KVM Vulnerability in Linux Kernel Affects Virtual CPU Management
CVE-2024-58083
Summary
KVM in the Linux kernel fails to verify that the target virtual CPU (vCPU) is online before clamping its index. Because of this missing check, a lookup for a vCPU that does not exist can hand back vCPU0 instead of returning NULL. This matters when vCPU0 is not yet fully initialized: referencing it in that state can lead to a use-after-free. The issue is reachable only when userspace or the guest misbehaves, for example by sending an interrupt to a vCPU that is not ready, which can corrupt the integrity of the virtualization layer.
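To illustrate the bug pattern, here is an added, simplified model of the lookup described above; it is not the kernel's own code, and the structures, field names and the index_nospec() helper are assumptions that stand in for the real vCPU array and the clamping behaviour.

```c
#include <stddef.h>
#include <stdbool.h>

/* Simplified model of the index-clamping bug (not kernel code). */
#define MAX_VCPUS 8

struct vcpu { int id; bool initialized; };

struct vm {
    struct vcpu *vcpu_array[MAX_VCPUS]; /* slot is filled before init completes */
    unsigned int online_vcpus;           /* incremented only after init completes */
};

/* Models a clamping index helper: an out-of-range index is forced to 0,
 * it is not rejected. This is the behaviour the vulnerable path relies on. */
static unsigned int index_nospec(unsigned int idx, unsigned int size)
{
    return idx < size ? idx : 0;
}

/* Vulnerable pattern: clamp first, then look up. With online_vcpus == 0 the
 * clamp yields slot 0, so a not-yet-initialized vCPU0 can be handed back. */
struct vcpu *get_vcpu_vulnerable(struct vm *vm, unsigned int idx)
{
    unsigned int num = vm->online_vcpus;
    idx = index_nospec(idx, num);
    return vm->vcpu_array[idx];
}

/* Hardened pattern: reject any index that is not below the online count
 * before clamping, so the lookup returns either NULL or an online vCPU. */
struct vcpu *get_vcpu_checked(struct vm *vm, unsigned int idx)
{
    unsigned int num = vm->online_vcpus;
    if (idx >= num)
        return NULL;
    idx = index_nospec(idx, num);
    return vm->vcpu_array[idx];
}

/* Constructs the window the advisory describes: vCPU0 sits in the array but
 * online_vcpus is still 0. Returns 1 if the vulnerable lookup leaks vCPU0
 * while the checked lookup correctly returns NULL. */
int demo_half_created_vcpu0(void)
{
    static struct vcpu vcpu0 = { .id = 0, .initialized = false };
    struct vm vm = { .vcpu_array = { &vcpu0 }, .online_vcpus = 0 };
    struct vcpu *bad = get_vcpu_vulnerable(&vm, 5);
    struct vcpu *good = get_vcpu_checked(&vm, 5);
    return (bad == &vcpu0 && !bad->initialized && good == NULL) ? 1 : 0;
}
```

The same check-before-clamp shape is the defensive rule to look for in any array lookup that uses a clamping index helper.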
Affected Version(s)
Linux 1d487e9bf8ba66a7174c56a0029c54b1eca8f99c
Linux 1d487e9bf8ba66a7174c56a0029c54b1eca8f99c < 125da53b3c0c9d7f58353aea0076e9efd6498ba7