In the Linux kernel, the following vulnerability has been resolved:
KVM: Reject wrapped offset in kvmresetdirty_gfn()
kvmresetdirty_gfn() guards the gfn range with
if (!memslot || (offset + __fls(mask)) >= memslot->npages)
return;
but offset is u64 and the addition is unchecked. The check can be silently bypassed by a u64 wrap.
The dirty ring backing those entries is MAPSHARED at KVMDIRTYLOGPAGEOFFSET of the vcpu fd, so the VMM can rewrite the slot and offset fields of any entry between when the kernel pushes them and when KVMRESETDIRTYRINGS consumes them. On reset, kvmdirtyringreset() re-reads the values via READONCE() and feeds them straight back into this check; only the flags handshake is treated as the handover, the slot/offset payload is taken on trust.
Crafting two entries
entry[i].offset = 0xffffffffffffffc1
entry[i+1].offset = 0
makes the coalescing loop in kvmdirtyring_reset() compute
delta = (s64)(0 - 0xffffffffffffffc1) = 63
which falls in [0, BITSPERLONG), so it folds entry[i+1] into the existing mask by setting bit 63. The trailing kvmresetdirty_gfn() call then sees offset = 0xffffffffffffffc1 and __fls(mask) = 63; the sum is 0 in u64 and the bounds check passes.
That offset propagates into kvmarchmmuenablelogdirtyptmasked() unchanged. On the legacy MMU path -- kvmmemslotshavermaps() == true, i.e. shadow paging, any VM that has allocated shadow roots, or a write-tracked slot -- it reaches gfntormap(), which indexes slot->arch.rmap[0][] with a near-U64MAX gfn. That is an out-of-bounds load of a kvmrmaphead, followed by a conditional clear of PTWRITABLE_MASK in whatever the loaded pointer points at. The path is reachable from any process holding /dev/kvm.
Range-check offset on its own first, so the addition cannot wrap. memslot->npages is bounded well below U64_MAX, so once offset < npages holds, offset + __fls(mask) (with __fls(mask) < BITSPERLONG) stays in range.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/52xxx/CVE-2026-52969.json",
"cna_assigner": "Linux"
}