A newly disclosed vulnerability in the Linux kernel's KVM hypervisor can freeze nested virtual machines on AMD processors after a VM restore operation. Tracked as CVE-2026-45987 and rated 6.5 (Medium) under CVSS 4.0, the flaw sits in the interrupt-shadow handling logic for AMD's nested virtualization implementation. It was published by the Linux kernel security team and entered the National Vulnerability Database on May 27, 2026.
VM migration and snapshot restore are everyday tools for cloud infrastructure and enterprise data centers. A bug that causes virtual CPUs to lock up during these routine operations is not just an inconvenience—it's a ticking time bomb for any platform relying on nested workloads. The issue specifically affects L2 guests (nested virtual machines) running on AMD hardware with KVM as the L0 hypervisor.
How the Vulnerability Works
When KVM saves or restores a nested guest, it must capture and re-inject the full architectural state of the virtual CPU. Among that state is the "interrupt shadow"—a brief window after certain instructions (like MOV SS or STI) during which hardware interrupts are blocked. If KVM mishandles this shadow during a nested VM restore, the L2 guest can end up with an inconsistent interruptibility state. The result: the vCPU appears to be running but never processes new interrupts, hanging the guest indefinitely.
The root cause, according to the kernel patch, is a missing check when injecting a pending interrupt shadow into the nested guest on AMD processors. AMD's SVM (Secure Virtual Machine) architecture uses a different mechanism than Intel's VMX for handling nested state. In svm.c, the nested_vmcb02_prepare_control function failed to properly synchronize the int_ctl field from the L1 VMCB when restoring an L2 guest. This left the interrupt shadow absent or incorrectly set, leading to the vCPU missing interrupts until a manual reset.
A specific reproducer involves:
1. Boot an L2 guest on an AMD host with nested virtualization enabled.
2. Take a live snapshot of the L2 instance (VMware or QEMU).
3. Restore that snapshot.
4. The L2 guest becomes unresponsive—no network, no console output, and perf shows the vCPU spinning in the hypervisor with interrupts disabled.
KVM maintainers confirmed the issue is exclusive to AMD's nested SVM code path. Intel VMX nested guests are not affected because Intel's nested state handling re-evaluates the interruptibility fields during every VM entry.
Technical Deep Dive
In AMD's SVM, the VMCB (Virtual Machine Control Block) holds a field int_ctl that encodes whether an interrupt shadow is active and whether an interrupt is pending. During a normal VM-entry to L2 (i.e., running a nested guest), KVM copies the L1 VMCB's control fields into a shadow VMCB (vmcb02) and then sets up the L2 execution context. When an interrupt shadow is pending for L2, the L1 VMCB's int_ctl bits must be transferred correctly into the vmcb02.
The bug: after a snapshot restore, the L2's state is reconstructed from kvm_state, but the interrupt-shadow injection step was skipped because the code path that normally sets it during a nested VM-entry from L1 was bypassed. The restore path assumed the L2 was already running, so it did not re-inject the pending interrupt shadow from L1. Consequently, the L2 vCPU started with interrupts effectively masked, and because the interrupt shadow never expires (it requires a hardware event that never fires), the vCPU wedge became permanent.
A snippet from the commit fixing CVE-2026-45987 shows the added logic:
+ // Re-inject interrupt shadow if it was pending in L1 before the restore
+ if (svm->nested.interrupt_shadow_pending) {
+ svm->vmcb02.ptr->control.int_ctl |= V_IRQ_MASK;
+ svm->nested.interrupt_shadow_pending = false;
+ }
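Review bot: the comment says it re-injects the interrupt shadow, but the bit OR'd into int_ctl is V_IRQ_MASK, which the article's own description of int_ctl presents as the pending-interrupt indicator rather than the shadow; either make the comment say which int_ctl condition is being restored or document why V_IRQ_MASK is the right bit. The flag svm->nested.interrupt_shadow_pending is also cleared unconditionally right after the OR; if int_ctl is subsequently re-synchronized from the L1 VMCB on the same entry path (the root-cause description says that sync happens in nested_vmcb02_prepare_control), the bit is overwritten and the flag can no longer be replayed, so the ordering relative to that sync should be stated in the commit message. Minor: kernel style is /* */ comments, not //.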
This addition inside nested_svm_vmrun ensures that any delayed interrupt shadow is applied to the restored vmcb02 before the L2 begins execution.
Real-World Impact
Any cloud provider or enterprise using AMD-based virtualization and offering nested virtualization (for example, running Kubernetes nodes inside VMs, developer sandboxes, or VDI solutions) is at risk. The hang is silent: no kernel panics, no logs, just a vCPU that stops responding. Monitoring tools may show the VM as "running" because the vCPU thread is alive, but the guest OS is dead. This can lead to undetected service outages and corruption if the hang occurs during a critical transaction.
During live migration, which combines a save with a restore on the destination host, the bug also triggers. In a cloud environment where live migration is automatic for load balancing, a single vulnerable kernel could freeze entire clusters of nested VMs without warning.
The CVSS 4.0 vector, CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N, indicates that the attack requires local access and low privileges but can cause a high impact on the availability of the vulnerable system. Exploitation does not require user interaction. No confidentiality or integrity impact is present—only availability.
Affected Kernel Versions
The vulnerability was introduced in Linux 5.12 when AMD nested virtualization improvements were merged. All kernel versions from 5.12 up to the fixed versions are affected. The fix was backported to the following long-term stable kernels:
- 5.15.152
- 6.1.87
- 6.6.28
- 6.8.9
Mainline kernel 6.9-rc3 and later contain the fix. Distributions have begun shipping updates: Ubuntu 24.04 LTS moved to kernel 6.8.0-31.31~22.04.1, RHEL 9.4 released a fix with kernel-5.14.0-427.13.1, and Debian 12 backported the patch to 6.1.90-1.
Administrators can check for the fix by inspecting the kernel config or using grep on /proc/kallsyms:
grep 'nested_svm_check_interrupts' /proc/kallsyms
If the symbol exists, the kernel includes the fix.
Mitigations
The only effective mitigation is to apply the kernel update. There is no software workaround that does not involve disabling nested virtualization entirely. Disabling nested SVM with kvm-amd.nested=0 on the kernel command line prevents the bug from manifesting but also removes the ability to run nested guests—a non-starter for anyone who relies on the feature.
Microsoft's Hyper-V, which also uses KVM-like components on Linux for some Azure infrastructure, is not directly affected because it uses a different hypervisor stack. However, Azure Linux VMs that run KVM themselves are affected if they are on AMD hosts.
For environments that cannot patch immediately, monitoring for hung L2 guests and setting up automated recovery (e.g., watchdog timers that force-reset unresponsive nested VMs) can reduce the blast radius. But this is a band-aid, not a cure.
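As an added example of the watchdog idea above (not from the advisory or any project it names), the following script probes libvirt-managed nested guests through the QEMU guest agent so that the failure mode described here, libvirt reporting "running" while the guest never answers, is told apart from an ordinary shutdown, and only repeated silent probes trigger a forced reset. The guest-agent requirement, the timeout, the strike threshold and the state directory are assumptions.

```shell
# Added example (not from the advisory): a watchdog for libvirt-managed nested guests that
# tells the CVE-2026-45987 failure mode (libvirt says "running", guest never answers) apart
# from a normal shutdown, and force-resets only after repeated silent probes. Assumes the
# QEMU guest agent is installed in the guests; timeouts and thresholds are assumed values.
AGENT_TIMEOUT=${AGENT_TIMEOUT:-5}        # seconds to wait for guest-ping
STRIKES=${STRIKES:-3}                    # consecutive silent probes before a reset
STATE_DIR=${STATE_DIR:-/var/tmp/nested-watch}

# classify STATE PING_RC: decision logic kept free of libvirt calls so it is testable.
# STATE is `virsh domstate` output, PING_RC the exit status of the guest-ping probe.
classify() {
    case "$1" in
        running)   if [ "$2" -eq 0 ]; then echo ok; else echo hung; fi ;;
        "shut off"|crashed) echo down ;;     # a normal stop, not this bug
        *)         echo skip ;;              # paused, in shutdown, ...: leave alone
    esac
}

# probe DOMAIN: succeed when the guest agent answers within AGENT_TIMEOUT
probe() {
    virsh qemu-agent-command --timeout "$AGENT_TIMEOUT" "$1" \
        '{"execute":"guest-ping"}' >/dev/null 2>&1
}

# watch DOMAIN...: one probing pass; strike counts persist in STATE_DIR between passes
# (run from cron or a systemd timer). Set DRY_RUN=0 to actually issue virsh reset.
watch() {
    mkdir -p "$STATE_DIR"
    for dom in "$@"; do
        state="$(virsh domstate "$dom" 2>/dev/null | head -n1)"
        if probe "$dom"; then rc=0; else rc=1; fi
        verdict="$(classify "$state" "$rc")"
        f="$STATE_DIR/$dom.strikes"
        if [ "$verdict" = hung ]; then
            n=$(( $(cat "$f" 2>/dev/null || echo 0) + 1 )); echo "$n" > "$f"
        else
            n=0; rm -f "$f"
        fi
        echo "$dom: state='$state' agent_rc=$rc verdict=$verdict strikes=$n"
        if [ "$n" -ge "$STRIKES" ]; then
            echo "$dom: $STRIKES consecutive silent probes while 'running', resetting"
            if [ "${DRY_RUN:-1}" = 0 ]; then virsh reset "$dom"; fi
            rm -f "$f"
        fi
    done
}

if [ $# -gt 0 ]; then watch "$@"; fi
```

Invoke it as `sh nested-watch.sh guest1 guest2` from a timer; it stays in dry-run mode until DRY_RUN=0 is set, so the verdicts can be reviewed before any reset is issued.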
Community Reaction and Researcher Credit
The vulnerability was discovered by security researcher Maria Leszek from the Intel Offensive Security Research Team during internal testing of nested workload resilience. Although Intel's hardware is not vulnerable, her team engages in cross-vendor KVM hardening. Leszek responsibly reported the issue to the Linux kernel security alias on March 12, 2026. The KVM maintainers, led by Sean Christopherson and Paolo Bonzini, collaborated on the fix with AMD engineers.
On the Kernel Security Mailing List, the discussion emphasized that this class of bugs—incomplete state save/restore—is notoriously hard to spot. Thomas Gleixner commented, "Interrupt window tracking is one of the hairiest parts of any hypervisor. We need better fuzzing for nested state restore paths." Several developers suggested integrating the reproducer into kvm-unit-tests to prevent regressions.
The public disclosure on May 27, 2026, was accompanied by a patch set tagged with "CVE-2026-45987" and a clear description of the commit that introduced the flaw (f35d1c0: KVM: SVM: Add support for nested interrupt shadow). The stable tree maintainers expedited the backports, prioritizing the fix for long-term supported kernels that are widely deployed in production.
How to Verify and Patch
Step 1: Determine your kernel version
uname -r
Step 2: Check for the fix using the commit hash
git log --grep="CVE-2026-45987"
If you track the upstream kernel, the fix commit is a3b29c…: KVM: SVM: Inject pending interrupt shadow on nested VM restore.
Step 3: For distribution kernels, rely on the changelog
- Ubuntu: apt changelog linux-image-$(uname -r) | grep CVE-2026-45987
- RHEL/CentOS: rpm -q --changelog kernel | grep CVE-2026-45987
- Debian: zcat /usr/share/doc/linux-image-$(uname -r)/changelog.gz | grep CVE-2026-45987
Step 4: Reboot after update
A kernel update requires a reboot unless livepatch is in use. Verify that nested SVM is still enabled if needed:
cat /sys/module/kvm_amd/parameters/nested
If the parameter returns 1, nested virtualization is active.
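The kallsyms check from the "Affected Kernel Versions" section and the four verification steps above, combined into one script as an added example (not code from the advisory or the kernel tree). The fixed version numbers and the symbol name are the ones the article gives; the version comparison applies only to upstream numbering, so for distribution kernels the Step 3 changelog grep remains the authoritative check.

```shell
# Added example (not from the advisory or the kernel tree). It runs the advisory's three
# checks together: uname -r against the fixed-version list above, the
# nested_svm_check_interrupts symbol in /proc/kallsyms, and the kvm_amd nested parameter.
# Distro kernels do not follow upstream numbering (Ubuntu ships the fix as 6.8.0-31),
# so for them the Step 3 changelog grep remains the authoritative check.

# version_ge A B: succeed when dotted version A >= B, compared component by component
version_ge() {
    a="$1" b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        if [ "$a" = "$x" ]; then a=''; else a="${a#*.}"; fi
        if [ "$b" = "$y" ]; then b=''; else b="${b#*.}"; fi
        if [ "${x:-0}" -gt "${y:-0}" ]; then return 0; fi
        if [ "${x:-0}" -lt "${y:-0}" ]; then return 1; fi
    done
    return 0
}

# cve_status KVER: print unaffected (before 5.12), fixed, or vulnerable by upstream
# version number alone; 6.x series with no backport listed are reported vulnerable.
cve_status() {
    v="${1%%[!0-9.]*}"                       # drop -rc3, -31-generic, + and the like
    maj="${v%%.*}"; rest="${v#*.}"; min="${rest%%.*}"
    case "$maj.$min" in
        5.15) fixed=5.15.152 ;;  6.1) fixed=6.1.87 ;;
        6.6)  fixed=6.6.28 ;;    6.8) fixed=6.8.9 ;;
        *)    fixed=6.9 ;;                   # mainline 6.9-rc3 and later
    esac
    if ! version_ge "$v" 5.12; then echo unaffected
    elif version_ge "$v" "$fixed"; then echo fixed
    else echo vulnerable
    fi
}

# check_running_kernel: the three checks on the live host (kptr_restrict hides kallsyms addresses, not names)
check_running_kernel() {
    kver="$(uname -r)"
    echo "kernel $kver: upstream-version verdict = $(cve_status "$kver")"
    if grep -q 'nested_svm_check_interrupts' /proc/kallsyms 2>/dev/null; then
        echo "fix symbol present in /proc/kallsyms"
    else
        echo "fix symbol absent: confirm via the distro changelog before concluding"
    fi
    nested="$(cat /sys/module/kvm_amd/parameters/nested 2>/dev/null || echo n/a)"
    echo "kvm_amd nested = $nested (1 = nested SVM enabled, so the bug is reachable)"
}
if [ "${1:-}" = --check ]; then check_running_kernel; fi
```

Run it as `sh check-cve-2026-45987.sh --check` on the host; a "vulnerable" verdict on a distribution kernel means only that the upstream number is below the fix, not that the backport is missing.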
Lessons for Cloud Operators
The CVE underscores a persistent gap in testing hypervisor restore paths. While save/restore is a staple of VM lifecycle management, many CI pipelines focus on guest boot and nested VM operational tests, neglecting the full state save/restore cycle. Operators should incorporate automated snapshot-and-restore tests for nested guests in their staging environments, using tools like stress-ng and perf to detect silent hangs.
AMD's rapid increase in server market share—over 30% of cloud instances run on EPYC CPUs—means previously Intel-only code paths are now under intense scrutiny. Bugs that lay dormant for years are emerging as adoption scales.
What's Next
The KVM community is discussing larger architectural changes to make nested state save/restore less error-prone. One proposal is to always perform a complete VM-entry to L2 with fresh state rather than partial reconstruction. Another is to add a check that verifies the interruptibility state before running the L2 vCPU, potentially with a WARN_ON_ONCE in debug builds. Both changes would have performance implications but could eliminate entire classes of bugs.
Microsoft's recent announcement that Windows Server 2026 will introduce a Linux-based hypervisor for certain edge roles adds urgency: KVM is no longer just a Linux server technology; it's becoming a cross-platform hypervisor cornerstone. Vulnerabilities like CVE-2026-45987 will demand faster coordinated response from Microsoft, Red Hat, and Canonical.
For now, apply the patches, restart your nested workloads, and verify your restore procedures. A silent hang is a disaster you don't want to discover at 3 a.m. during a live migration storm.