CVE-2026-53345

Source
https://cve.org/CVERecord?id=CVE-2026-53345
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53345.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-53345
Downstream
Published
2026-07-01T13:32:25.098Z
Modified
2026-07-11T04:04:57.608081459Z
Summary
KVM: Don't WARN if memory is dirtied without a vCPU when the VM is dying
Details

In the Linux kernel, the following vulnerability has been resolved:

KVM: Don't WARN if memory is dirtied without a vCPU when the VM is dying

When marking a page dirty, complain about not having a running/loaded vCPU if and only if the VM is still alive, i.e. its refcount is non-zero. This will allow fixing a memory leak for x86 SEV-ES guests without hitting what is effectively a false positive on the WARN.

For some SEV-ES VM-Exits, KVM keeps a writable mapping of a guest page across an exit to userspace, and typically unmaps the page on the next KVMRUN. But if userspace never calls KVMRUN after such an exit, then KVM needs to unmap the page when the vCPU is destroyed, which in turn triggers the WARN about not having a running vCPU.

Alternatively, SEV-ES could temporarily load the vCPU to suppress the WARN, as is done in nestedvmxfreevcpu() (but for completely unrelated reasons; suppressing WARN from nestedputvmcs12pages() is pure happenstance). But loading a vCPU during destruction is gross (ideally nVMX code would be cleaned up), risks complicating the SEV-ES code (KVM would need to ensure the temporarily load()+put() only runs when the vCPU isn't already loaded), and is ultimately pointless.

The motivation for the WARN is to guard against KVM dirtying guest memory without pushing the corresponding GFN to the active vCPU's dirty ring, e.g. to ensure userspace doesn't miss a dirty page. But for the VM's refcount to reach zero, there can't be any userspace mappings to the dirty ring, as mapping the dirty ring requires doing mmap() on the vCPU FD. I.e. if userspace had a valid mapping for the dirty ring, then the vCPU file and thus the owning VM would still be alive. And so since userspace can't possibly reach the dirty ring, whether or not KVM technically "misses" a push to the dirty ring is irrelevant.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53345.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
2efd61a608b0039911924d2e5d7028eb37496e85
Fixed
033d39e41fc30f484f4e4f37fb4cd76b12cbb18e
Fixed
66a8e7ddd901023c89a2733494d827eca3f9c1b0
Fixed
343e95c8ecc40e0738975ef4ee24c0c35e800e6b
Fixed
99d7d43784ae3235026581e9bf892c036e04c8e6
Fixed
8618004d3e897c0f1b71d9a9ab860461289bb89a

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53345.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.17.0
Fixed
6.6.143
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.94
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.36
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
7.0.13

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53345.json"