
CVE-2023-52597: Vulnerability in Linux

Medium
Published: Wed Mar 06 2024 (03/06/2024, 06:45:26 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

KVM: s390: fix setting of fpc register

kvm_arch_vcpu_ioctl_set_fpu() allows setting the floating point control (fpc) register of a guest cpu. The new value is tested for validity by temporarily loading it into the fpc register. This may lead to corruption of the fpc register of the host process: if an interrupt happens while the value is temporarily loaded into the fpc register, and within interrupt context floating point or vector registers are used, the current fp/vx registers are saved with save_fpu_regs() assuming they belong to user space and will be loaded into fp/vx registers when returning to user space. test_fp_ctl() restores the original user space / host process fpc register value, however it will be discarded when returning to user space. As a result the host process will incorrectly continue to run with the value that was supposed to be used for a guest cpu. Fix this by simply removing the test. There is another test right before the SIE context is entered which will handle invalid values. This results in a change of behaviour: invalid values will now be accepted instead of the ioctl failing with -EINVAL. This seems to be acceptable, given that this interface is most likely not used anymore, and this is in addition the same behaviour implemented with the memory mapped interface (replace invalid values with zero) - see sync_regs() in kvm-s390.c.

AI-Powered Analysis

Last updated: 07/04/2025, 05:57:38 UTC

Technical Analysis

CVE-2023-52597 is a vulnerability in the Linux kernel's KVM (Kernel-based Virtual Machine) implementation for the s390 architecture, IBM's mainframe platform. It arises in kvm_arch_vcpu_ioctl_set_fpu(), the ioctl handler that sets the floating point control (fpc) register of a guest virtual CPU. The handler validated the new fpc value by temporarily loading it into the live fpc register via test_fp_ctl(). If an interrupt arrives while the guest value is loaded, and the interrupt handler uses floating point or vector registers, save_fpu_regs() saves the current fp/vx state on the assumption that it belongs to user space, so that it can be reloaded on return to user space. test_fp_ctl() does restore the original host fpc value afterwards, but that restoration is discarded on return to user space, when the saved (guest) value is loaded back. The host process therefore continues running with the guest CPU's fpc value, which can cause integrity and availability problems.

The fix removes the temporary-load test and relies on the existing check performed right before the SIE context is entered. As a consequence, invalid fpc values passed through this ioctl are now accepted rather than rejected with -EINVAL, matching the memory-mapped interface (sync_regs()), where invalid values are replaced with zero.

The vulnerability has a CVSS v3.1 score of 4.0 (medium severity), with an attack vector of local (AV:L), high attack complexity (AC:H), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), no confidentiality impact (C:N), low integrity impact (I:L), and low availability impact (A:L). There are no known exploits in the wild, and the affected versions correspond to specific Linux kernel commits. The issue is specific to the s390 KVM subsystem and does not affect other architectures or general Linux kernel usage.
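The following is an added illustration, not kernel code: a user-space C model of the race described above. The live fpc register, the per-task save area, the interrupt path, the reserved-bit mask and the KVM functions are all simulated and constructed here; it shows why validating through the live register leaves the host with the guest's value once an interrupt intervenes, and why storing the value and checking it before guest entry does not.

```c
/* Added example, not kernel code: user-space model of the CVE-2023-52597 race.
 * Register, save area, interrupt path and KVM functions are all simulated. */
#include <errno.h>
#include <stdint.h>

#define HOST_FPC     0x00000002u /* constructed valid host value */
#define FPC_RESERVED 0x000000fcu /* constructed reserved-bit mask, not the real s390 rule */
static uint32_t live_fpc, thread_fpc, vcpu_fpc; /* live register, user save area, vcpu->run fpc */
static int thread_fpu_saved, interrupt_pending;

/* An interrupt that uses fp/vx registers: save_fpu_regs() stores the live
 * register assuming it is user-space state, to be reloaded on return. */
static void maybe_interrupt(void)
{
	if (!interrupt_pending) return;
	interrupt_pending = 0; thread_fpc = live_fpc; thread_fpu_saved = 1;
}
/* Returning to user space reloads the saved state, discarding the live value. */
static void return_to_user(void) { if (thread_fpu_saved) live_fpc = thread_fpc; }

/* Original test_fp_ctl(): validates by loading the value into the live register. */
static int test_fp_ctl(uint32_t fpc)
{
	uint32_t orig = live_fpc;  /* efpc */
	live_fpc = fpc;            /* sfpc: the guest value is live now */
	maybe_interrupt();         /* the race window */
	live_fpc = orig;           /* restore; a later reload silently discards this */
	return (fpc & FPC_RESERVED) ? -EINVAL : 0;
}
/* Before the fix: reject invalid values via test_fp_ctl(). */
static int set_fpu_before(uint32_t fpc)
{
	if (test_fp_ctl(fpc)) return -EINVAL;
	vcpu_fpc = fpc; return 0;
}
/* After the fix: just store; an interrupt here only ever sees the host's own fpc. */
static int set_fpu_after(uint32_t fpc) { vcpu_fpc = fpc; maybe_interrupt(); return 0; }
/* The check before guest entry, modelled on sync_regs(): invalid values become zero. */
static void check_before_guest_entry(void) { if (vcpu_fpc & FPC_RESERVED) vcpu_fpc = 0; }

/* One ioctl with an interrupt landing inside it; returns the host fpc afterwards. */
static uint32_t host_fpc_after_ioctl(int fixed, uint32_t guest_fpc)
{
	live_fpc = thread_fpc = HOST_FPC; thread_fpu_saved = 0; interrupt_pending = 1;
	if (fixed) set_fpu_after(guest_fpc); else set_fpu_before(guest_fpc);
	check_before_guest_entry();
	return_to_user();
	return live_fpc;
}
static uint32_t vcpu_fpc_value(void) { return vcpu_fpc; }
```

With the original flow the host returns to user space carrying the guest's value; with the fixed flow the host value survives and an invalid guest value is zeroed before guest entry instead of failing the ioctl.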

Potential Impact

For European organizations running Linux on IBM mainframe hardware (s390 architecture) with KVM virtualization enabled, this vulnerability could lead to corruption of the host process's floating point control register. Although the impact on confidentiality is negligible, the integrity and availability of host processes could be compromised, potentially causing unpredictable behavior or crashes in critical virtualized environments. This is particularly relevant for enterprises relying on mainframe virtualization for critical workloads such as banking, government, and large-scale enterprise resource planning (ERP) systems. The medium severity rating reflects the limited attack vector (local access required) and high complexity, reducing the likelihood of exploitation. However, the potential for subtle corruption in host processes could lead to difficult-to-diagnose failures or data integrity issues in virtualized guest environments. Since no known exploits exist in the wild, the immediate risk is low, but organizations should prioritize patching to prevent future exploitation, especially those with compliance requirements or high availability needs.

Mitigation Recommendations

1. Apply the official Linux kernel patches that address CVE-2023-52597 as soon as they become available from trusted Linux distribution vendors or the Linux kernel mainline.
2. For organizations using s390 KVM virtualization, review and restrict local access to systems to trusted administrators only, minimizing the risk of local exploitation.
3. Monitor system logs and kernel messages for unusual floating point or vector register errors or crashes that could indicate exploitation attempts or instability.
4. Implement strict access controls and auditing on virtualization management interfaces to detect and prevent unauthorized ioctl calls that could trigger this vulnerability.
5. Consider isolating critical virtual machines and host processes to reduce the blast radius in case of exploitation.
6. Coordinate with hardware and software vendors to ensure firmware and hypervisor components are up to date and compatible with patched kernels.
7. Conduct thorough testing of patched kernels in staging environments to verify stability and compatibility before deployment in production.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-03-02T21:55:42.572Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682cd0fa1484d88663aebfa9

Added to database: 5/20/2025, 6:59:06 PM

Last enriched: 7/4/2025, 5:57:38 AM

Last updated: 8/8/2025, 8:35:36 AM
