CVE-2024-40953

In the Linux kernel, the following vulnerability has been resolved:

KVM: Fix a data race on last_boosted_vcpu in kvm_vcpu_on_spin()

Use {READ,WRITE}_ONCE() to access kvm->last_boosted_vcpu to ensure the loads and stores are atomic. In the extremely unlikely scenario the compiler tears the stores, it's theoretically possible for KVM to attempt to get a vCPU using an out-of-bounds index, e.g. if the write is split into multiple 8-bit stores, and is paired with a 32-bit load on a VM with 257 vCPUs:

  CPU0                              CPU1
  last_boosted_vcpu = 0xff;

                                    (last_boosted_vcpu = 0x100)
                                    last_boosted_vcpu[15:8] = 0x01;
  i = (last_boosted_vcpu = 0x1ff)
                                    last_boosted_vcpu[7:0] = 0x00;
  vcpu = kvm->vcpu_array[0x1ff];

As detected by KCSAN:

  BUG: KCSAN: data-race in kvm_vcpu_on_spin [kvm] / kvm_vcpu_on_spin [kvm]

  write to 0xffffc90025a92344 of 4 bytes by task 4340 on cpu 16:
   kvm_vcpu_on_spin (arch/x86/kvm/../../../virt/kvm/kvm_main.c:4112) kvm
   handle_pause (arch/x86/kvm/vmx/vmx.c:5929) kvm_intel
   vmx_handle_exit (arch/x86/kvm/vmx/vmx.c:? arch/x86/kvm/vmx/vmx.c:6606) kvm_intel
   vcpu_run (arch/x86/kvm/x86.c:11107 arch/x86/kvm/x86.c:11211) kvm
   kvm_arch_vcpu_ioctl_run (arch/x86/kvm/x86.c:?) kvm
   kvm_vcpu_ioctl (arch/x86/kvm/../../../virt/kvm/kvm_main.c:?) kvm
   __se_sys_ioctl (fs/ioctl.c:52 fs/ioctl.c:904 fs/ioctl.c:890)
   __x64_sys_ioctl (fs/ioctl.c:890)
   x64_sys_call (arch/x86/entry/syscall_64.c:33)
   do_syscall_64 (arch/x86/entry/common.c:?)
   entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)

  read to 0xffffc90025a92344 of 4 bytes by task 4342 on cpu 4:
   kvm_vcpu_on_spin (arch/x86/kvm/../../../virt/kvm/kvm_main.c:4069) kvm
   handle_pause (arch/x86/kvm/vmx/vmx.c:5929) kvm_intel
   vmx_handle_exit (arch/x86/kvm/vmx/vmx.c:? arch/x86/kvm/vmx/vmx.c:6606) kvm_intel
   vcpu_run (arch/x86/kvm/x86.c:11107 arch/x86/kvm/x86.c:11211) kvm
   kvm_arch_vcpu_ioctl_run (arch/x86/kvm/x86.c:?) kvm
   kvm_vcpu_ioctl (arch/x86/kvm/../../../virt/kvm/kvm_main.c:?) kvm
   __se_sys_ioctl (fs/ioctl.c:52 fs/ioctl.c:904 fs/ioctl.c:890)
   __x64_sys_ioctl (fs/ioctl.c:890)
   x64_sys_call (arch/x86/entry/syscall_64.c:33)
   do_syscall_64 (arch/x86/entry/common.c:?)
   entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)

  value changed: 0x00000012 -> 0x00000000
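The torn-store scenario and the load-once fix described above, modelled in userspace C as an added example (this is not the kernel's code and not part of this record): torn_store_observed() computes what a 32-bit load sees when the store of 0x100 is split into byte stores and the load lands between them, and pick_boost_target() is a simplified stand-in for the vCPU selection in kvm_vcpu_on_spin() that reads last_boosted_vcpu exactly once through a READ_ONCE-style relaxed atomic load and, as an extra check that the kernel patch itself does not add, refuses an index outside the 257-entry array. The struct names, NR_VCPUS, the preempted flag, the sample vCPU states and the GCC/Clang __atomic_* builtins used as stand-ins for READ_ONCE()/WRITE_ONCE() are all assumptions of this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model: a guest with 257 vCPUs, the size used in the commit
 * message's example; an index of 0x1ff is well beyond it. */
#define NR_VCPUS 257

/* Userspace stand-ins for the kernel's READ_ONCE()/WRITE_ONCE(): a single
 * relaxed atomic access that the compiler may neither tear nor duplicate. */
#define READ_ONCE_U32(p)     __atomic_load_n((p), __ATOMIC_RELAXED)
#define WRITE_ONCE_U32(p, v) __atomic_store_n((p), (v), __ATOMIC_RELAXED)

struct vcpu_model {
    bool preempted;   /* runnable but descheduled: the kind of vCPU worth boosting */
};

struct kvm_model {
    uint32_t last_boosted_vcpu;
    struct vcpu_model vcpu_array[NR_VCPUS];
};

/* Value a plain 32-bit load would observe if the store of 'newval' were torn
 * into byte stores and the load landed after bits [15:8] but before bits [7:0]
 * were written: the interleaving the commit message describes. */
uint32_t torn_store_observed(uint32_t old, uint32_t newval)
{
    return (old & ~0xff00u) | (newval & 0xff00u);
}

/* Whether an index read from last_boosted_vcpu may be used to index
 * vcpu_array; anything >= NR_VCPUS is out of bounds. */
bool boost_index_in_bounds(uint32_t idx)
{
    return idx < NR_VCPUS;
}

/* Choose the next preempted vCPU after last_boosted_vcpu, wrapping around
 * once, in the spirit of the two-pass scan in kvm_vcpu_on_spin(). The index
 * is loaded exactly once, so the scan can never see two different values,
 * and it is range-checked before use (the range check is added here for
 * illustration only; the kernel fix adds just the READ_ONCE/WRITE_ONCE pair).
 * Returns the chosen index, or -1 if no vCPU qualifies. */
int pick_boost_target(struct kvm_model *kvm)
{
    uint32_t last = READ_ONCE_U32(&kvm->last_boosted_vcpu);

    if (!boost_index_in_bounds(last))
        return -1;

    for (int pass = 0; pass < 2; pass++) {
        for (uint32_t i = 0; i < NR_VCPUS; i++) {
            if (!pass && i <= last)
                continue;   /* first pass: only vCPUs after the last boosted one */
            if (pass && i > last)
                break;      /* second pass: wrapped around, stop at the start point */
            if (kvm->vcpu_array[i].preempted) {
                WRITE_ONCE_U32(&kvm->last_boosted_vcpu, i);
                return (int)i;
            }
        }
    }
    return -1;
}

int main(void)
{
    /* Constructed state: vCPUs 3 and 200 are preempted, 200 was boosted last. */
    struct kvm_model kvm = { .last_boosted_vcpu = 200 };
    kvm.vcpu_array[3].preempted = true;
    kvm.vcpu_array[200].preempted = true;

    uint32_t seen = torn_store_observed(0xff, 0x100);
    printf("torn load observes 0x%x, in bounds: %d\n", seen, boost_index_in_bounds(seen));
    printf("boost target: %d\n", pick_boost_target(&kvm));   /* wraps around to 3 */
    printf("boost target: %d\n", pick_boost_target(&kvm));   /* then 200 */
    return 0;
}
```

The point of loading the index into a local through the READ_ONCE stand-in is that every comparison in the scan uses one consistent value; the bounds check is defence in depth on top of that, since the untorn 32-bit accesses already guarantee the reader sees either 0xff or 0x100, never 0x1ff.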
Configurations

Configuration 1

OR cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.10:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.10:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.10:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.10:rc4:*:*:*:*:*:*

History

17 Sep 2025, 15:02

Type Values Removed Values Added
References
  removed: https://git.kernel.org/stable/c/11a772d5376aa6d3e2e69b5b5c585f79b60c0e17 (no tag)
  added:   https://git.kernel.org/stable/c/11a772d5376aa6d3e2e69b5b5c585f79b60c0e17 (Patch)
References
  removed: https://git.kernel.org/stable/c/49f683b41f28918df3e51ddc0d928cb2e934ccdb (no tag)
  added:   https://git.kernel.org/stable/c/49f683b41f28918df3e51ddc0d928cb2e934ccdb (Patch)
References
  removed: https://git.kernel.org/stable/c/4c141136a28421b78f34969b25a4fa32e06e2180 (no tag)
  added:   https://git.kernel.org/stable/c/4c141136a28421b78f34969b25a4fa32e06e2180 (Patch)
References
  removed: https://git.kernel.org/stable/c/71fbc3af3dacb26c3aa2f30bb3ab05c44d082c84 (no tag)
  added:   https://git.kernel.org/stable/c/71fbc3af3dacb26c3aa2f30bb3ab05c44d082c84 (Patch)
References
  removed: https://git.kernel.org/stable/c/82bd728a06e55f5b5f93d10ce67f4fe7e689853a (no tag)
  added:   https://git.kernel.org/stable/c/82bd728a06e55f5b5f93d10ce67f4fe7e689853a (Patch)
References
  removed: https://git.kernel.org/stable/c/92c77807d938145c7c3350c944ef9f39d7f6017c (no tag)
  added:   https://git.kernel.org/stable/c/92c77807d938145c7c3350c944ef9f39d7f6017c (Patch)
References
  removed: https://git.kernel.org/stable/c/95c8dd79f3a14df96b3820b35b8399bd91b2be60 (no tag)
  added:   https://git.kernel.org/stable/c/95c8dd79f3a14df96b3820b35b8399bd91b2be60 (Patch)
References
  removed: https://git.kernel.org/stable/c/a937ef951bba72f48d2402451419d725d70dba20 (no tag)
  added:   https://git.kernel.org/stable/c/a937ef951bba72f48d2402451419d725d70dba20 (Patch)
First Time
  added:   Linux
           Linux linux Kernel
CVSS
  removed: v2 : unknown; v3 : unknown
  added:   v2 : unknown; v3 : 4.7
CWE
  added:   CWE-362
CPE
  added:   cpe:2.3:o:linux:linux_kernel:6.10:rc3:*:*:*:*:*:*
           cpe:2.3:o:linux:linux_kernel:6.10:rc4:*:*:*:*:*:*
           cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
           cpe:2.3:o:linux:linux_kernel:6.10:rc1:*:*:*:*:*:*
           cpe:2.3:o:linux:linux_kernel:6.10:rc2:*:*:*:*:*:*

21 Nov 2024, 09:31

Type Values Removed Values Added
References
  removed: https://git.kernel.org/stable/c/49f683b41f28918df3e51ddc0d928cb2e934ccdb (no tag)
  added:   https://git.kernel.org/stable/c/49f683b41f28918df3e51ddc0d928cb2e934ccdb (no tag)
References
  removed: https://git.kernel.org/stable/c/92c77807d938145c7c3350c944ef9f39d7f6017c (no tag)
  added:   https://git.kernel.org/stable/c/92c77807d938145c7c3350c944ef9f39d7f6017c (no tag)
References
  removed: https://git.kernel.org/stable/c/95c8dd79f3a14df96b3820b35b8399bd91b2be60 (no tag)
  added:   https://git.kernel.org/stable/c/95c8dd79f3a14df96b3820b35b8399bd91b2be60 (no tag)
References
  removed: https://git.kernel.org/stable/c/a937ef951bba72f48d2402451419d725d70dba20 (no tag)
  added:   https://git.kernel.org/stable/c/a937ef951bba72f48d2402451419d725d70dba20 (no tag)

08 Nov 2024, 16:15

Type Values Removed Values Added
References
  added:   https://git.kernel.org/stable/c/11a772d5376aa6d3e2e69b5b5c585f79b60c0e17 (no tag)
           https://git.kernel.org/stable/c/4c141136a28421b78f34969b25a4fa32e06e2180 (no tag)

22 Oct 2024, 15:15

Type Values Removed Values Added
References
  added:   https://git.kernel.org/stable/c/71fbc3af3dacb26c3aa2f30bb3ab05c44d082c84 (no tag)
           https://git.kernel.org/stable/c/82bd728a06e55f5b5f93d10ce67f4fe7e689853a (no tag)
Summary
  added:   (es) Spanish translation of the description above (same commit message, interleaving diagram and KCSAN report)

12 Jul 2024, 16:34

Type Values Removed Values Added
New CVE

Information

Published : 2024-07-12 13:15

Updated : 2025-09-17 15:02


NVD link : CVE-2024-40953

Mitre link : CVE-2024-40953

CVE.ORG link : CVE-2024-40953


Products Affected

linux

  • linux_kernel
CWE
CWE-362

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')