{"api_version":"1","generated_at":"2026-06-18T14:32:22+00:00","cve":"CVE-2026-46295","urls":{"html":"https://cve.report/CVE-2026-46295","api":"https://cve.report/api/cve/CVE-2026-46295.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-46295","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-46295"},"summary":{"title":"KVM: x86: Do IRR scan in __kvm_apic_update_irr even if PIR is empty","description":"In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86: Do IRR scan in __kvm_apic_update_irr even if PIR is empty\n\nFall back to apic_find_highest_vector() when PID.ON is set but PIR\nturns out to be empty, to correctly report the highest pending interrupt\nfrom the existing IRR.\n\nIn a nested VM stress test, the following WARNING fires in\nvmx_check_nested_events() when kvm_cpu_has_interrupt() reports a pending\ninterrupt but the subsequent kvm_apic_has_interrupt() (which invokes\nvmx_sync_pir_to_irr() again) returns -1:\n\n WARNING: CPU: 99 PID: 57767 at arch/x86/kvm/vmx/nested.c:4449 vmx_check_nested_events+0x6bf/0x6e0 [kvm_intel]\n Call Trace:\n kvm_check_and_inject_events\n vcpu_enter_guest.constprop.0\n vcpu_run\n kvm_arch_vcpu_ioctl_run\n kvm_vcpu_ioctl\n __x64_sys_ioctl\n do_syscall_64\n entry_SYSCALL_64_after_hwframe\n\nThe root cause is a race between vmx_sync_pir_to_irr() on the target vCPU\nand __vmx_deliver_posted_interrupt() on a sender vCPU. The sender\nperforms two individually-atomic operations that are not a single\ntransaction:\n\n 1. pi_test_and_set_pir(vector) -- sets the PIR bit\n 2. pi_test_and_set_on() -- sets PID.ON\n\nThe following interleaving triggers the bug:\n\n Sender vCPU (IPI): Target vCPU (1st sync_pir_to_irr):\n B1: set PIR[vector]\n A1: pi_clear_on()\n A2: pi_harvest_pir() -> sees B1 bit\n A3: xchg() -> consumes bit, PIR=0\n (1st sync returns correct max_irr)\n B2: set PID.ON = 1\n\n Target vCPU (2nd sync_pir_to_irr):\n C1: pi_test_on() -> TRUE (from B2)\n C2: pi_clear_on() -> ON=0\n C3: pi_harvest_pir() -> PIR empty\n C4: *max_irr = -1, early return\n IRR NOT SCANNED\n\nThe interrupt is not lost (it resides in the IRR from the first sync and\nis recovered on the next vcpu_enter_guest() iteration), but the incorrect\nmax_irr causes a spurious WARNING and a wasted L2 VM-Enter/VM-Exit cycle.","state":"PUBLISHED","assigner":"Linux","published_at":"2026-06-08 17:16:47","updated_at":"2026-06-08 17:16:47"},"problem_types":[],"metrics":[],"references":[{"url":"https://git.kernel.org/stable/c/33fd0ccd2590b470b65adcca288615ad3b5e3e06","name":"https://git.kernel.org/stable/c/33fd0ccd2590b470b65adcca288615ad3b5e3e06","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/4b6b06a8b12bfd95f9015074b1430c1480908073","name":"https://git.kernel.org/stable/c/4b6b06a8b12bfd95f9015074b1430c1480908073","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/bb1703949dcaa9a49c338dee075f659f4634214d","name":"https://git.kernel.org/stable/c/bb1703949dcaa9a49c338dee075f659f4634214d","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-46295","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-46295","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected b41f8638b9d30fbe045b4ef83ff4136c56a57397 bb1703949dcaa9a49c338dee075f659f4634214d git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected b41f8638b9d30fbe045b4ef83ff4136c56a57397 4b6b06a8b12bfd95f9015074b1430c1480908073 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected b41f8638b9d30fbe045b4ef83ff4136c56a57397 33fd0ccd2590b470b65adcca288615ad3b5e3e06 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 6.16","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.16 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.18.30 6.18.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.0.7 7.0.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.1-rc3 * original_commit_for_fix","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"46295","cve":"CVE-2026-46295","epss":"0.000220000","percentile":"0.063970000","score_date":"2026-06-14","updated_at":"2026-06-15 00:14:09"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["arch/x86/kvm/lapic.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"bb1703949dcaa9a49c338dee075f659f4634214d","status":"affected","version":"b41f8638b9d30fbe045b4ef83ff4136c56a57397","versionType":"git"},{"lessThan":"4b6b06a8b12bfd95f9015074b1430c1480908073","status":"affected","version":"b41f8638b9d30fbe045b4ef83ff4136c56a57397","versionType":"git"},{"lessThan":"33fd0ccd2590b470b65adcca288615ad3b5e3e06","status":"affected","version":"b41f8638b9d30fbe045b4ef83ff4136c56a57397","versionType":"git"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["arch/x86/kvm/lapic.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"status":"affected","version":"6.16"},{"lessThan":"6.16","status":"unaffected","version":"0","versionType":"semver"},{"lessThanOrEqual":"6.18.*","status":"unaffected","version":"6.18.30","versionType":"semver"},{"lessThanOrEqual":"7.0.*","status":"unaffected","version":"7.0.7","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"7.1-rc3","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.18.30","versionStartIncluding":"6.16","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.0.7","versionStartIncluding":"6.16","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.1-rc3","versionStartIncluding":"6.16","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86: Do IRR scan in __kvm_apic_update_irr even if PIR is empty\n\nFall back to apic_find_highest_vector() when PID.ON is set but PIR\nturns out to be empty, to correctly report the highest pending interrupt\nfrom the existing IRR.\n\nIn a nested VM stress test, the following WARNING fires in\nvmx_check_nested_events() when kvm_cpu_has_interrupt() reports a pending\ninterrupt but the subsequent kvm_apic_has_interrupt() (which invokes\nvmx_sync_pir_to_irr() again) returns -1:\n\n WARNING: CPU: 99 PID: 57767 at arch/x86/kvm/vmx/nested.c:4449 vmx_check_nested_events+0x6bf/0x6e0 [kvm_intel]\n Call Trace:\n kvm_check_and_inject_events\n vcpu_enter_guest.constprop.0\n vcpu_run\n kvm_arch_vcpu_ioctl_run\n kvm_vcpu_ioctl\n __x64_sys_ioctl\n do_syscall_64\n entry_SYSCALL_64_after_hwframe\n\nThe root cause is a race between vmx_sync_pir_to_irr() on the target vCPU\nand __vmx_deliver_posted_interrupt() on a sender vCPU. The sender\nperforms two individually-atomic operations that are not a single\ntransaction:\n\n 1. pi_test_and_set_pir(vector) -- sets the PIR bit\n 2. pi_test_and_set_on() -- sets PID.ON\n\nThe following interleaving triggers the bug:\n\n Sender vCPU (IPI): Target vCPU (1st sync_pir_to_irr):\n B1: set PIR[vector]\n A1: pi_clear_on()\n A2: pi_harvest_pir() -> sees B1 bit\n A3: xchg() -> consumes bit, PIR=0\n (1st sync returns correct max_irr)\n B2: set PID.ON = 1\n\n Target vCPU (2nd sync_pir_to_irr):\n C1: pi_test_on() -> TRUE (from B2)\n C2: pi_clear_on() -> ON=0\n C3: pi_harvest_pir() -> PIR empty\n C4: *max_irr = -1, early return\n IRR NOT SCANNED\n\nThe interrupt is not lost (it resides in the IRR from the first sync and\nis recovered on the next vcpu_enter_guest() iteration), but the incorrect\nmax_irr causes a spurious WARNING and a wasted L2 VM-Enter/VM-Exit cycle."}],"providerMetadata":{"dateUpdated":"2026-06-08T15:46:22.494Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/bb1703949dcaa9a49c338dee075f659f4634214d"},{"url":"https://git.kernel.org/stable/c/4b6b06a8b12bfd95f9015074b1430c1480908073"},{"url":"https://git.kernel.org/stable/c/33fd0ccd2590b470b65adcca288615ad3b5e3e06"}],"title":"KVM: x86: Do IRR scan in __kvm_apic_update_irr even if PIR is empty","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2026-46295","datePublished":"2026-06-08T15:46:22.494Z","dateReserved":"2026-05-13T15:03:33.110Z","dateUpdated":"2026-06-08T15:46:22.494Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-06-08 17:16:47","lastModifiedDate":"2026-06-08 17:16:47","problem_types":[],"metrics":[],"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"46295","Ordinal":"1","Title":"KVM: x86: Do IRR scan in __kvm_apic_update_irr even if PIR is em","CVE":"CVE-2026-46295","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"46295","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86: Do IRR scan in __kvm_apic_update_irr even if PIR is empty\n\nFall back to apic_find_highest_vector() when PID.ON is set but PIR\nturns out to be empty, to correctly report the highest pending interrupt\nfrom the existing IRR.\n\nIn a nested VM stress test, the following WARNING fires in\nvmx_check_nested_events() when kvm_cpu_has_interrupt() reports a pending\ninterrupt but the subsequent kvm_apic_has_interrupt() (which invokes\nvmx_sync_pir_to_irr() again) returns -1:\n\n WARNING: CPU: 99 PID: 57767 at arch/x86/kvm/vmx/nested.c:4449 vmx_check_nested_events+0x6bf/0x6e0 [kvm_intel]\n Call Trace:\n kvm_check_and_inject_events\n vcpu_enter_guest.constprop.0\n vcpu_run\n kvm_arch_vcpu_ioctl_run\n kvm_vcpu_ioctl\n __x64_sys_ioctl\n do_syscall_64\n entry_SYSCALL_64_after_hwframe\n\nThe root cause is a race between vmx_sync_pir_to_irr() on the target vCPU\nand __vmx_deliver_posted_interrupt() on a sender vCPU. The sender\nperforms two individually-atomic operations that are not a single\ntransaction:\n\n 1. pi_test_and_set_pir(vector) -- sets the PIR bit\n 2. pi_test_and_set_on() -- sets PID.ON\n\nThe following interleaving triggers the bug:\n\n Sender vCPU (IPI): Target vCPU (1st sync_pir_to_irr):\n B1: set PIR[vector]\n A1: pi_clear_on()\n A2: pi_harvest_pir() -> sees B1 bit\n A3: xchg() -> consumes bit, PIR=0\n (1st sync returns correct max_irr)\n B2: set PID.ON = 1\n\n Target vCPU (2nd sync_pir_to_irr):\n C1: pi_test_on() -> TRUE (from B2)\n C2: pi_clear_on() -> ON=0\n C3: pi_harvest_pir() -> PIR empty\n C4: *max_irr = -1, early return\n IRR NOT SCANNED\n\nThe interrupt is not lost (it resides in the IRR from the first sync and\nis recovered on the next vcpu_enter_guest() iteration), but the incorrect\nmax_irr causes a spurious WARNING and a wasted L2 VM-Enter/VM-Exit cycle.","Type":"Description","Title":"KVM: x86: Do IRR scan in __kvm_apic_update_irr even if PIR is em"}]}}}