
CVE-2024-53135: Vulnerability in the Linux kernel

Severity: High
Published: Wed Dec 04 2024 (12/04/2024, 14:20:40 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

KVM: VMX: Bury Intel PT virtualization (guest/host mode) behind CONFIG_BROKEN

Hide KVM's pt_mode module param behind CONFIG_BROKEN, i.e. disable support for virtualizing Intel PT via guest/host mode unless BROKEN=y. There are myriad bugs in the implementation, some of which are fatal to the guest, and others which put the stability and health of the host at risk.

For guest fatalities, the most glaring issue is that KVM fails to ensure tracing is disabled, and *stays* disabled prior to VM-Enter, which is necessary as hardware disallows loading (the guest's) RTIT_CTL if tracing is enabled (enforced via a VMX consistency check).

Per the SDM: If the logical processor is operating with Intel PT enabled (if IA32_RTIT_CTL.TraceEn = 1) at the time of VM entry, the "load IA32_RTIT_CTL" VM-entry control must be 0.

On the host side, KVM doesn't validate the guest CPUID configuration provided by userspace, and even worse, uses the guest configuration to decide what MSRs to save/load at VM-Enter and VM-Exit. E.g. configuring guest CPUID to enumerate more address ranges than are supported in hardware will result in KVM trying to passthrough, save, and load non-existent MSRs, which generates a variety of WARNs, ToPA ERRORs in the host, a potential deadlock, etc.

AI-Powered Analysis

Last updated: 06/28/2025, 15:26:00 UTC

Technical Analysis

CVE-2024-53135 is a vulnerability in the Linux kernel's KVM (Kernel-based Virtual Machine) virtualization subsystem, specifically in the virtualization of Intel Processor Trace (Intel PT) in guest/host mode. Intel PT is a hardware feature used for detailed tracing and debugging of processor execution, and KVM's implementation of its guest/host mode contains multiple bugs: some can cause fatal errors in guest virtual machines, while others threaten the stability and security of the host system running the hypervisor.

On the guest side, KVM fails to ensure that Intel PT tracing is disabled, and stays disabled, before VM-Enter (virtual machine entry). According to Intel's Software Developer Manual (SDM), if Intel PT is enabled (IA32_RTIT_CTL.TraceEn = 1) at VM entry, the "load IA32_RTIT_CTL" VM-entry control must be zero. KVM does not enforce this, which leads to VMX consistency check failures and guest crashes.

On the host side, KVM does not validate the guest CPUID configuration provided by userspace, and it uses that unvalidated configuration to decide which MSRs to save and load at VM-Enter and VM-Exit. A malicious or misconfigured guest CPUID configuration can therefore enumerate more Intel PT address ranges than the hardware supports, causing KVM to attempt to pass through, save, and load non-existent Model-Specific Registers (MSRs) during VM transitions; this generates warnings, ToPA errors, potential deadlocks, and host instability.

To mitigate these risks, the Linux kernel maintainers have hidden the KVM pt_mode module parameter behind the CONFIG_BROKEN kernel configuration option, effectively disabling Intel PT virtualization in guest/host mode unless the kernel is explicitly built with BROKEN=y. This prevents the vulnerable code path from being used inadvertently. This vulnerability affects Linux kernel versions identified by the commit hash f99e3daf94ff35dd4a878d32ff66e1fd35223ad6 and related builds.

No known exploits are currently reported in the wild, but the vulnerability poses a significant risk to environments using KVM virtualization with Intel PT enabled in guest/host mode.
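As an added illustration (my own code, not KVM code and not part of this advisory), the following Python models the two conditions the description names: the VMX consistency check on IA32_RTIT_CTL.TraceEn at VM entry, and the userspace-side sanity check KVM lacked, comparing a guest's Intel PT CPUID against the host's and listing which IA32_RTIT_ADDRn_A/B MSRs an over-enumerated guest would make the hypervisor touch. Bit positions and MSR numbers are taken from the Intel SDM; the function names and sample values are assumptions.

```python
# Added example: a model of the two conditions CVE-2024-53135 concerns, not KVM code.
# Bit positions and MSR numbers are from the Intel SDM; everything else is illustrative.
RTIT_CTL_TRACEEN = 1 << 0              # IA32_RTIT_CTL bit 0: TraceEn
MSR_IA32_RTIT_ADDR0_A = 0x580          # IA32_RTIT_ADDRn_A/B occupy consecutive pairs from 0x580
CPUID_14_1_EAX_NUM_RANGES_MASK = 0x7   # CPUID.(EAX=14H,ECX=1):EAX[2:0]: number of address ranges

def vm_entry_rtit_ctl_allowed(host_rtit_ctl, load_rtit_ctl_control):
    """The VMX consistency check quoted in the description: if the CPU is tracing
    (TraceEn = 1) at VM entry, the 'load IA32_RTIT_CTL' entry control must be 0.
    A hypervisor must stop tracing before VM-Enter; KVM did not ensure that."""
    tracing = bool(host_rtit_ctl & RTIT_CTL_TRACEEN)
    return not (tracing and load_rtit_ctl_control)

def num_addr_ranges(cpuid_14_1_eax):
    """Number of address-range filters enumerated by CPUID leaf 14H, subleaf 1."""
    return cpuid_14_1_eax & CPUID_14_1_EAX_NUM_RANGES_MASK

def addr_range_msrs(nranges):
    """MSRs a hypervisor saves/loads/passes through for nranges filters: ADDRn_A, ADDRn_B."""
    return [MSR_IA32_RTIT_ADDR0_A + 2 * n + half for n in range(nranges) for half in (0, 1)]

def validate_guest_pt_cpuid(host_cpuid_14_1_eax, guest_cpuid_14_1_eax):
    """The check the description says KVM lacked: a guest must not enumerate more
    address ranges than the host has. Returns (ok, MSRs the guest config would make
    the hypervisor touch that do not exist on this host)."""
    host_n = num_addr_ranges(host_cpuid_14_1_eax)
    guest_n = num_addr_ranges(guest_cpuid_14_1_eax)
    present = set(addr_range_msrs(host_n))
    bogus = [m for m in addr_range_msrs(guest_n) if m not in present]
    return guest_n <= host_n, bogus

if __name__ == "__main__":
    # Constructed values: the host enumerates 2 address ranges, userspace hands the guest 4.
    ok, bogus = validate_guest_pt_cpuid(0x2, 0x4)
    print("guest CPUID accepted:", ok, "non-existent MSRs:", [hex(m) for m in bogus])
    print("VM-Enter with TraceEn=1 and load IA32_RTIT_CTL=1 allowed:",
          vm_entry_rtit_ctl_allowed(RTIT_CTL_TRACEEN, True))
```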

Potential Impact

For European organizations, the impact of CVE-2024-53135 can be substantial, particularly for those relying heavily on Linux-based virtualization infrastructure using KVM on Intel hardware. The vulnerability can lead to guest VM crashes, resulting in service interruptions and potential data loss within virtualized environments. More critically, the host system's stability and security can be compromised, potentially causing host deadlocks or kernel panics, which would affect all VMs running on the host. This could disrupt critical services, cloud infrastructure, and enterprise applications. Organizations in sectors such as finance, telecommunications, government, and cloud service providers, which often use Linux KVM virtualization extensively, may face operational risks and downtime. Additionally, the inability to properly validate guest CPUID configurations could be exploited by malicious insiders or attackers with guest VM access to destabilize host systems, potentially leading to denial of service or facilitating further attacks. Given the widespread use of Linux in European data centers and cloud environments, the vulnerability could affect a broad range of enterprises and public sector organizations. The lack of known exploits currently reduces immediate risk, but the complexity and severity of the bugs warrant urgent attention to patch or mitigate the issue.

Mitigation Recommendations

1. Disable Intel PT virtualization in guest/host mode by ensuring the CONFIG_BROKEN kernel configuration option is not enabled unless absolutely necessary. This is the default in patched kernels.
2. Upgrade Linux kernels to versions that include the fix for CVE-2024-53135, specifically those that hide the pt_mode module parameter behind CONFIG_BROKEN.
3. Audit and restrict guest VM CPUID configurations to prevent enumeration of unsupported address ranges. Implement validation checks in userspace tools that configure KVM guests to avoid passing invalid CPUID data.
4. Monitor host kernel logs for WARNs, ToPA errors, or deadlock symptoms related to MSR handling during VM transitions, which may indicate attempts to exploit this vulnerability.
5. Limit guest VM privileges and isolate untrusted guests to reduce the risk of malicious configuration attempts.
6. Engage with Linux distribution vendors and virtualization platform providers to ensure timely deployment of patches and security advisories.
7. For environments requiring Intel PT virtualization, conduct thorough testing and risk assessment before enabling the feature, considering the known instability.

These steps go beyond generic advice by focusing on configuration management, kernel upgrades, and proactive monitoring tailored to the specifics of this vulnerability.
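To support items 1 and 2 above, here is an added host audit script (my own, not from the kernel or this advisory) that reads the kvm_intel pt_mode parameter, the running kernel's config and the CPU flags, and reports whether the guest/host Intel PT path is reachable. It assumes the paths below, that pt_mode value 1 selects guest/host mode (PT_MODE_HOST_GUEST in KVM's vmx code), and that a kernel carrying the fix does not expose pt_mode=1 unless built with CONFIG_BROKEN=y; the sample inputs in the block are constructed.

```python
import os

# Added host audit for CVE-2024-53135 (not kernel or advisory code). Paths and the
# meaning of pt_mode=1 (PT_MODE_HOST_GUEST) are assumptions noted in the lead-in.
PT_MODE_PATH = "/sys/module/kvm_intel/parameters/pt_mode"
CPUINFO_PATH = "/proc/cpuinfo"
CONFIG_PATH = "/boot/config-" + os.uname().release
PT_MODE_HOST_GUEST = 1

def cpu_has_intel_pt(cpuinfo_text):
    """True if a 'flags' line of /proc/cpuinfo lists intel_pt."""
    for line in cpuinfo_text.splitlines():
        if line.startswith("flags") and ":" in line:
            return "intel_pt" in line.split(":", 1)[1].split()
    return False

def config_has_broken(config_text):
    """True if the kernel config explicitly sets CONFIG_BROKEN=y."""
    return any(line.strip() == "CONFIG_BROKEN=y" for line in config_text.splitlines())

def assess(cpuinfo_text, config_text, pt_mode_text):
    """Classify the host; pt_mode_text is None when the parameter file is absent."""
    if not cpu_has_intel_pt(cpuinfo_text):
        return "not-applicable: CPU does not advertise intel_pt"
    if pt_mode_text is None:
        return "unknown: pt_mode not exposed (kvm_intel not loaded, or hidden by the fix)"
    if int(pt_mode_text.strip()) != PT_MODE_HOST_GUEST:
        return "ok: pt_mode is system mode, guest/host PT virtualization is off"
    if config_has_broken(config_text):
        return "exposed: pt_mode=1 deliberately re-enabled via CONFIG_BROKEN=y"
    return "exposed: pt_mode=1 on a kernel without the CVE-2024-53135 change"

def read_or_none(path):
    try:
        with open(path) as f:
            return f.read()
    except OSError:
        return None

def audit_host():
    """Run assess() on the live system; unreadable cpuinfo/config are treated as empty."""
    return assess(read_or_none(CPUINFO_PATH) or "", read_or_none(CONFIG_PATH) or "",
                  read_or_none(PT_MODE_PATH))

if __name__ == "__main__":
    # Constructed sample: an Intel PT-capable host with pt_mode=1 and CONFIG_BROKEN unset.
    sample = ("flags\t\t: fpu vmx intel_pt\n", "# CONFIG_BROKEN is not set\n", "1\n")
    print("sample:", assess(*sample))
    print("this host:", audit_host())
```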


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-11-19T17:17:24.996Z
Cisa Enriched: false
Cvss Version: null
State: PUBLISHED

Threat ID: 682d9824c4522896dcbdfaea

Added to database: 5/21/2025, 9:08:52 AM

Last enriched: 6/28/2025, 3:26:00 PM

Last updated: 8/21/2025, 4:15:45 AM
