
CVE-2024-26990: Vulnerability in Linux Linux

Severity: Medium
Published: Wed May 01 2024 (05/01/2024, 05:27:48 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

KVM: x86/mmu: Write-protect L2 SPTEs in TDP MMU when clearing dirty status

Check kvm_mmu_page_ad_need_write_protect() when deciding whether to write-protect or clear D-bits on TDP MMU SPTEs, so that the TDP MMU accounts for any role-specific reasons for disabling D-bit dirty logging. Specifically, TDP MMU SPTEs must be write-protected when the TDP MMU is being used to run an L2 (i.e. L1 has disabled EPT) and PML is enabled. KVM always disables PML when running L2, even when L1 and L2 GPAs are in the same domain, so failing to write-protect TDP MMU SPTEs will cause writes made by L2 to not be reflected in the dirty log.

[sean: massage shortlog and changelog, tweak ternary op formatting]

AI-Powered Analysis

AI analysis last updated: 06/29/2025, 14:09:36 UTC

Technical Analysis

CVE-2024-26990 is a vulnerability in the Linux kernel's KVM (Kernel-based Virtual Machine) subsystem, specifically in the x86 memory management unit (MMU) code that supports nested virtualization. The issue concerns write-protection of Level 2 (L2) shadow page table entries (SPTEs) in the Two-Dimensional Paging (TDP) MMU when the dirty status of those entries is cleared. In nested virtualization, L1 is the first-level guest hypervisor and L2 is the nested guest running under L1.

The defect is that the TDP MMU did not write-protect L2 SPTEs in the case where the TDP MMU is used to run an L2 guest (that is, L1 has disabled EPT) and Page Modification Logging (PML) is enabled. PML is a hardware feature that records guest-modified pages so that KVM can track dirty pages efficiently for memory management and migration. The kernel helper kvm_mmu_page_ad_need_write_protect() reports whether a shadow page's role requires write-protection rather than D-bit clearing; before the fix, the TDP MMU did not consult it when deciding whether to write-protect or clear D-bits on its SPTEs. Because KVM always disables PML when running L2, even when L1 and L2 guest physical addresses (GPAs) are in the same domain, clearing D-bits instead of write-protecting meant that writes made by an L2 guest were not reflected in the dirty log.

Inaccurate dirty logging can undermine memory management operations that depend on it, such as live migration, snapshotting, or dirty page tracking in nested virtualization environments. The fix makes the TDP MMU check kvm_mmu_page_ad_need_write_protect() so that L2 SPTEs are write-protected when running L2 with PML enabled, restoring accurate dirty logging. No exploits in the wild were reported as of the publication date. The affected versions are identified in the CVE record by specific Linux kernel commit hashes, indicating a recent kernel-level fix.

Potential Impact

For European organizations, especially those utilizing nested virtualization on Linux-based infrastructure, this vulnerability could undermine the integrity of memory management in virtualized environments. Nested virtualization is commonly used in cloud service providers, research institutions, and enterprises running complex multi-tenant or development environments. The failure to accurately track dirty pages can lead to issues in live migration, snapshot consistency, and memory deduplication, potentially causing data corruption or service disruption. While this vulnerability does not directly enable code execution or privilege escalation, the resulting inconsistencies could degrade the reliability and availability of virtualized workloads. Organizations relying on nested virtualization for critical services or cloud infrastructure could experience operational instability or data integrity issues if the vulnerability is exploited or triggered inadvertently. Given the lack of known exploits, the immediate risk is moderate, but the potential for impact in complex virtualization scenarios is significant.

Mitigation Recommendations

European organizations should prioritize updating their Linux kernel versions to include the patch that addresses CVE-2024-26990. Specifically, they should track kernel releases or backported patches from their Linux distribution vendors that fix the write-protection handling in KVM's TDP MMU for nested virtualization. For environments where updating the kernel is not immediately feasible, administrators should consider disabling nested virtualization or PML features temporarily to mitigate the risk of dirty page tracking inconsistencies. Additionally, organizations should audit their virtualization infrastructure to identify nested virtualization usage and assess the impact of this vulnerability on their workloads. Monitoring for unusual behavior in live migration or snapshot operations can help detect potential exploitation or issues arising from this vulnerability. Finally, implementing strict access controls and limiting the ability to run nested guests to trusted users can reduce the attack surface.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-02-19T14:20:24.205Z
CISA Enriched: true
CVSS Version: null
State: PUBLISHED

Threat ID: 682d9829c4522896dcbe301b

Added to database: 5/21/2025, 9:08:57 AM

Last enriched: 6/29/2025, 2:09:36 PM

Last updated: 7/29/2025, 2:05:58 AM

