CVE-2026-53277
HighCVSS 8.8Exploitation Probability (EPSS)
Low risk2th percentile — higher than 2% of all known CVEs
Summary
A vulnerability was found in the Linux kernel's KVM for ARM64, where page table walk functions for fault injection and AT emulation did not hold the SRCU lock. This could lead to a race condition with memslot changes, potentially destabilizing virtual machines.
Risk Assessment
The risk involves potential memory integrity violations in virtual machines, which could lead to unpredictable guest behavior or privilege escalation within the virtualized environment.
Recommendation
Immediately update the Linux kernel to a version containing the fix that adds the required SRCU locks before page table operations.
Original NVD description (English source)
In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: Take the SRCU lock for page table walks in fault injection and AT emulation walk_s1() and kvm_walk_nested_s2() expect to be called while holding kvm->srcu to guard against memslot changes. While this is generally the case, __kvm_at_s12() and __kvm_find_s1_desc_level() call into the respective walkers without taking kvm->srcu. Fix by acquiring kvm->srcu prior to the table walk in both instances.

