Vulnerability in KVM Hypervisor Affects Nested Virtualization
CVE-2020-2732

5.8MEDIUM

Key Information:

Vendor

Oracle
Status
Oracle Linux
Vendor
CVE Published:
8 April 2020

What is CVE-2020-2732?

A flaw has been identified in the KVM hypervisor regarding its handling of instruction emulation for L2 guests when nested virtualization is enabled. Under specific conditions, an L2 guest can manipulate the L0 guest into accessing sensitive L1 resources that should otherwise remain inaccessible to the L2 guest. This vulnerability poses significant security risks in environments relying on nested virtualization, as it undermines the expected isolation between virtual machines.

Affected Version(s)

Oracle Linux 7

Oracle Linux 6

References

https://www.openwall.com/lists/oss-security/2020/02/25/3
x_refsource_MISC
https://www.spinics.net/lists/kvm/msg208259.html
x_refsource_MISC
https://git.kernel.org/linus/07721feee46b4b24840213322823...
x_refsource_MISC

CVSS V3.1

Score:
5.8
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Adjacent Network
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.