Maxim Levitsky

**Name of the Vulnerable Software and Affected Versions** KVM (affected versions not specified) **Description** A flaw was found in KVM, related to an improper check in the `svm set x2apic msr interception()` function. This may allow direct access to host x2apic msrs when the guest resets its apic, potentially leading to a denial of service condition. The issue is associated with an incorrect sequence of actions when switching to xapic mode. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** KVM (affected versions not specified) **Description** A flaw was found in KVM's AMD nested virtualization (SVM). A malicious L1 guest could purposely fail to intercept the shutdown of a cooperative nested guest (L2), possibly leading to a page fault and kernel panic in the host (L0). The issue is related to the incorrect handling of nested shutdown execution. Exploitation of the issue may allow an attacker to cause a denial of service. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to a potential NULL dereference on nested migration in the KVM component of the Linux kernel, specifically in the nSVM functionality. This is caused by the `nested svm load cr3` function being called too early, before the NPT is enabled, which prevents KVM from accessing guest memory and initializing the `walk mmu`. The exploitation of this issue may allow an attacker to cause a denial of service. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 5.14-rc7 **Description** A flaw was found in the KVM's AMD code for supporting SVM nested virtualization. The flaw occurs when processing the VMCB (virtual machine control block) provided by the L1 guest to spawn/handle a nested guest (L2). Due to improper validation of the `int ctl` field, this issue could allow a malicious L1 to enable AVIC support (Advanced Virtual Interrupt Controller) for the L2 guest. As a result, the L2 guest would be allowed to read/write physical pages of the host, resulting in a crash of the entire system, leak of sensitive data or potential guest-to-host escape. **Recommendations** For Linux kernel versions prior to 5.14-rc7, update to version 5.14-rc7 or later to resolve the issue. As a temporary workaround, consider disabling the nested virtualization feature until a patch is available. Restrict access to the VMCB to minimize the risk of exploitation. Avoid using the `int ctl` field in the VMCB until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A flaw was found in the KVM's AMD code for supporting SVM nested virtualization. The issue occurs when processing the VMCB (virtual machine control block) provided by the L1 guest to spawn/handle a nested guest (L2). Due to improper validation of the `virt ext` field, this issue could allow a malicious L1 to disable both VMLOAD/VMSAVE intercepts and VLS (Virtual VMLOAD/VMSAVE) for the L2 guest. As a result, the L2 guest would be allowed to read/write physical pages of the host, resulting in a crash of the entire system, leak of sensitive data, or potential guest-to-host escape. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.