A use-after-free vulnerability in KVM's shadow paging code was disclosed after researchers Alexander Bulekov and Fred Griffoul of Amazon found stale reverse mappings in shadow EPT through fuzzing. The flaw affects x86 guests and is exploitable when nested virtualization is enabled on Intel or AMD processors, or when systems use shadow paging with EPT or NPT disabled. Maintainers said the bug can lead to kernel memory corruption and denial of service on the host, making it a guest-to-host risk in affected virtualization setups.
The disclosure was coordinated by Sandipan Roy, who said reporters and maintainers agreed to an embargo that ended on March 29, 2026 at 16:00 UTC. Solar Designer said the issue had first been shared with the linux-distros list on March 10, 2026 and acknowledged the embargo exceeded that list's usual 14-day limit without prior approval, though it was allowed because the overrun was moderate and multiple stakeholders were already involved. The discussion also noted that on Linux kernels 6.16 and newer, the reproducer hits a WARN introduced by commit 11d45175111d, raising questions about whether panic_on_warn could reduce exploitability.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
4 events from the most recent confirmed update back to the earliest known activity.
Follow-up discussion on oss-sec said the issue was discovered through fuzzing and noted that on Linux kernel 6.16 and newer, the reproducer triggers a WARN introduced by commit 11d45175111d. Participants discussed whether panic_on_warn could reduce exploitability.
An oss-security mailing list thread publicly described a use-after-free vulnerability in KVM's shadow paging code affecting x86 guests. The discussion said the bug is exploitable from guests with nested virtualization enabled on Intel or AMD systems, or with shadow paging when EPT or NPT is disabled, and can cause kernel memory corruption and denial of service.
Sandipan Roy said the reporters and maintainers agreed to an embargo for the KVM shadow EPT stale rmap use-after-free vulnerability, with disclosure scheduled for 2026-03-29 at 16:00 UTC. Solar Designer noted this embargo exceeded the linux-distros list's usual 14-day limit but was allowed despite the policy overrun.
Solar Designer said the KVM shadow paging use-after-free issue was first brought to the linux-distros list on 2026-03-10. The flaw had been reported by Alexander Bulekov and Fred Griffoul of Amazon.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
2 references tracked. Mallory keeps watching after this page renders.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.