PT-2024-7851 · Linux · Linux Kernel
Sean Christopherson
·
Published
2024-04-08
·
Updated
2025-09-29
·
CVE-2024-26992
CVSS v2.0
4.6
Medium
| Vector | AV:L/AC:L/Au:S/C:N/I:N/A:C |
Name of the Vulnerable Software and Affected Versions
Linux kernel (affected versions not specified)
Description
The vulnerability is related to the KVM component in the Linux kernel, specifically with the virtualization of adaptive PEBS. The issue arises because KVM's implementation is architecturally broken, and exposing adaptive PEBS can leak host LBRs to the guest, potentially allowing the guest to read host kernel addresses. There are five identified bugs:
- KVM doesn't account for the upper 32 bits of IA32_FIXED_CTR_CTRL when reprogramming fixed counters.
- KVM always sets precise_ip to a non-zero value for PEBS events, causing perf to generate an adaptive record even if the guest requested a basic record.
- The perf function intel_pmu_disable_fixed() doesn't clear the upper bits, leaving ICL_FIXED_0_ADAPTIVE set.
- Adaptive PEBS might bypass event filters set by the host, recording information that could be disallowed by userspace via KVM_SET_PMU_EVENT_FILTER.
- KVM doesn't ensure LBR MSRs hold guest values when entering a vCPU with adaptive PEBS, allowing the guest to read host LBRs by enabling "LBR Entries" records.
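The first and third bugs above both come down to the upper 32 bits of IA32_FIXED_CTR_CTRL. The following Python model is an added illustration, not code from the advisory or from the Linux kernel: it decodes the register using the layout assumed from the kernel's perf code (a 4-bit control nibble per fixed counter at bits 4*idx..4*idx+3, and the adaptive-record enable bit ICL_FIXED_0_ADAPTIVE shifted by the same amount, i.e. bit 32 + 4*idx), then contrasts a disable routine that only clears the low nibble with one that also clears the adaptive bit, and shows why a comparison truncated to 32 bits cannot see the adaptive-bit change. All function names are hypothetical.

```python
# Added example (not from the advisory or the kernel): model of IA32_FIXED_CTR_CTRL
# handling for adaptive PEBS. Bit layout is assumed from Linux perf_event code:
#   bits [4*idx .. 4*idx+3]  : OS, USR, AnyThread, PMI enables for fixed counter idx
#   bit  32 + 4*idx          : ICL_FIXED_0_ADAPTIVE << (4*idx), adaptive record enable
ICL_FIXED_0_ADAPTIVE = 1 << 32
INTEL_FIXED_BITS_MASK = 0xF
LOW32 = 0xFFFFFFFF


def fixed_ctrl_fields(ctrl: int, idx: int) -> dict:
    """Decode the control bits that belong to fixed counter `idx`."""
    shift = 4 * idx
    nibble = (ctrl >> shift) & INTEL_FIXED_BITS_MASK
    return {
        "os": bool(nibble & 1),
        "usr": bool(nibble & 2),
        "any_thread": bool(nibble & 4),
        "pmi": bool(nibble & 8),
        "adaptive": bool(ctrl & (ICL_FIXED_0_ADAPTIVE << shift)),
    }


def enable_fixed(ctrl: int, idx: int, bits: int, adaptive: bool) -> int:
    """Program counter `idx` with the 4-bit `bits`, optionally requesting adaptive records."""
    shift = 4 * idx
    mask = INTEL_FIXED_BITS_MASK << shift
    new = (bits & INTEL_FIXED_BITS_MASK) << shift
    if adaptive:
        mask |= ICL_FIXED_0_ADAPTIVE << shift
        new |= ICL_FIXED_0_ADAPTIVE << shift
    return (ctrl & ~mask) | new


def disable_fixed_low_bits_only(ctrl: int, idx: int) -> int:
    """Models the pre-fix behaviour: only the low nibble is cleared, the adaptive bit stays."""
    return ctrl & ~(INTEL_FIXED_BITS_MASK << (4 * idx))


def disable_fixed(ctrl: int, idx: int) -> int:
    """Corrected disable: clear the nibble and the matching adaptive bit together."""
    mask = (INTEL_FIXED_BITS_MASK | ICL_FIXED_0_ADAPTIVE) << (4 * idx)
    return ctrl & ~mask


def stale_adaptive_counters(ctrl: int, nr_fixed: int) -> list:
    """Counters whose adaptive bit is set although every enable bit in their nibble is clear."""
    stale = []
    for idx in range(nr_fixed):
        f = fixed_ctrl_fields(ctrl, idx)
        nibble_clear = not (f["os"] or f["usr"] or f["any_thread"] or f["pmi"])
        if f["adaptive"] and nibble_clear:
            stale.append(idx)
    return stale


def change_hidden_by_u32_truncation(old: int, new: int) -> bool:
    """True when two register values differ only in bits a 32-bit comparison discards."""
    return old != new and (old & LOW32) == (new & LOW32)


if __name__ == "__main__":
    # Constructed scenario: counter 0 counts OS+USR with adaptive records requested.
    ctrl = enable_fixed(0, 0, 0x3, adaptive=True)
    print(hex(ctrl), fixed_ctrl_fields(ctrl, 0))
    buggy = disable_fixed_low_bits_only(ctrl, 0)
    print("stale adaptive bits after buggy disable:", stale_adaptive_counters(buggy, 4))
    print("after corrected disable:", hex(disable_fixed(ctrl, 0)))
    basic = enable_fixed(0, 0, 0x3, adaptive=False)
    print("adaptive request invisible to a 32-bit compare:",
          change_hidden_by_u32_truncation(basic, ctrl))
```

The last check is the shape of the first bug: a guest write that toggles only the adaptive bit looks identical to the previous value once the register is truncated to 32 bits, so a reprogramming decision made on the low half alone misses it.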
Recommendations
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Exploit
Information Disclosure
RCE
Related Identifiers
Affected Products
Astra Linux
Linuxmint
Linux Kernel
Red Hat
Red Os
Suse
Ubuntu