry[i+1] into the existing mask by setting bit 63. The trailing kvmresetdirty_gfn() call then sees offset = 0xffffffffffffffc1 and __fls(mask) = 63; the sum is 0 in u64 and the bounds check passes.

That offset propagates into kvmarchmmuenablelogdirtyptmasked() unchanged. On the legacy MMU path -- kvmmemslotshavermaps() == true, i.e. shadow paging, any VM that has allocated shadow roots, or a write-tracked slot -- it reaches gfntormap(), which indexes slot->arch.rmap[0][] with a near-U64MAX gfn. That is an out-of-bounds load of a kvmrmaphead, followed by a conditional clear of PTWRITABLE_MASK in whatever the loaded pointer points at. The path is reachable from any process holding /dev/kvm.

Range-check offset on its own first, so the addition cannot wrap. memslot->npages is bounded well below U64_MAX, so once offset < npages holds, offset + __fls(mask) (with __fls(mask) < BITSPERLONG) stays in range.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/52xxx/CVE-2026-52969.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
fb04a1eddb1a65b6588a021bdc132270d5ae48bb
Fixed
74f1a22f7a80f03d28ad8551a2d25d563433addf
Fixed
0eb281eb95b2d4eea4db1da5fe91023aecc97095
Fixed
01b71b930f15728aa8599478a7ce90c19dcd9fc2
Fixed
b315b033a877b1ee6d827810b5d7bb4392ffcf8d
Fixed
0d419c23bb11b5c9664de777c47c1f04a235882d
Fixed
ecf9b3ea7847fe14f34b8c41f00de1eb95c747da
Fixed
577a8d3bae0531f0e5ccfac919cd8192f920a804

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-52969.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.209
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.175
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.141
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.91
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.33
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
7.0.10

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-52969.json"