A newly disclosed vulnerability in the Linux kernel’s KVM (Kernel-based Virtual Machine) was published by the National Vulnerability Database (NVD) on May 27, 2026. Tracked as CVE-2026-46071, the flaw resides in KVM’s AMD nested virtualization implementation, specifically in how the nSVM path handles the VMCB (Virtual Machine Control Block). The bug allows a malicious guest VM to manipulate the Last Branch Record (LBR) clean bit, leading to potential information disclosure across nested virtualization boundaries.

The vulnerability stems from incorrect handling of guest-owned VMCB fields during nested virtualization. In AMD’s SVM architecture, the LBR clean bit indicates whether the LBR buffer has been modified by the hypervisor. KVM’s nested SVM code inadvertently dirties this bit, causing confusion in the guest’s view of LBR state. Attackers could exploit this to leak sensitive data or subvert debugging mechanisms.

Technical Breakdown of CVE-2026-46071

KVM enables hardware-assisted virtualization on Linux, allowing unmodified guest operating systems to run efficiently. When running nested virtualization—a hypervisor inside a guest—KVM must emulate the hardware virtualization extensions. For AMD processors, this involves handling the nested VMCB, a data structure that controls the virtual machine’s execution and state.

The LBR is a CPU debugging feature that records a history of recently executed branches. It aids in performance profiling and security monitoring. In virtualized environments, the hypervisor must manage LBR state to prevent guests from interfering with each other or the host. The VMCB contains a “clean bits” field that tracks which portions of the VMCB have been updated by the hypervisor. When the hypervisor sets the LBR clean bit, it indicates that the LBR data in the VMCB is consistent and doesn’t need to be reloaded.

The flaw occurs in KVM’s nSVM code, which handles nested VMCBs. When processing a guest-owned VMCB, KVM incorrectly writes to the LBR clean bit even when it shouldn’t. This “dirtying” of the bit misleads the nested hypervisor into believing that LBR state has been altered by the VMM. The nested hypervisor then takes incorrect actions—for example, resuming execution with stale LBR values or failing to save/restore LBR context properly.

An attacker with control over a guest VM on a KVM host can craft sequences of instructions to trigger this behavior. By running a nested hypervisor inside the guest, they can observe the discrepancy in LBR clean bit handling. Repeated exploitation could allow them to infer LBR entries from other guests or the host, leading to information disclosure. In some scenarios, the bug might cause denial of service if the nested hypervisor crashes due to inconsistent state.

Affected Systems and Severity

The vulnerability affects Linux kernel versions that include the AMD nested virtualization support for KVM. Specifically, any kernel with the svm module and the nested parameter enabled (kvm_amd.nested=1) is potentially vulnerable. AMD processors supporting SVM and LBR (typically family 0x17 and later, such as EPYC and Ryzen generations) are impacted when running guests with nested virtualization active.

A Common Vulnerability Scoring System (CVSS) score has not yet been assigned in the initial NVD entry, but early assessments suggest moderate severity because of the level of access required and the technical complexity of exploitation. An attacker needs local access to a guest VM and the ability to execute privileged instructions within that guest. The impact could be elevated to high if information leakage across VMs is demonstrated in practice.

The Fix and Mitigation

The Linux kernel maintainers have already incorporated a patch to address CVE-2026-46071. The fix ensures that the LBR clean bit is only modified by the hypervisor when it actually alters the LBR state, not during nested VMCB handling. The patch was merged into the mainline kernel and backported to stable releases. System administrators should update their kernels to the latest long-term support (LTS) versions (e.g., 6.1.x, 6.6.x, or later) that contain the backport.

For environments where immediate patching is not feasible, disabling nested virtualization eliminates the attack surface. This can be done by setting the kernel module parameter kvm_amd.nested=0 and reloading the kvm_amd module. Note that this disables the ability to run hypervisors inside guests, which may affect certain cloud and development workflows.
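To check whether the mitigation above is in place and will survive a module reload, the following added example (not code from the kernel project or the advisory) reads the kvm_amd nested parameter from sysfs and from modprobe.d. The SYSFS_ROOT and MODPROBE_DIR overrides and the verdict labels are assumptions of this example.

```shell
#!/bin/sh
# Added example: does this KVM host still expose AMD nested virtualization?
# SYSFS_ROOT and MODPROBE_DIR are overridable (hypothetical variable names)
# so the checks can run against a constructed tree instead of the live host.
SYSFS_ROOT="${SYSFS_ROOT:-/sys}"
MODPROBE_DIR="${MODPROBE_DIR:-/etc/modprobe.d}"

# Runtime state: the loaded module's read-only "nested" parameter.
nested_runtime() {
    p="$SYSFS_ROOT/module/kvm_amd/parameters/nested"
    [ -r "$p" ] || { echo "not-loaded"; return 0; }
    case "$(cat "$p")" in
        1|Y|y) echo "enabled" ;;
        0|N|n) echo "disabled" ;;
        *)     echo "unknown" ;;
    esac
}

# Persistent state: "options kvm_amd ... nested=N" in modprobe.d.
# Assumption: when several lines match, the last one read takes effect.
nested_persistent() {
    v=$(cat "$MODPROBE_DIR"/*.conf 2>/dev/null |
        sed -n 's/^[[:space:]]*options[[:space:]]\{1,\}kvm_amd[[:space:]].*nested=\([01YyNn]\).*/\1/p' |
        tail -n 1)
    case "$v" in
        0|N|n) echo "disabled" ;;
        1|Y|y) echo "enabled" ;;
        *)     echo "unset" ;;
    esac
}

# Combined verdict: the mitigation holds only if it also survives a reload.
nested_verdict() {
    r=$(nested_runtime); c=$(nested_persistent)
    case "$r/$c" in
        enabled/*)                              s="EXPOSED" ;;
        disabled/disabled|not-loaded/disabled)  s="MITIGATED" ;;
        disabled/*)                             s="MITIGATED-UNTIL-RELOAD" ;;
        *)                                      s="REVIEW" ;;
    esac
    echo "$s runtime=$r config=$c"
}

nested_verdict
```

The kvm_amd module can be unloaded only while no VM is running on the host, so moving a host from EXPOSED to MITIGATED usually means draining or migrating its guests first.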

Practical Implications for Windows Environments

Although CVE-2026-46071 is a Linux KVM bug, its implications extend to Windows systems running as guests on KVM hosts. Many enterprises deploy Windows Server virtual machines on Linux-based hypervisors like KVM due to its performance and cost benefits. In such setups, a compromised Linux guest with nested virtualization enabled could potentially extract LBR data from a Windows guest.

Windows systems also use LBR for Hyper-V enlightenments and debugging, but they are not directly affected by this kernel bug. However, the leakage of branch information from a Windows guest could reveal code execution patterns, potentially bypassing KASLR or other security mitigations. Microsoft’s Hyper-V, when running on bare metal, is not vulnerable, but nested Hyper-V on KVM (a supported scenario on Azure) could be impacted if the underlying KVM host is unpatched.

IT administrators managing hybrid environments should audit their KVM infrastructure, especially those hosting multi-tenant workloads. Cloud providers using KVM as the hypervisor (e.g., Azure Linux-based hosts, Google Cloud, AWS Nitro) are likely to have patched their fleets proactively. But private clouds and on-premises KVM deployments may lag behind.

Detection and Response

Detecting exploitation of CVE-2026-46071 is challenging because the attack occurs within the processor’s architectural state and does not generate obvious log entries. However, anomalous behavior in nested virtualization setups—such as unexpected VM exits or performance degradation—could be indicative. Monitoring for unusual nested SVM operations via KVM tracepoints may help.

Security teams should focus on preventive measures: patch management for all KVM hosts, regular kernel updates, and restricting nested virtualization to trusted workloads. Applying the principle of least privilege, avoid giving guests the ability to load kernel modules or execute arbitrary code as root, since that would be necessary to deploy the exploit.
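One way to act on the tracepoint monitoring and the "trusted workloads only" restriction described above is to inventory which VMs actually perform nested SVM entries. This is an added example, not code from the original article or the KVM project; the trace lines are constructed, and the PROC_ROOT override and the approved-PID list are assumptions.

```shell
#!/bin/sh
# Added example: find VMs that issue nested-SVM entries, from ftrace text.
PROC_ROOT="${PROC_ROOT:-/proc}"   # overridable (hypothetical name) for offline runs

# Constructed ftrace-style lines, not a real capture; event payloads are elided.
sample_trace() {
cat <<'EOF'
 CPU 0/KVM-4101  [002] d..1.  100.000100: kvm_nested_vmenter: (elided)
 CPU 0/KVM-4101  [002] d..1.  100.000180: kvm_nested_vmexit: (elided)
 CPU 1/KVM-4102  [003] d..1.  100.000200: kvm_exit: (elided)
 CPU 0/KVM-4101  [002] d..1.  100.000300: kvm_nested_vmenter: (elided)
 CPU 0/KVM-5200  [005] d..1.  100.000400: kvm_nested_vmenter: (elided)
 CPU 0/KVM-5200  [005] d..1.  100.000450: kvm_nested_vmexit: (elided)
EOF
}

# stdin: trace text. stdout: "tid enters exits" per vCPU thread.
# Assumption: the entry event is named kvm_nested_vmenter or, on older
# kernels, kvm_nested_vmrun; both are accepted.
nested_summary() {
    awk '
    /: kvm_nested_vm(enter|run|exit):/ {
        if (!match($0, /-[0-9]+ +\[[0-9]+\]/)) next
        tid = substr($0, RSTART + 1); sub(/ .*/, "", tid)
        if ($0 ~ /: kvm_nested_vmexit:/) exits[tid]++; else enters[tid]++
        seen[tid] = 1
    }
    END { for (t in seen) printf "%s %d %d\n", t, enters[t], exits[t] }
    ' | sort -n
}

# Map a vCPU thread id to its VMM process id (Tgid in /proc/<tid>/status).
tgid_of() {
    [ -r "$PROC_ROOT/$1/status" ] || return 1
    awk '/^Tgid:/ { print $2 }' "$PROC_ROOT/$1/status"
}

# stdin: trace text. $1: space-separated VMM PIDs approved for nesting.
# stdout: PIDs (or "tid:N" if the thread is gone) nesting without approval.
unapproved_nesting() {
    nested_summary | while read -r tid counts; do
        pid=$(tgid_of "$tid") || pid=""
        [ -n "$pid" ] || pid="tid:$tid"
        case " $1 " in *" $pid "*) ;; *) echo "$pid" ;; esac
    done | sort -u
}

sample_trace | nested_summary
```

On a live host the input would be the text read from the tracing directory after enabling the nested KVM events; the result shows who is using nested virtualization and does not by itself indicate exploitation.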

Community Reaction and Industry Response

The vulnerability was responsibly disclosed through the Linux kernel security team before the NVD publication. The public CVE assignment occurred after patches were available, following coordinated disclosure practices. Early discussion on developer mailing lists highlighted the subtlety of clean bit handling in nested virtualization—a complex area where similar bugs have appeared in the past (e.g., CVE-2021-29657 related to clean bit misuse on Intel).

Security researchers on social platforms have expressed concerns about the long tail of unpatched kernels in embedded systems and appliances that use KVM. While enterprise distributions like Red Hat, SUSE, and Canonical have issued advisories, smaller projects may not have immediate updates. The virtualization community has reiterated the importance of disabling nested virtualization unless absolutely needed, a recommendation that may shape future default configurations.

What’s Next for KVM Virtualization Security

CVE-2026-46071 underscores the complexity of maintaining correct architectural state in hypervisors, especially for features like LBR that were not originally designed with deep nesting in mind. As AMD and Intel continue to add advanced profiling and debugging capabilities to their CPUs, the attack surface for side-channel and state confusion bugs expands.

The KVM maintainers are discussing additional safeguards, such as validating clean bits more rigorously or isolating LBR context more strictly during nested transitions. There is also ongoing work to simplify the nested SVM code path to reduce the likelihood of future regressions. For Windows users who rely on KVM hosts, staying informed about these kernel updates and applying them quickly remains the most effective defense.