Zero Day MonitorZDM
DashboardVulnerabilitiesTrendingZero-DaysNewsAbout
Login
ImpressumPrivacy Policy
Zero Day Monitor © 2026
3112 articles · 171983 vulns · 36/41 feeds (7d)
← Back to list
0.0
CVE-2026-53360EXPLOITEDPATCHED
linux · linux kernel

KVM: SEV: Require in-GHCB scratch area if GHCB v2+ is in use

Description

In the Linux kernel, the following vulnerability has been resolved: KVM: SEV: Require in-GHCB scratch area if GHCB v2+ is in use As per the GHCB spec, when using GHCB v2+ require the software scratch area to reside in the GHCB's shared buffer. Note, things like Page State Change (PSC) requests _rely_ on this behavior, as the guest can't provide a length when making the request, i.e. the size of the guest payload is bounded by the size of the shared buffer. Failure to force usage of the GHCB, and a slew of other flaws, lets a malicious SNP guest corrupt host kernel heap memory, and leak host heap layout information. setup_vmgexit_scratch() allocates a buffer via kvzalloc(exit_info_2), where exit_info_2 is guest-controlled. With exit_info_2=24, this yields a 24-byte allocation in kmalloc-cg-32 (32-byte slab objects). The buffer holds an 8-byte psc_hdr followed by 8-byte psc_entry structs, so only entries[0] and entries[1] are in-bounds. snp_begin_psc() validates end_entry against VMGEXIT_PSC_MAX_COUNT (253) but NOT against the actual buffer size: idx_end = hdr->end_entry; if (idx_end >= VMGEXIT_PSC_MAX_COUNT) { // checks 253, not buffer snp_complete_psc(svm, ...); return 1; } for (idx = idx_start; idx <= idx_end; idx++) { entry_start = entries[idx]; // OOB when idx >= 2 The guest sets end_entry=10+, causing the host to iterate entries[2+] which are OOB into adjacent slab objects. For each OOB entry: - The host reads 8 bytes (OOB READ / info leak oracle) - If the data passes PSC validation, __snp_complete_one_psc() writes cur_page = 1 or 512 into the entry (OOB WRITE, sev.c:3806) - If validation fails, the error response reveals whether adjacent memory is zero vs non-zero (information disclosure to guest) The guest controls allocation size (exit_info_2), entry range (cur_entry/end_entry), and can fire unlimited VMGEXITs to repeatedly hit different slab positions. By exploiting the variety of bugs, a malicious SEV-SNP guest can: - OOB read adjacent kmalloc-cg-32 objects (heap layout disclosure) - OOB write cur_page bits into adjacent objects (heap corruption) - Trigger use-after-free conditions across VMGEXITs E.g. with KASAN enabled, a single insmod of the PoC guest module produces 73 KASAN reports: BUG: KASAN: slab-out-of-bounds in snp_begin_psc+0x126/0x890 Read of size 8 at addr ffff888219ffb5e0 by task qemu-system-x86/2199 BUG: KASAN: slab-out-of-bounds in snp_begin_psc+0x468/0x890 Write of size 8 at addr ffff888351566648 by task qemu-system-x86/2199 The buggy address belongs to the object at ffff888XXXXXXXXX which belongs to the cache kmalloc-cg-32 of size 32 The buggy address is located N bytes to the right of allocated 32-byte region [ffff888XXXXXXXXX, ffff888XXXXXXXXX) Breakdown: 62 slab-out-of-bounds (reads + writes past allocation) 7 slab-use-after-free 4 use-after-free All credit to Stan for the wonderful description and reproducer! [sean: write changelog]

Affected Products

VendorProductVersions
linuxlinux kernel4af663c2f64a8d252e690c60cf8b8abf22dc2951, 4af663c2f64a8d252e690c60cf8b8abf22dc2951, 4af663c2f64a8d252e690c60cf8b8abf22dc2951, 4af663c2f64a8d252e690c60cf8b8abf22dc2951, 6.10, 6.12.92, 6.18.34, 7.0.11

Also Affects

Downstream vendors/products affected by this vulnerability

VendorProductSourceConfidence
debiandebian linuxcert_advisory90%
linuxlinuxmitre_affected90%
open sourceopen source linux kernelcert_advisory90%

References

  • https://git.kernel.org/stable/c/bf9ba093fbb83c0c9a3dedd50efec29424eca2fc
  • https://git.kernel.org/stable/c/c9b4198fbc6ed99a9da4bee9f74bb730f926c9ae
  • https://git.kernel.org/stable/c/b328ede59ac34e7998e1eee5e5f0cc26c2a91846
  • https://git.kernel.org/stable/c/db3f2195d29344a3cf1e9dd9ab7f21ced7308cf7

Related News (3 articles)

Tier B
BSI Advisories1d ago
[NEU] [mittel] Linux Kernel: Mehrere Schwachstellen
→ No new info (linked only)
Tier C
VulDB3d ago
CVE-2026-53360 | Linux Kernel up to 6.12.92/6.18.34/7.0.11 KVM setup_vmgexit_scratch end_entry use after free
→ No new info (linked only)
Tier C
Linux Kernel CVEs3d ago
CVE-2026-53360: KVM: SEV: Require in-GHCB scratch area if GHCB v2+ is in use
→ No new info (linked only)
CVSS 3.10.0 CRITICAL
CISA KEV❌ No
Actively exploited✅ Yes
Patch available
bf9ba093fbb83c0c9a3dedd50efec29424eca2fcc9b4198fbc6ed99a9da4bee9f74bb730f926c9aeb328ede59ac34e7998e1eee5e5f0cc26c2a91846db3f2195d29344a3cf1e9dd9ab7f21ced7308cf706.12.936.18.357.0.127.1
PublishedJul 4, 2026
Last enriched3d agov3
Tags
CVE-2026-53360
Trending Score56
Source articles3
Independent3
Info Completeness8/14
Missing: epss, cwe, kev, exploit, iocs, mitre_attack

Community Vote

0
Login to vote
0 upvotes0 downvotes
No votes yet

Related CVEs (5)

HIGHCVE-2026-43284EXPKEV
xfrm: esp: avoid in-place decrypt on shared skb frags
Trending: 149
HIGHCVE-2026-43500EXPKEV
rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present
Trending: 141
HIGHCVE-2026-53359EXP
KVM: x86: Fix shadow paging use-after-free due to unexpected role
Trending: 81
HIGHCVE-2026-46242EXP
eventpoll: fix ep_remove struct eventpoll / struct file UAF
Trending: 63
HIGHCVE-2026-46300EXP
net: skbuff: preserve shared-frag marker during coalescing
Trending: 49

Pin to Dashboard

Verification

State: verified
Confidence: 0%

Vulnerability Timeline

CVE Published
Jul 4, 2026
Discovered by ZDM
Jul 4, 2026
Updated: affectedVersions, cvssEstimate, cweIds
Jul 4, 2026
Actively Exploited
Jul 4, 2026
Exploit Available
Jul 4, 2026
Patch Available
Jul 4, 2026
Updated: severity, affectedVersions, tags
Jul 4, 2026

Version History

v3
Last enriched 3d ago
v3Tier C3d ago

Updated severity to CRITICAL, added new affected versions, and corrected exploit availability.

severityaffectedVersionstags
via VulDB
v2Tier C3d ago

Updated description with detailed technical content, added affected version 6.10, changed severity to HIGH, and marked the vulnerability as actively exploited.

affectedVersionscvssEstimatecweIds
via Linux Kernel CVEs
v13d ago

Initial creation