FTR, my situation is as follows:

- I have "nx_huge_pages=off" on the command line
- Right after boot, I see:
  > cat /sys/devices/system/cpu/vulnerabilities/itlb_multihit
  > KVM: Mitigation: VMX disabled
- Still, VMX is there (`lscpu|grep Flags|grep vmx`) and kvm_intel is loaded
- As soon as I start a KVM VM, I see:
  > cat /sys/devices/system/cpu/vulnerabilities/itlb_multihit
  > KVM: Vulnerable

So, the first "VMX disabled", AFAIUI, only really means that VMX is not in use at that time (e.g., there's no VM running!), not that it's really disabled. In fact, you can start using it and you should get "KVM: Split huge pages".

I agree it's a bit confusing, but that's how it is right now. If we want it differently, this should be changed in the kernel.
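
An added example, not part of the original message: a shell check that reads the sysfs status together with KVM's `nx_huge_pages` module parameter, so that "VMX disabled" on an idle host is reported as what it will become once a VM starts. The verdict strings and function names are this example's own, and the parameter values treated as "off" (`N`, `0`, `off`, `never`) are an assumption.

```shell
#!/bin/sh
# Added example: interpret itlb_multihit the way the message above describes it.
VULN_FILE=/sys/devices/system/cpu/vulnerabilities/itlb_multihit
NX_PARAM=/sys/module/kvm/parameters/nx_huge_pages

# itlb_verdict STATUS NX_SETTING
#   STATUS:     contents of the itlb_multihit sysfs file
#   NX_SETTING: contents of kvm's nx_huge_pages parameter ("" if kvm is not loaded)
# Prints one verdict word (names are hypothetical, chosen for this example).
itlb_verdict() {
    status=$1
    nx=$2
    case "$status" in
        *"VMX disabled"*)
            # Only means no VM is running right now; look at what KVM
            # will do when the first VM starts.
            case "$nx" in
                "")            echo "idle-kvm-not-loaded" ;;
                N|0|off|never) echo "idle-will-be-vulnerable" ;;   # assumed "off" values
                *)             echo "idle-will-be-mitigated" ;;
            esac ;;
        *"Split huge pages"*)  echo "mitigated" ;;
        *"Vulnerable"*)        echo "vulnerable" ;;
        *"Not affected"*)      echo "not-affected" ;;
        *)                     echo "unknown" ;;
    esac
}

# Read the live values from sysfs and print the raw status next to the verdict.
itlb_report() {
    status=$(cat "$VULN_FILE")
    nx=""
    if [ -r "$NX_PARAM" ]; then
        nx=$(cat "$NX_PARAM")
    fi
    echo "$status -> $(itlb_verdict "$status" "$nx")"
}

# Run against the live system only where the sysfs file exists.
if [ -r "$VULN_FILE" ]; then
    itlb_report
fi
```
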