{"api_version":"1","generated_at":"2026-07-16T16:34:14+00:00","cve":"CVE-2026-53345","urls":{"html":"https://cve.report/CVE-2026-53345","api":"https://cve.report/api/cve/CVE-2026-53345.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-53345","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-53345"},"summary":{"title":"KVM: Don't WARN if memory is dirtied without a vCPU when the VM is dying","description":"In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: Don't WARN if memory is dirtied without a vCPU when the VM is dying\n\nWhen marking a page dirty, complain about not having a running/loaded vCPU\nif and only if the VM is still alive, i.e. its refcount is non-zero.  This\nwill allow fixing a memory leak for x86 SEV-ES guests without hitting what\nis effectively a false positive on the WARN.\n\nFor some SEV-ES VM-Exits, KVM keeps a writable mapping of a guest page\nacross an exit to userspace, and typically unmaps the page on the next\nKVM_RUN.  But if userspace never calls KVM_RUN after such an exit, then KVM\nneeds to unmap the page when the vCPU is destroyed, which in turn triggers\nthe WARN about not having a running vCPU.\n\nAlternatively, SEV-ES could temporarily load the vCPU to suppress the WARN,\nas is done in nested_vmx_free_vcpu() (but for completely unrelated reasons;\nsuppressing WARN from nested_put_vmcs12_pages() is pure happenstance).  But\nloading a vCPU during destruction is gross (ideally nVMX code would be\ncleaned up), risks complicating the SEV-ES code (KVM would need to ensure\nthe temporarily load()+put() only runs when the vCPU isn't already loaded),\nand is ultimately pointless.\n\nThe motivation for the WARN is to guard against KVM dirtying guest memory\nwithout pushing the corresponding GFN to the active vCPU's dirty ring, e.g.\nto ensure userspace doesn't miss a dirty page.  But for the VM's refcount\nto reach zero, there can't be _any_ userspace mappings to the dirty ring,\nas mapping the dirty ring requires doing mmap() on the vCPU FD.  I.e. if\nuserspace had a valid mapping for the dirty ring, then the vCPU file and\nthus the owning VM would still be alive.  And so since userspace can't\npossibly reach the dirty ring, whether or not KVM technically \"misses\" a\npush to the dirty ring is irrelevant.","state":"PUBLISHED","assigner":"Linux","published_at":"2026-07-01 14:16:42","updated_at":"2026-07-14 15:26:52"},"problem_types":[],"metrics":[],"references":[{"url":"https://git.kernel.org/stable/c/8618004d3e897c0f1b71d9a9ab860461289bb89a","name":"https://git.kernel.org/stable/c/8618004d3e897c0f1b71d9a9ab860461289bb89a","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/033d39e41fc30f484f4e4f37fb4cd76b12cbb18e","name":"https://git.kernel.org/stable/c/033d39e41fc30f484f4e4f37fb4cd76b12cbb18e","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/99d7d43784ae3235026581e9bf892c036e04c8e6","name":"https://git.kernel.org/stable/c/99d7d43784ae3235026581e9bf892c036e04c8e6","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/343e95c8ecc40e0738975ef4ee24c0c35e800e6b","name":"https://git.kernel.org/stable/c/343e95c8ecc40e0738975ef4ee24c0c35e800e6b","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/66a8e7ddd901023c89a2733494d827eca3f9c1b0","name":"https://git.kernel.org/stable/c/66a8e7ddd901023c89a2733494d827eca3f9c1b0","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-53345","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-53345","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 2efd61a608b0039911924d2e5d7028eb37496e85 033d39e41fc30f484f4e4f37fb4cd76b12cbb18e git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 2efd61a608b0039911924d2e5d7028eb37496e85 66a8e7ddd901023c89a2733494d827eca3f9c1b0 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 2efd61a608b0039911924d2e5d7028eb37496e85 343e95c8ecc40e0738975ef4ee24c0c35e800e6b git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 2efd61a608b0039911924d2e5d7028eb37496e85 99d7d43784ae3235026581e9bf892c036e04c8e6 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 2efd61a608b0039911924d2e5d7028eb37496e85 8618004d3e897c0f1b71d9a9ab860461289bb89a git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 5.17","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.17 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.6.143 6.6.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.12.94 6.12.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.18.36 6.18.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.0.13 7.0.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.1 * original_commit_for_fix","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"53345","cve":"CVE-2026-53345","epss":"0.001560000","percentile":"0.051980000","score_date":"2026-07-14","updated_at":"2026-07-15 00:14:55"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["virt/kvm/kvm_main.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"033d39e41fc30f484f4e4f37fb4cd76b12cbb18e","status":"affected","version":"2efd61a608b0039911924d2e5d7028eb37496e85","versionType":"git"},{"lessThan":"66a8e7ddd901023c89a2733494d827eca3f9c1b0","status":"affected","version":"2efd61a608b0039911924d2e5d7028eb37496e85","versionType":"git"},{"lessThan":"343e95c8ecc40e0738975ef4ee24c0c35e800e6b","status":"affected","version":"2efd61a608b0039911924d2e5d7028eb37496e85","versionType":"git"},{"lessThan":"99d7d43784ae3235026581e9bf892c036e04c8e6","status":"affected","version":"2efd61a608b0039911924d2e5d7028eb37496e85","versionType":"git"},{"lessThan":"8618004d3e897c0f1b71d9a9ab860461289bb89a","status":"affected","version":"2efd61a608b0039911924d2e5d7028eb37496e85","versionType":"git"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["virt/kvm/kvm_main.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"status":"affected","version":"5.17"},{"lessThan":"5.17","status":"unaffected","version":"0","versionType":"semver"},{"lessThanOrEqual":"6.6.*","status":"unaffected","version":"6.6.143","versionType":"semver"},{"lessThanOrEqual":"6.12.*","status":"unaffected","version":"6.12.94","versionType":"semver"},{"lessThanOrEqual":"6.18.*","status":"unaffected","version":"6.18.36","versionType":"semver"},{"lessThanOrEqual":"7.0.*","status":"unaffected","version":"7.0.13","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"7.1","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.6.143","versionStartIncluding":"5.17","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.12.94","versionStartIncluding":"5.17","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.18.36","versionStartIncluding":"5.17","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.0.13","versionStartIncluding":"5.17","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.1","versionStartIncluding":"5.17","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: Don't WARN if memory is dirtied without a vCPU when the VM is dying\n\nWhen marking a page dirty, complain about not having a running/loaded vCPU\nif and only if the VM is still alive, i.e. its refcount is non-zero.  This\nwill allow fixing a memory leak for x86 SEV-ES guests without hitting what\nis effectively a false positive on the WARN.\n\nFor some SEV-ES VM-Exits, KVM keeps a writable mapping of a guest page\nacross an exit to userspace, and typically unmaps the page on the next\nKVM_RUN.  But if userspace never calls KVM_RUN after such an exit, then KVM\nneeds to unmap the page when the vCPU is destroyed, which in turn triggers\nthe WARN about not having a running vCPU.\n\nAlternatively, SEV-ES could temporarily load the vCPU to suppress the WARN,\nas is done in nested_vmx_free_vcpu() (but for completely unrelated reasons;\nsuppressing WARN from nested_put_vmcs12_pages() is pure happenstance).  But\nloading a vCPU during destruction is gross (ideally nVMX code would be\ncleaned up), risks complicating the SEV-ES code (KVM would need to ensure\nthe temporarily load()+put() only runs when the vCPU isn't already loaded),\nand is ultimately pointless.\n\nThe motivation for the WARN is to guard against KVM dirtying guest memory\nwithout pushing the corresponding GFN to the active vCPU's dirty ring, e.g.\nto ensure userspace doesn't miss a dirty page.  But for the VM's refcount\nto reach zero, there can't be _any_ userspace mappings to the dirty ring,\nas mapping the dirty ring requires doing mmap() on the vCPU FD.  I.e. if\nuserspace had a valid mapping for the dirty ring, then the vCPU file and\nthus the owning VM would still be alive.  And so since userspace can't\npossibly reach the dirty ring, whether or not KVM technically \"misses\" a\npush to the dirty ring is irrelevant."}],"providerMetadata":{"dateUpdated":"2026-07-10T11:53:49.955Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/033d39e41fc30f484f4e4f37fb4cd76b12cbb18e"},{"url":"https://git.kernel.org/stable/c/66a8e7ddd901023c89a2733494d827eca3f9c1b0"},{"url":"https://git.kernel.org/stable/c/343e95c8ecc40e0738975ef4ee24c0c35e800e6b"},{"url":"https://git.kernel.org/stable/c/99d7d43784ae3235026581e9bf892c036e04c8e6"},{"url":"https://git.kernel.org/stable/c/8618004d3e897c0f1b71d9a9ab860461289bb89a"}],"title":"KVM: Don't WARN if memory is dirtied without a vCPU when the VM is dying","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2026-53345","datePublished":"2026-07-01T13:32:25.098Z","dateReserved":"2026-06-09T07:44:35.399Z","dateUpdated":"2026-07-10T11:53:49.955Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-07-01 14:16:42","lastModifiedDate":"2026-07-14 15:26:52","problem_types":[],"metrics":[],"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"53345","Ordinal":"1","Title":"KVM: Don't WARN if memory is dirtied without a vCPU when the VM ","CVE":"CVE-2026-53345","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"53345","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: Don't WARN if memory is dirtied without a vCPU when the VM is dying\n\nWhen marking a page dirty, complain about not having a running/loaded vCPU\nif and only if the VM is still alive, i.e. its refcount is non-zero.  This\nwill allow fixing a memory leak for x86 SEV-ES guests without hitting what\nis effectively a false positive on the WARN.\n\nFor some SEV-ES VM-Exits, KVM keeps a writable mapping of a guest page\nacross an exit to userspace, and typically unmaps the page on the next\nKVM_RUN.  But if userspace never calls KVM_RUN after such an exit, then KVM\nneeds to unmap the page when the vCPU is destroyed, which in turn triggers\nthe WARN about not having a running vCPU.\n\nAlternatively, SEV-ES could temporarily load the vCPU to suppress the WARN,\nas is done in nested_vmx_free_vcpu() (but for completely unrelated reasons;\nsuppressing WARN from nested_put_vmcs12_pages() is pure happenstance).  But\nloading a vCPU during destruction is gross (ideally nVMX code would be\ncleaned up), risks complicating the SEV-ES code (KVM would need to ensure\nthe temporarily load()+put() only runs when the vCPU isn't already loaded),\nand is ultimately pointless.\n\nThe motivation for the WARN is to guard against KVM dirtying guest memory\nwithout pushing the corresponding GFN to the active vCPU's dirty ring, e.g.\nto ensure userspace doesn't miss a dirty page.  But for the VM's refcount\nto reach zero, there can't be _any_ userspace mappings to the dirty ring,\nas mapping the dirty ring requires doing mmap() on the vCPU FD.  I.e. if\nuserspace had a valid mapping for the dirty ring, then the vCPU file and\nthus the owning VM would still be alive.  And so since userspace can't\npossibly reach the dirty ring, whether or not KVM technically \"misses\" a\npush to the dirty ring is irrelevant.","Type":"Description","Title":"KVM: Don't WARN if memory is dirtied without a vCPU when the VM "}]}}}