Tom Lendacky

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to a bug in the x86/kexec component of the Linux kernel, where the call to `cc platform has()` triggers a fault and system crash if call depth tracking is active. This occurs because the GS segment has been reset by `load segments()` and `GS BASE` is now 0, but call depth tracking uses per-CPU variables to operate. The fix involves calling `cc platform has()` earlier in the function when GS is still valid. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to a bug in the Linux kernel's amd-xgbe component, which can cause a kernel panic due to inconsistencies in hardware descriptors. When the skb length underflow is detected, it triggers a BUG ON() in include/linux/skbuff.h, leading to intermittent kernel panic. The fix involves dropping the packet if such length underflows are seen. This issue may allow an attacker to impact the confidentiality, integrity, and availability of protected information. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to the KVM: SVM component of the Linux kernel. Access to the GHCB (Guest-to-Host Communication Buffer) is mainly in the VMGEXIT path and it is known that the GHCB will be mapped. However, there are two paths where it is possible the GHCB might not be mapped. The `sev vcpu deliver sipi vector()` routine will update the GHCB to inform the caller of the AP Reset Hold NAE event that a SIPI has been delivered. If a SIPI is performed without a corresponding AP Reset Hold, then the GHCB might not be mapped, which will result in a NULL pointer dereference. The `svm complete emulated msr()` routine will update the GHCB to inform the caller of a RDMSR/WRMSR operation about any errors. A safe guard has been added in this path to be certain a NULL pointer dereference is not encountered. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.