CVE-2026-46032: Linux Kernel KVM: nSVM VMEXIT host state corruption
AWAITING NVD
CVE-2026-46032 is a Linux kernel KVM/AMD-V vulnerability where a failed CR3 restoration during a nested hypervisor exit leaves the host VM running with corrupted page table state rather than triggering the expected hardware shutdown — a silent failure that is far more dangerous than an overt crash. For CISOs operating AI training clusters, multi-tenant inference endpoints, or cloud-hosted AI pipelines on KVM-based infrastructure, the threat is a potential guest-to-host escape: an attacker with code execution inside a nested VM could manipulate host memory or cause cascading failures across all co-located AI workloads. No CVSS score has been assigned, the CVE is not in CISA KEV, and no public exploit exists, keeping immediate urgency moderate — but nested virtualization is ubiquitous in AI compute environments, widening the potential blast radius. Mitigate by applying the upstream kernel patch commits referenced in the advisory; if nested SVM is not operationally required, disable it immediately via `kvm-amd.nested=0`.
What is the risk?
Medium risk for AI infrastructure operators. Exploitation requires prior code execution within a nested VM (L2 guest), which limits opportunistic attack surface but is realistic in shared AI compute environments. The absence of CVSS data, KEV listing, and public exploits reduces immediate urgency. However, successful exploitation targets the hypervisor layer itself — affecting isolation boundaries that protect all co-located AI workloads. Cloud-hosted AI training and inference deployments where multiple tenants share KVM hosts represent the highest-risk configurations.
What should I do?
1. Apply the upstream kernel patches: https://git.kernel.org/stable/c/5d291ef0585ed880ed4dd71ea1a5965e0a65fb53 and https://git.kernel.org/stable/c/9a738cf170a4a2332ea3a15e23ec65b5757fe4a1 — track your distro's advisory for packaged kernel updates.
2. If nested virtualization is not required, disable it immediately: add `options kvm-amd nested=0` to `/etc/modprobe.d/kvm-amd.conf` and reload the module.
3. Audit all KVM hosts running AI workloads for nested SVM exposure — query with `cat /sys/module/kvm_amd/parameters/nested`.
4. Enforce strict tenant isolation at the physical host level for multi-tenant AI inference environments until patched.
5. Monitor kernel logs for unexpected VMEXIT errors or hypervisor panics that could indicate exploitation attempts.
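A host-side audit covering the disable and audit steps above, as an added example that is not part of the original advisory; the function names and fixture layout are illustrative assumptions. It also flags the half-applied case where `nested=0` is in modprobe.d but the running module still has nesting enabled because it was never reloaded.

```shell
#!/bin/sh
# Added example: audit one KVM host for nested SVM exposure.
# Paths are arguments so the logic can run against fixture files.

# Print enabled | disabled | not-loaded | unknown for the live module parameter.
nested_state() {
    [ -r "$1" ] || { echo not-loaded; return 0; }
    case "$(tr -d '[:space:]' < "$1")" in
        1|Y|y) echo enabled ;;    # int parameters read 1/0, bool ones Y/N
        0|N|n) echo disabled ;;
        *)     echo unknown ;;
    esac
}

# Succeed if an uncommented modprobe.d line sets nested=0 for kvm-amd
# (modprobe treats '-' and '_' in module names as the same character).
persistent_disable() {
    grep -Eqs '^[[:space:]]*options[[:space:]]+kvm[-_]amd[[:space:]]+([^#]*[[:space:]])?nested=0([[:space:]]|$)' \
        "$1"/*.conf
}

# Print a verdict; return 1 when nested SVM is live on this host.
audit_host() {
    state=$(nested_state "$1")
    if persistent_disable "$2"; then persist=yes; else persist=no; fi
    case "$state:$persist" in
        enabled:yes)  echo "EXPOSED: nested=0 configured but module not reloaded"; return 1 ;;
        enabled:no)   echo "EXPOSED: nested SVM enabled"; return 1 ;;
        disabled:yes) echo "OK: nested SVM disabled and persistent" ;;
        disabled:no)  echo "WARN: disabled now, but no modprobe.d entry" ;;
        not-loaded:*) echo "OK: kvm_amd not loaded (persistent disable: $persist)" ;;
        *)            echo "UNKNOWN: unexpected parameter value"; return 2 ;;
    esac
}

# Constructed fixtures: a host where the config was edited but kvm_amd
# was never reloaded, which is the gap in a half-applied mitigation.
demo() {
    d=$(mktemp -d)
    mkdir "$d/modprobe.d"
    echo 1 > "$d/nested"
    echo 'options kvm-amd nested=0' > "$d/modprobe.d/kvm-amd.conf"
    audit_host "$d/nested" "$d/modprobe.d"; rc=$?
    rm -rf "$d"
    return "$rc"
}
demo || true
# On a real host: audit_host /sys/module/kvm_amd/parameters/nested /etc/modprobe.d
```

The non-zero exit status on an exposed host lets the function gate a fleet-wide compliance job.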
Frequently Asked Questions
Is CVE-2026-46032 actively exploited?
No confirmed active exploitation of CVE-2026-46032 has been reported, but organizations should still patch proactively.
What systems are affected by CVE-2026-46032?
This vulnerability affects the following AI/ML architecture patterns: AI training clusters on KVM hypervisors, Multi-tenant AI inference serving, Nested virtualization environments, Cloud-hosted AI/ML pipelines.
What is the CVSS score for CVE-2026-46032?
No CVSS score has been assigned yet.
AI Security Impact
MITRE ATLAS Techniques
AML.T0105 Escape to Host
AML.T0112 Machine Compromise
Technical Details
Original Advisory
In the Linux kernel, the following vulnerability has been resolved:

KVM: nSVM: Triple fault if restore host CR3 fails on nested #VMEXIT

If loading L1's CR3 fails on a nested #VMEXIT, nested_svm_vmexit() returns an error code that is ignored by most callers, and continues to run L1 with corrupted state. A sane recovery is not possible in this case, and HW behavior is to cause a shutdown. Inject a triple fault instead, and do not return early from nested_svm_vmexit(). Continue cleaning up the vCPU state (e.g. clear pending exceptions), to handle the failure as gracefully as possible.

From the APM:

    Upon #VMEXIT, the processor performs the following actions in order to return to the host execution context:

    ...
    if (illegal host state loaded, or exception while loading host state)
        shutdown
    else
        execute first host instruction following the VMRUN

Remove the return value of nested_svm_vmexit(), which is mostly unchecked anyway.
Exploitation Scenario
An adversary with initial code execution inside a nested VM (L2 guest) on a KVM host — achieved via a compromised AI service container, a vulnerable model inference endpoint, or stolen tenant credentials — deliberately triggers AMD-V VMEXIT conditions that cause CR3 restoration to fail. Before the patch, the kernel's `nested_svm_vmexit()` ignores the error return and continues L1 host execution with a corrupted page table base register. The attacker exploits the corrupted CR3 to read or write arbitrary host memory, potentially injecting code into the hypervisor, escalating to host-level privileges, or forcing a kernel panic that terminates all AI workloads on the host — including model training jobs with hours of accumulated state.
Related Vulnerabilities
CVE-2024-2912 10.0 BentoML: RCE via insecure deserialization (CVSS 10)
Same attack type: Code Execution
CVE-2026-21858 10.0 n8n: Input Validation flaw enables exploitation
Same attack type: Code Execution
CVE-2025-5120 10.0 smolagents: sandbox escape enables unauthenticated RCE
Same attack type: Code Execution
CVE-2025-59528 10.0 Flowise: Unauthenticated RCE via MCP config injection
Same attack type: Code Execution
GHSA-vvpj-8cmc-gx39 10.0 picklescan: security flaw enables exploitation
Same attack type: Code Execution