CVE-2023-53756

Boot-Time

Vulnerability

CVE-2023-53756 is a bug in the Linux kernel's KVM/VMX implementation that occurs when the kernel itself runs as a nested hypervisor on top of Microsoft Hyper-V with 'Enlightened VMCS' and 'Enlightened MSR Bitmap' features enabled. The function evmcs_touch_msr_bitmap relies on the per-CPU variable current_vmcs, but this variable is not initialized during VM creation. Because the check for a null current_vmcs is insufficient, the code may dereference a stale pointer left by a previous task on that CPU, leading to a NULL-pointer dereference or other memory corruption [1][2].

Attack

Conditions

Exploitation is local; an attacker must have the ability to trigger VM creation via the KVM ioctl interface (e.g., KVM_CREATE_VCPU). No special privileges beyond KVM_CAP_IOMMU-type capabilities are required, but the host must be configured as a nested Hyper-V guest. Race conditions can occur because preemption is not disabled while current_vmcs is read multiple times in evmcs_touch_msr_bitmap, allowing a move to another CPU mid-operation.

Impact

A successful trigger results in a kernel crash (NULL pointer dereference), causing a denial of service (DoS) for the entire host system. The crash trace shows the oops occurring in vmx_msr_bitmap_l01_changed during vmx_disable_intercept_for_msr called from vmx_vcpu_create.

Remediation

The fix [1][2] replaces the use of current_vmcs with vmx->vmcs01.vmcs, which is always initialized and properly scoped to the VCPU being created. Patches have been applied to the upstream Linux kernel and backported to stable branches. Administrators should update to a kernel version containing the fix (commits 6baebcecf09a or 3ba95cc671c0 or later).