KVM: SVM: Set/clear CR8 write interception when AVIC is (de)activated

Summary

CVE	CVE-2026-43483
State	PUBLISHED
Assigner	Linux
Source Priority	CVE Program / NVD first with legacy fallback
Published	2026-05-13 16:16:51 UTC
Updated	2026-05-13 16:16:51 UTC
Description	In the Linux kernel, the following vulnerability has been resolved: KVM: SVM: Set/clear CR8 write interception when AVIC is (de)activated Explicitly set/clear CR8 write interception when AVIC is (de)activated to fix a bug where KVM leaves the interception enabled after AVIC is activated. E.g. if KVM emulates INIT=>WFS while AVIC is deactivated, CR8 will remain intercepted in perpetuity. On its own, the dangling CR8 intercept is "just" a performance issue, but combined with the TPR sync bug fixed by commit d02e48830e3f ("KVM: SVM: Sync TPR from LAPIC into VMCB::V_TPR even if AVIC is active"), the danging intercept is fatal to Windows guests as the TPR seen by hardware gets wildly out of sync with reality. Note, VMX isn't affected by the bug as TPR_THRESHOLD is explicitly ignored when Virtual Interrupt Delivery is enabled, i.e. when APICv is active in KVM's world. I.e. there's no need to trigger update_cr8_intercept(), this is firmly an SVM implementation flaw/detail. WARN if KVM gets a CR8 write #VMEXIT while AVIC is active, as KVM should never enter the guest with AVIC enabled and CR8 writes intercepted. [Squash fix to avic_deactivate_vmcb. - Paolo]

Risk And Classification

EPSS: 0.000320000 probability, percentile 0.097730000 (date 2026-05-28)

Vendor Declared Affected Products

Source	Vendor	Product	Version	Platforms
CNA	Linux	Linux	affected 3bbf3565f48ce3999b5a12cde946f81bd4475312 a4123fe5d9122eef9852e4921f7cc463420f30d4 git	Not specified
CNA	Linux	Linux	affected 3bbf3565f48ce3999b5a12cde946f81bd4475312 816fa1dfae4532e851b1fe6b2434c753ecbd86c7 git	Not specified
CNA	Linux	Linux	affected 3bbf3565f48ce3999b5a12cde946f81bd4475312 01651e7751edbbc0fb4598f8367a3dabcfc8c182 git	Not specified
CNA	Linux	Linux	affected 3bbf3565f48ce3999b5a12cde946f81bd4475312 ba3bca40f9f25c053f69413e5f4a41dd0fd762bf git	Not specified
CNA	Linux	Linux	affected 3bbf3565f48ce3999b5a12cde946f81bd4475312 737410b32bd615b321da4fbeda490351b9af5e8b git	Not specified
CNA	Linux	Linux	affected 3bbf3565f48ce3999b5a12cde946f81bd4475312 87d0f901a9bd8ae6be57249c737f20ac0cace93d git	Not specified
CNA	Linux	Linux	affected 4.7	Not specified
CNA	Linux	Linux	unaffected 4.7 semver	Not specified
CNA	Linux	Linux	unaffected 6.1.167 6.1.* semver	Not specified
CNA	Linux	Linux	unaffected 6.6.130 6.6.* semver	Not specified
CNA	Linux	Linux	unaffected 6.12.78 6.12.* semver	Not specified
CNA	Linux	Linux	unaffected 6.18.19 6.18.* semver	Not specified
CNA	Linux	Linux	unaffected 6.19.9 6.19.* semver	Not specified
CNA	Linux	Linux	unaffected 7.0 * original_commit_for_fix	Not specified

References

Reference	Source	Link	Tags
git.kernel.org/stable/c/a4123fe5d9122eef9852e4921f7cc463420f30d4	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/ba3bca40f9f25c053f69413e5f4a41dd0fd762bf	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/816fa1dfae4532e851b1fe6b2434c753ecbd86c7	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/87d0f901a9bd8ae6be57249c737f20ac0cace93d	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/737410b32bd615b321da4fbeda490351b9af5e8b	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/01651e7751edbbc0fb4598f8367a3dabcfc8c182	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

There are currently no legacy QID mappings associated with this CVE.