A newly published Linux kernel vulnerability, CVE-2026-46076, concerns a critical flaw in the Kernel-based Virtual Machine (KVM) hypervisor’s handling of nested virtualization on AMD processors. The flaw, disclosed on May 27, 2026, by the kernel.org security team and catalogued by the National Vulnerability Database (NVD), involves improper routing of the VMMCALL hypercall instruction when AMD Secure Virtual Machine (SVM) nested paging is active. Attackers with control over a nested guest virtual machine could exploit this to cause unexpected behavior in the hypervisor stack, potentially escalating privileges or leaking sensitive data from the host or other guests.
KVM administrators running nested virtualization on AMD hardware should update their kernels immediately. The flaw highlights the complexities of nested virtualization security and the need for rigorous hypercall filtering in multi-level hypervisor designs. For Windows users and administrators who rely on KVM-based infrastructure—whether in homelabs, cloud deployments, or enterprise environments—this vulnerability underscores the importance of tracking Linux security updates even when managing primarily Windows workloads.
Technical Breakdown
CVE-2026-46076 resides in the KVM module’s SVM nested virtualization code. When KVM acts as a level-0 (L0) hypervisor and hosts a level-1 (L1) hypervisor as a guest, the L1 hypervisor may in turn run its own guests (L2). In such a nested setup, the L0 hypervisor must emulate certain privileged instructions that the L1 hypervisor expects to handle itself, but which must actually be intercepted and managed by L0 to ensure correct and secure operation.
Among these instructions is VMMCALL, an AMD-specific hypercall used by a guest to request services from the hypervisor. Under normal (non-nested) virtualization, VMMCALL trapped by KVM is handled directly by the L0 hypervisor. In a nested environment, however, the L1 hypervisor expects to intercept VMMCALLs coming from its own guests (L2). The L0 hypervisor must therefore decide whether to handle the VMMCALL itself or inject it into the L1 hypervisor for processing. The vulnerability arose because KVM’s decision logic for this injection was flawed under certain conditions.
The VMMCALL Instruction and Nested Virtualization
The VMMCALL instruction triggers a VM exit, handing control to the hypervisor. On AMD SVM, a hypervisor can configure the processor to intercept VMMCALLs and define which exit code to use. In nested virtualization, KVM uses nested_svm_vmexit() to process exits while the L2 guest is running. When an L2 guest executes VMMCALL, the exit is first caught by L0. If the nested configuration indicates that L1 wants to intercept VMMCALL, KVM should inject a nested VM exit into the L1 guest, simulating what would have occurred if L1 were running directly on hardware.
The bug caused KVM to mishandle specific cases where the L1 hypervisor’s intercept bit for VMMCALL was set but the exit reason was not correctly mapped to the nested exit code. This could result in the L1 hypervisor receiving an invalid or unexpected exit reason, or the VMMCALL being dropped entirely. The root cause was a missing is_guest_mode() check in the VMMCALL handler, leading either to a premature exit or to direct handling by L0 that bypassed L1’s intended policy.
Security Impact and Risk Assessment
The NVD entry for CVE-2026-46076 did not immediately assign a CVSS score, but the nature of the flaw suggests a high severity rating when combined with other vulnerabilities. An attacker in control of an L2 guest could craft a malicious VMMCALL that triggers the misrouting. Depending on the L1 hypervisor’s configuration, this could lead to:
- Hypervisor confusion: L1 receives incorrect state, potentially crashing or causing undefined behavior. In a worst case, this could be leveraged to escape the nested sandbox.
- Information disclosure: If the misrouted VMMCALL causes L0 to leak data intended only for L1, a nested attacker might read sensitive content from the L1 hypervisor’s memory.
- Privilege escalation: Combined with other bugs, incorrect exit injection could allow an L2 guest to interact with L0 resources directly, bypassing L1 security controls.
Proof-of-concept code was not publicly released at the time of disclosure, but the kernel.org security advisory recommended immediate patching. The fix, committed to the mainline Linux kernel, ensures that when is_guest_mode(vcpu) is true, the VMMCALL exit is correctly injected into the L1 hypervisor with the proper nested exit reason SVM_EXIT_VMMCALL. The patch also adds sanity checks to prevent similar routing errors for other hypercalls.
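The routing decision described in the two preceding sections (the missing is_guest_mode() check, and the fix that reflects the exit into L1 with SVM_EXIT_VMMCALL) is easier to reason about as a small model. The program below is an added illustration and is not the Linux kernel’s code: struct vmmcall_ctx, route_vmmcall_buggy(), route_vmmcall_fixed() and count_routing_divergences() are invented for the example, and the "buggy" variant is a deliberate simplification of the defect (L0 services the hypercall without consulting guest mode). SVM_EXIT_VMMCALL is the real AMD SVM exit code for an intercepted VMMCALL, and is_guest_mode() carries the meaning of the real KVM helper, "this vCPU is currently running an L2 guest".

```c
/* Added illustrative model of the VMMCALL routing decision; NOT kernel code.
 * struct vmmcall_ctx and the route_* functions are invented for the example. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define SVM_EXIT_VMMCALL 0x081u   /* AMD SVM exit code for an intercepted VMMCALL */

/* Where L0 decides a VMMCALL should go. */
enum vmmcall_route {
    ROUTE_L0_HANDLES,      /* L0 services the hypercall itself */
    ROUTE_REFLECT_TO_L1,   /* L0 injects a nested #VMEXIT into L1 */
};

/* Constructed stand-in for the state the handler consults. */
struct vmmcall_ctx {
    bool guest_mode;             /* true while an L2 guest runs on this vCPU */
    bool l1_intercepts_vmmcall;  /* L1 set the VMMCALL intercept for its L2 guest */
    uint32_t injected_exit_code; /* exit code delivered to L1 when reflecting */
};

static bool is_guest_mode(const struct vmmcall_ctx *ctx) { return ctx->guest_mode; }

/* Buggy routing (simplified model of the defect): the handler never asks
 * whether an L2 guest is running, so a VMMCALL that L1 asked to intercept is
 * serviced by L0 directly and L1's policy is bypassed. */
enum vmmcall_route route_vmmcall_buggy(struct vmmcall_ctx *ctx) {
    ctx->injected_exit_code = 0;
    return ROUTE_L0_HANDLES;
}

/* Fixed routing: in guest mode, honour L1's intercept bit and reflect the exit
 * with the nested exit reason SVM_EXIT_VMMCALL; otherwise (L1's own hypercall,
 * or L1 chose not to intercept) L0 handles it. */
enum vmmcall_route route_vmmcall_fixed(struct vmmcall_ctx *ctx) {
    if (is_guest_mode(ctx) && ctx->l1_intercepts_vmmcall) {
        ctx->injected_exit_code = SVM_EXIT_VMMCALL;
        return ROUTE_REFLECT_TO_L1;
    }
    ctx->injected_exit_code = 0;
    return ROUTE_L0_HANDLES;
}

/* Audit helper: count the (guest_mode, intercept) combinations where the buggy
 * decision diverges from the fixed one. Only one of the four cases differs:
 * an L2 guest whose L1 intercepts VMMCALL. */
int count_routing_divergences(void) {
    int divergences = 0;
    for (int gm = 0; gm < 2; gm++)
        for (int ic = 0; ic < 2; ic++) {
            struct vmmcall_ctx a = { gm, ic, 0 }, b = { gm, ic, 0 };
            if (route_vmmcall_buggy(&a) != route_vmmcall_fixed(&b))
                divergences++;
        }
    return divergences;
}

int main(void) {
    /* Constructed scenario: L2 executes VMMCALL and L1 asked to see it. */
    struct vmmcall_ctx l2_call = { .guest_mode = true, .l1_intercepts_vmmcall = true };
    printf("buggy: %s\n", route_vmmcall_buggy(&l2_call) == ROUTE_REFLECT_TO_L1
                           ? "reflect to L1" : "L0 handles (L1 policy bypassed)");
    printf("fixed: %s, exit code 0x%03x\n",
           route_vmmcall_fixed(&l2_call) == ROUTE_REFLECT_TO_L1 ? "reflect to L1" : "L0 handles",
           l2_call.injected_exit_code);
    printf("divergent cases: %d\n", count_routing_divergences());
    return 0;
}
```

The point of the table walk in count_routing_divergences() is that the defect is invisible outside nesting: for L1's own hypercalls and for non-intercepted L2 calls both variants agree, which is why a host that never runs nested guests is not exposed and why the nested=0 workaround mentioned later removes the risk.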
Mitigation and Remediation
Systems running Linux with KVM and AMD CPUs supporting nested virtualization (almost all modern AMD Ryzen and EPYC processors) are affected. The following steps should be taken:
- Update the kernel: Distributions have backported the fix to their respective stable kernels. Check your distribution’s security advisory for the exact patched version (e.g., Linux kernel 6.7.x, 5.15.x LTS, etc.).
- Reboot: A kernel update requires a reboot to take effect. For hypervisors hosting many VMs, schedule maintenance windows accordingly.
- Verify: check the kernel version, or confirm that the commit (kvm: svm: fix nested VMMCALL injection) is present.
For systems that cannot be immediately updated, a short-term workaround is to disable nested virtualization entirely if not needed. This can be done by setting the kvm_amd module parameter nested=0. However, this will prevent any L1 guests from running their own VMs, so it may not be feasible for production environments that rely on nesting.
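The remediation steps above come down to two questions an administrator can answer on each AMD KVM host: is the running kernel at or beyond the fixed version for its stable series, and is nested virtualization still enabled in kvm_amd. The checker below is an added example, not part of the advisory or of any distribution’s tooling. The version numbers in fixed_table[] are placeholders (the article gives no exact patched versions); fill them in from your distribution’s advisory. It reads the release string from uname(2) and the live parameter from /sys/module/kvm_amd/parameters/nested.

```c
/* Added example (not from the advisory or the kernel): host-side check of
 * kernel version against a per-series fixed version table and of the kvm_amd
 * "nested" parameter. fixed_table[] holds PLACEHOLDER values. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/utsname.h>

struct kver { int major, minor, patch; };

/* Parse "6.7.12-generic" or "5.15.150" into numbers; false on malformed input. */
bool parse_kver(const char *s, struct kver *out) {
    int n = sscanf(s, "%d.%d.%d", &out->major, &out->minor, &out->patch);
    if (n == 2) { out->patch = 0; n = 3; }   /* "6.7" means 6.7.0 */
    return n == 3 && out->major >= 0 && out->minor >= 0 && out->patch >= 0;
}

/* Verdicts from kernel_is_patched(). */
enum { KVER_UNKNOWN_SERIES = -1, KVER_VULNERABLE = 0, KVER_PATCHED = 1 };

/* Compare the running release against the first patched version of the SAME
 * stable series. A plain "newer is better" comparison would wrongly treat a
 * backported 5.15.y LTS kernel as older than 6.7.0; comparing within the
 * series avoids that. A series absent from the table yields
 * KVER_UNKNOWN_SERIES, meaning "look it up", not "safe". */
int kernel_is_patched(const char *release, const struct kver *table, size_t n) {
    struct kver k;
    if (!parse_kver(release, &k))
        return KVER_UNKNOWN_SERIES;
    for (size_t i = 0; i < n; i++)
        if (table[i].major == k.major && table[i].minor == k.minor)
            return k.patch >= table[i].patch ? KVER_PATCHED : KVER_VULNERABLE;
    return KVER_UNKNOWN_SERIES;
}

/* Interpret the sysfs text of kvm_amd's "nested" parameter:
 * 1 = nested virtualization enabled, 0 = disabled, -1 = unrecognised. */
int parse_nested_param(const char *contents) {
    if (!contents || !*contents) return -1;
    switch (contents[0]) {
    case '1': case 'Y': case 'y': return 1;
    case '0': case 'N': case 'n': return 0;
    default: return -1;
    }
}

/* Read the live parameter; -1 also when kvm_amd is not loaded (no sysfs entry). */
int read_nested_param(void) {
    char buf[16] = {0};
    FILE *f = fopen("/sys/module/kvm_amd/parameters/nested", "r");
    if (!f) return -1;
    if (!fgets(buf, sizeof buf, f)) { fclose(f); return -1; }
    fclose(f);
    return parse_nested_param(buf);
}

/* PLACEHOLDER first-patched versions per series, not from the advisory.
 * 999 forces a "not patched" verdict until the real numbers are filled in. */
static const struct kver fixed_table[] = {
    { 6, 7, 999 },    /* PLACEHOLDER: first patched 6.7.y */
    { 5, 15, 999 },   /* PLACEHOLDER: first patched 5.15.y */
};

int main(void) {
    struct utsname u;
    if (uname(&u) != 0) { perror("uname"); return 1; }
    int verdict = kernel_is_patched(u.release, fixed_table,
                                    sizeof fixed_table / sizeof fixed_table[0]);
    int nested = read_nested_param();
    printf("kernel %s: %s\n", u.release,
           verdict == KVER_PATCHED    ? "at or beyond fixed version" :
           verdict == KVER_VULNERABLE ? "OLDER than fixed version, update and reboot" :
                                        "series not in table, check your distribution advisory");
    printf("kvm_amd nested: %s\n",
           nested == 1 ? "enabled (nested=0 workaround not applied)" :
           nested == 0 ? "disabled" : "kvm_amd not loaded or parameter unreadable");
    return verdict == KVER_PATCHED ? 0 : 2;
}
```

Run it on each host after the update and reboot; a non-zero exit status means either the kernel is older than the fixed version for its series or the series is not in the table. Checking the series-specific backport rather than a global "minimum version" is the detail that most often goes wrong in fleet audits of mixed LTS and current kernels.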
Relevance for Windows Environments
While CVE-2026-46076 is a Linux kernel vulnerability, it has direct implications for Windows users in several scenarios:
- Windows as a guest under KVM: Many cloud providers and on-premises virtualization setups use KVM to host Windows Server and Windows 10/11 VMs. If those hypervisors run with nested virtualization enabled (for example, to run Hyper-V inside a Windows Server VM for nested testing), an attacker who compromises a nested Linux VM on the same host could exploit this flaw to attack the KVM host, potentially impacting all VMs including Windows guests.
- Windows Subsystem for Linux (WSL2): WSL2 uses a lightweight Hyper-V-based VM with a Linux kernel. While WSL2 does not directly use KVM, developers who install KVM inside their WSL2 environment for nested virtualization (e.g., to run Android emulators) could be affected if the WSL2 kernel is vulnerable. Microsoft ships custom WSL2 kernels; users should ensure they are updated to include the fix.
- Hybrid cloud administrators: IT professionals managing both Linux KVM hosts and Windows VMs need to track such CVEs to maintain a secure virtualization stack. A compromised KVM host is a threat to all workloads running on it.
Windows Server administrators who run Hyper-V as the primary hypervisor are not directly affected, but those who use Linux-based virtual appliances or third-party KVM solutions should apply updates to those components as well.
The Broader Context of Nested Virtualization Security
Nested virtualization adds an extra layer of complexity to hypervisor design. Each level of nesting multiplies the interfaces that must be secured. Hypercalls like VMMCALL, VMCALL (Intel), and Hyper-V’s hypercall interface are critical vectors that, if mismanaged, can undermine the isolation guarantees between nested guests and the ultimate host.
The community has seen several nested virtualization bugs over the years, including CVE-2022-1852 and others affecting Intel VMX. AMD SVM nested support, while generally robust, can harbor subtle flaws due to differences in how hardware assists handle intercepts. The KVM maintainers’ prompt response to this CVE underscores the importance of coordinated disclosure and the maturity of the Linux kernel security process.
Timeline and Disclosure
- Discovery: The flaw was identified by a security researcher (name not disclosed in the NVD entry) during routine fuzzing of nested SVM operations.
- May 27, 2026: Kernel.org published the security advisory and the patch was merged into the mainline kernel. The NVD assigned CVE-2026-46076.
- May–June 2026: Distribution maintainers began backporting the fix to their stable and long-term support kernels.
No reports of active exploitation have surfaced, but as with any hypervisor vulnerability, the window between disclosure and weaponization can be short. Organizations that rely on KVM for critical infrastructure should treat this as a high-priority update.
Conclusion
CVE-2026-46076 is a stern reminder that even mature virtualization stacks require constant scrutiny. The incorrect handling of VMMCALL in AMD nested virtualization could have been a foothold for sophisticated breakout attacks. Timely patching eliminates this risk and restores the integrity of the nested hypervisor boundary. For the Windows ecosystem, staying informed about Linux CVEs that affect shared infrastructure is not optional—it’s essential for end-to-end security. Administrators should audit their environments for AMD-based KVM hosts, verify nested virtualization settings, and apply the kernel updates without delay.