CVE-2024-40953: Vulnerability in Linux (Linux kernel)
In the Linux kernel, the following vulnerability has been resolved:

KVM: Fix a data race on last_boosted_vcpu in kvm_vcpu_on_spin()

Use {READ,WRITE}_ONCE() to access kvm->last_boosted_vcpu to ensure the loads and stores are atomic. In the extremely unlikely scenario the compiler tears the stores, it's theoretically possible for KVM to attempt to get a vCPU using an out-of-bounds index, e.g. if the write is split into multiple 8-bit stores, and is paired with a 32-bit load on a VM with 257 vCPUs:

  CPU0                               CPU1
  last_boosted_vcpu = 0xff;
                                     (last_boosted_vcpu = 0x100)
  last_boosted_vcpu[15:8] = 0x01;
                                     i = (last_boosted_vcpu = 0x1ff)
  last_boosted_vcpu[7:0] = 0x00;
                                     vcpu = kvm->vcpu_array[0x1ff];

As detected by KCSAN:

  BUG: KCSAN: data-race in kvm_vcpu_on_spin [kvm] / kvm_vcpu_on_spin [kvm]

  write to 0xffffc90025a92344 of 4 bytes by task 4340 on cpu 16:
   kvm_vcpu_on_spin (arch/x86/kvm/../../../virt/kvm/kvm_main.c:4112) kvm
   handle_pause (arch/x86/kvm/vmx/vmx.c:5929) kvm_intel
   vmx_handle_exit (arch/x86/kvm/vmx/vmx.c:? arch/x86/kvm/vmx/vmx.c:6606) kvm_intel
   vcpu_run (arch/x86/kvm/x86.c:11107 arch/x86/kvm/x86.c:11211) kvm
   kvm_arch_vcpu_ioctl_run (arch/x86/kvm/x86.c:?) kvm
   kvm_vcpu_ioctl (arch/x86/kvm/../../../virt/kvm/kvm_main.c:?) kvm
   __se_sys_ioctl (fs/ioctl.c:52 fs/ioctl.c:904 fs/ioctl.c:890)
   __x64_sys_ioctl (fs/ioctl.c:890)
   x64_sys_call (arch/x86/entry/syscall_64.c:33)
   do_syscall_64 (arch/x86/entry/common.c:?)
   entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)

  read to 0xffffc90025a92344 of 4 bytes by task 4342 on cpu 4:
   kvm_vcpu_on_spin (arch/x86/kvm/../../../virt/kvm/kvm_main.c:4069) kvm
   handle_pause (arch/x86/kvm/vmx/vmx.c:5929) kvm_intel
   vmx_handle_exit (arch/x86/kvm/vmx/vmx.c:? arch/x86/kvm/vmx/vmx.c:6606) kvm_intel
   vcpu_run (arch/x86/kvm/x86.c:11107 arch/x86/kvm/x86.c:11211) kvm
   kvm_arch_vcpu_ioctl_run (arch/x86/kvm/x86.c:?) kvm
   kvm_vcpu_ioctl (arch/x86/kvm/../../../virt/kvm/kvm_main.c:?) kvm
   __se_sys_ioctl (fs/ioctl.c:52 fs/ioctl.c:904 fs/ioctl.c:890)
   __x64_sys_ioctl (fs/ioctl.c:890)
   x64_sys_call (arch/x86/entry/syscall_64.c:33)
   do_syscall_64 (arch/x86/entry/common.c:?)
   entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)

  value changed: 0x00000012 -> 0x00000000
AI Analysis
Technical Summary
CVE-2024-40953 is a concurrency vulnerability in the Linux kernel's KVM (Kernel-based Virtual Machine) subsystem. The flaw is a data race on the field last_boosted_vcpu in the function kvm_vcpu_on_spin(). last_boosted_vcpu records the index of the last vCPU that received a priority boost, and it was accessed with plain loads and stores rather than with READ_ONCE()/WRITE_ONCE(). Without those annotations the compiler is free to split (tear) a 32-bit access into several narrower ones, so a concurrent reader can observe a value that mixes the old and the new index. Specifically, if the write to last_boosted_vcpu is split into 8-bit stores and paired with a 32-bit load, an out-of-range index can be used to look up vcpu_array: in the commit's example, a store of 0x100 over the previous value 0xff is observed as 0x1ff on a VM with 257 vCPUs. KVM could then attempt to access a vCPU beyond the allocated array bounds, leading to undefined behavior, memory corruption, or a kernel crash. The race was detected by the Kernel Concurrency Sanitizer (KCSAN), which reported conflicting concurrent accesses (a write and a read) to last_boosted_vcpu from different CPUs. The patch uses the READ_ONCE() and WRITE_ONCE() macros so that each load and store is emitted as a single access, which prevents tearing. The vulnerable code has been present since commit 217ece6129f2d3b4fdd18d9e79be9e43d8d14a42, so kernel versions containing that commit and lacking the fix are affected. No known exploits are reported in the wild as of the publication date. Triggering the out-of-bounds condition requires a VM running under KVM with many vCPUs (257 or more in the commit's example) and a compiler that actually tears the store, making it a rare edge case but still a critical kernel-level flaw.
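To make the torn-store scenario concrete, here is an added C model (not the kernel's code and not part of this advisory) that replays the CPU0/CPU1 interleaving from the commit message and contrasts it with the single-word access that READ_ONCE()/WRITE_ONCE() guarantee. NR_VCPUS, the LANE_* masks and all function names are assumed for illustration, and the kernel macros are stood in for by relaxed C11 atomics.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define NR_VCPUS 257u          /* assumed VM size: valid indices 0..0x100 */
#define LANE_15_8 0x0000ff00u  /* byte lanes a tearing compiler may store */
#define LANE_7_0  0x000000ffu  /* separately, as in the commit's example  */

/* Value a concurrent 32-bit plain load can observe while a torn store
 * old_val -> new_val has so far updated only the byte lanes in lanes_done. */
static uint32_t torn_observe(uint32_t old_val, uint32_t new_val, uint32_t lanes_done)
{
    return (old_val & ~lanes_done) | (new_val & lanes_done);
}

/* CPU0/CPU1 interleaving from the commit message: CPU0 has stored bits
 * [15:8] of 0x100 over the old value 0xff at the moment CPU1 loads. */
static uint32_t replay_commit_scenario(void)
{
    return torn_observe(0xff, 0x100, LANE_15_8);
}

/* An index is only safe to use against vcpu_array if it is in range. */
static bool vcpu_index_valid(uint32_t idx)
{
    return idx < NR_VCPUS;
}

/* Fixed pattern: READ_ONCE()/WRITE_ONCE() modelled with relaxed C11 atomics,
 * which must compile to one aligned 32-bit access, so a reader sees either
 * the old or the new index and never a mix of both. */
static _Atomic uint32_t last_boosted_vcpu;
static void set_last_boosted(uint32_t idx)
{
    atomic_store_explicit(&last_boosted_vcpu, idx, memory_order_relaxed);
}
static uint32_t get_last_boosted(void)
{
    return atomic_load_explicit(&last_boosted_vcpu, memory_order_relaxed);
}

int main(void)
{
    uint32_t i = replay_commit_scenario();
    printf("torn load: 0x%x, valid index: %d\n", i, vcpu_index_valid(i));
    set_last_boosted(0x100);
    i = get_last_boosted();
    printf("single-word load: 0x%x, valid index: %d\n", i, vcpu_index_valid(i));
    return 0;
}
```

The torn load yields 0x1ff, which fails the bounds check; the single-word path can only ever return 0xff or 0x100.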
Potential Impact
For European organizations, this vulnerability poses a risk primarily to environments using Linux-based virtualization with KVM, especially those running large-scale virtualized workloads with many vCPUs. Exploitation could lead to kernel crashes or memory corruption, resulting in denial of service (DoS) of virtual machines or the host system. In worst cases, memory corruption could be leveraged for privilege escalation or arbitrary code execution within the kernel context, though no such exploits are currently known. The impact is significant for cloud service providers, data centers, and enterprises relying on KVM virtualization for critical infrastructure, as instability or compromise of virtual machines could disrupt services and data integrity. Given the widespread use of Linux and KVM in European public and private sectors, including government, finance, and telecommunications, the vulnerability could affect a broad range of organizations. However, the complexity and rarity of the triggering conditions somewhat limit immediate exploitation risk. Still, the vulnerability undermines the reliability and security of virtualized environments and must be addressed promptly to maintain operational security and compliance with European cybersecurity standards.
Mitigation Recommendations
1. Apply the official Linux kernel patch that switches the accesses to last_boosted_vcpu to READ_ONCE() and WRITE_ONCE() as soon as it is available from trusted Linux kernel sources or vendor distributions.
2. For organizations running custom or older kernels, backport the patch or upgrade to a kernel version that includes the fix; the affected code has been present since commit 217ece6129f2d3b4fdd18d9e79be9e43d8d14a42, so any kernel containing that commit without the fix is vulnerable.
3. As a temporary mitigation if patching is delayed, limit the number of vCPUs assigned to virtual machines to below the count used in the commit's example (e.g., fewer than 257 vCPUs).
4. Monitor kernel logs and system behavior for anomalies such as kernel panics, oops messages, or crashes related to KVM operations.
5. Use runtime kernel sanitizers such as the Kernel Address Sanitizer (KASAN) and the Kernel Concurrency Sanitizer (KCSAN) in test environments to detect similar concurrency issues proactively.
6. Ensure virtualization management tools and hypervisors are updated to versions compatible with patched kernels to avoid regressions.
7. Follow best practices for kernel security hardening and maintain strict access controls to prevent unauthorized kernel module loading or manipulation of KVM subsystems.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-07-12T12:17:45.592Z
- Cisa Enriched: true
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9827c4522896dcbe1495
Added to database: 5/21/2025, 9:08:55 AM
Last enriched: 6/29/2025, 2:41:01 AM
Last updated: 8/22/2025, 6:19:35 PM