
CVE-2024-26992: Vulnerability in Linux (Linux kernel)

Severity: High
Published: Wed May 01 2024 (05/01/2024, 05:27:57 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

KVM: x86/pmu: Disable support for adaptive PEBS

Drop support for virtualizing adaptive PEBS, as KVM's implementation is architecturally broken without an obvious/easy path forward, and because exposing adaptive PEBS can leak host LBRs to the guest, i.e. can leak host kernel addresses to the guest.

Bug #1 is that KVM doesn't account for the upper 32 bits of IA32_FIXED_CTR_CTRL when (re)programming fixed counters, e.g. fixed_ctrl_field() drops the upper bits, reprogram_fixed_counters() stores local variables as u8s and truncates the upper bits too, etc.

Bug #2 is that, because KVM _always_ sets precise_ip to a non-zero value for PEBS events, perf will _always_ generate an adaptive record, even if the guest requested a basic record. Note, KVM will also enable adaptive PEBS in individual *counters*, even if adaptive PEBS isn't exposed to the guest, but this is benign as MSR_PEBS_DATA_CFG is guaranteed to be zero, i.e. the guest will only ever see Basic records.

Bug #3 is in perf. intel_pmu_disable_fixed() doesn't clear the upper bits either, i.e. leaves ICL_FIXED_0_ADAPTIVE set, and intel_pmu_enable_fixed() effectively doesn't clear ICL_FIXED_0_ADAPTIVE either. I.e. perf _always_ enables ADAPTIVE counters, regardless of what KVM requests.

Bug #4 is that adaptive PEBS *might* effectively bypass event filters set by the host, as "Updated Memory Access Info Group" records information that might be disallowed by userspace via KVM_SET_PMU_EVENT_FILTER.

Bug #5 is that KVM doesn't ensure LBR MSRs hold guest values (or at least zeros) when entering a vCPU with adaptive PEBS, which allows the guest to read host LBRs, i.e. host RIPs/addresses, by enabling "LBR Entries" records.

Disable adaptive PEBS support as an immediate fix due to the severity of the LBR leak in particular, and because fixing all of the bugs will be non-trivial, e.g. not suitable for backporting to stable kernels.

Note! This will break live migration, but trying to make KVM play nice with live migration would be quite complicated, wouldn't be guaranteed to work (i.e. KVM might still kill/confuse the guest), and it's not clear that there are any publicly available VMMs that support adaptive PEBS, let alone live migrate VMs that support adaptive PEBS, e.g. QEMU doesn't support PEBS in any capacity.

AI-Powered Analysis

Last updated: 06/29/2025, 14:10:25 UTC

Technical Analysis

CVE-2024-26992 is a vulnerability in the Linux kernel's KVM (Kernel-based Virtual Machine) subsystem related to the handling of adaptive Precise Event-Based Sampling (PEBS) on x86 architectures. Adaptive PEBS is a performance monitoring feature that allows detailed tracing of CPU events. The vulnerability arises because KVM's implementation of adaptive PEBS is fundamentally flawed and exposes sensitive host kernel information to guest virtual machines (VMs). Specifically, several bugs cause improper handling of performance monitoring registers and counters, leading to leakage of host Last Branch Records (LBRs) to guest VMs. This leakage can reveal host kernel addresses, which are critical for attackers aiming to bypass kernel address space layout randomization (KASLR) and escalate privileges.

The key technical issues are:

1. KVM fails to manage the upper 32 bits of the IA32_FIXED_CTR_CTRL MSR correctly, causing truncation and misconfiguration of fixed counters.
2. KVM always enables adaptive PEBS records regardless of guest requests, leading to unintended exposure.
3. The Linux perf subsystem does not properly disable adaptive PEBS counters, so they remain enabled even when not desired.
4. Adaptive PEBS can potentially bypass event filters set by the host, allowing unauthorized data collection.
5. KVM does not sanitize LBR MSRs on vCPU entry, enabling guests to read host LBR data.

Due to the complexity and severity of these issues, the immediate mitigation is to disable adaptive PEBS support in KVM entirely. This fix prevents the leakage but breaks live migration of VMs using adaptive PEBS. The vulnerability is not currently known to be exploited in the wild, and no CVSS score has been assigned yet. However, the impact on confidentiality and the potential for privilege escalation are significant. The vulnerability affects Linux kernel versions containing the specified commit hashes and is relevant to environments running KVM virtualization on x86 platforms with adaptive PEBS enabled.

Potential Impact

For European organizations, especially those relying on Linux-based virtualization infrastructures using KVM on x86 hardware, this vulnerability poses a serious confidentiality risk. The leakage of host kernel addresses to guest VMs can facilitate advanced attacks such as kernel-level exploits, privilege escalation, and escape from virtualized environments. This is particularly critical for cloud service providers, data centers, and enterprises running multi-tenant virtualized workloads, where isolation between guests and hosts is paramount. The inability to trust the isolation boundary could lead to unauthorized access to sensitive data or disruption of critical services. Additionally, the disabling of adaptive PEBS to mitigate the issue may impact performance monitoring and debugging capabilities, potentially complicating incident response and system optimization efforts. The breakage of live migration functionality could affect operational flexibility and disaster recovery plans, especially for organizations with distributed data centers or hybrid cloud deployments. Overall, the vulnerability undermines the security guarantees of virtualization platforms widely used in European IT infrastructures, increasing the risk profile for critical sectors such as finance, healthcare, telecommunications, and government.

Mitigation Recommendations

1. Immediately apply the Linux kernel patches that disable adaptive PEBS support in KVM to prevent leakage of host LBRs to guest VMs.
2. Audit virtualization environments to identify any use of adaptive PEBS features and disable them at the hypervisor level.
3. Review and update virtualization management policies to account for the loss of live migration capabilities when adaptive PEBS is disabled; plan alternative migration or failover strategies.
4. Enhance monitoring for unusual guest VM behavior that might indicate attempts to exploit performance monitoring features.
5. Limit guest VM privileges and restrict access to performance monitoring interfaces where possible to reduce the attack surface.
6. Coordinate with hardware and virtualization vendors to track updates and patches related to this vulnerability.
7. For environments requiring detailed performance monitoring, consider alternative tools or configurations that do not rely on adaptive PEBS until a secure implementation is available.
8. Conduct security awareness training for system administrators on the implications of this vulnerability and the importance of timely patching and configuration changes.
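As an added example in support of recommendation 2 (this is not code from the CVE record or from the Linux kernel), the POSIX shell helper below decodes a raw IA32_PERF_CAPABILITIES value (MSR 0x345) and reports whether the PEBS_BASELINE bit, which is how a CPU advertises adaptive PEBS, is set. The MSR number and the bit position (bit 14) are assumed from Intel's definitions as carried in Linux's msr-index.h; they are not stated on this page. Run inside a KVM guest with `--live` (needs root, the msr kernel module and msr-tools' rdmsr), a set bit means the host's KVM still advertises adaptive PEBS to that guest, whereas a kernel carrying the fix described above no longer does. On a bare-metal host the bit only reflects the hardware and says nothing about the fix. The sample values at the bottom are constructed, not captured from a real machine.

```shell
#!/bin/sh
# Added example, not code from the CVE record or the Linux kernel.
# Decodes IA32_PERF_CAPABILITIES (MSR 0x345) and reports whether the
# PEBS_BASELINE bit (bit 14, the "adaptive PEBS" capability) is set.
# MSR number and bit position are assumed from Intel's definitions as
# used in Linux msr-index.h (PERF_CAP_PEBS_BASELINE = BIT(14)).

MSR_IA32_PERF_CAPABILITIES=0x345
PERF_CAP_PEBS_BASELINE_BIT=14

# adaptive_pebs_advertised VALUE
#   VALUE is the raw MSR contents (decimal or 0x-prefixed hex).
#   Returns 0 (true) when bit 14 is set, 1 otherwise.
adaptive_pebs_advertised() {
    [ $(( ($1 >> PERF_CAP_PEBS_BASELINE_BIT) & 1 )) -eq 1 ]
}

# read_perf_capabilities
#   Reads MSR 0x345 on CPU 0 via msr-tools' rdmsr (needs root and the
#   msr kernel module) and prints it as 0x-prefixed hex.
read_perf_capabilities() {
    command -v rdmsr >/dev/null 2>&1 || {
        echo "rdmsr not found; install msr-tools and run 'modprobe msr'" >&2
        return 2
    }
    printf '0x%s\n' "$(rdmsr -p 0 "$MSR_IA32_PERF_CAPABILITIES")"
}

# classify VALUE
#   Prints a verdict for a raw MSR value. Exit status 1 means adaptive
#   PEBS is advertised (inside a guest: the host's KVM still exposes it),
#   0 means it is not.
classify() {
    if adaptive_pebs_advertised "$1"; then
        echo "$1: adaptive PEBS advertised (PEBS_BASELINE set)"
        return 1
    fi
    echo "$1: adaptive PEBS not advertised"
    return 0
}

# Constructed sample values (not from a real machine): bit 14 set vs.
# clear, with otherwise identical LBR-format and PEBS-format fields.
SAMPLE_ADVERTISED=0x4405
SAMPLE_NOT_ADVERTISED=0x0405

if [ "${1:-}" = "--live" ]; then
    val=$(read_perf_capabilities) && classify "$val"
else
    classify "$SAMPLE_ADVERTISED"
    classify "$SAMPLE_NOT_ADVERTISED"
fi
```

Without arguments the script only decodes the two constructed samples, so it can be reviewed offline; with `--live` it reads the real MSR. A non-zero exit status from `classify` is deliberate so the check can gate a fleet audit job.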


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-02-19T14:20:24.205Z
CISA Enriched: true
CVSS Version: null
State: PUBLISHED

Threat ID: 682d9829c4522896dcbe302b

Added to database: 5/21/2025, 9:08:57 AM

Last enriched: 6/29/2025, 2:10:25 PM

Last updated: 7/27/2025, 1:40:03 AM


