CVE-2017-2596

MEDIUM

Linux Kernel < 4.9.8 - Resource Leak

Title source: rule

Description

The nested_vmx_check_vmptr function in arch/x86/kvm/vmx.c in the Linux kernel through 4.9.8 improperly emulates the VMXON instruction, which allows KVM L1 guest OS users to cause a denial of service (host OS memory consumption) by leveraging the mishandling of page references.

References (6)

[Mailing List, Patch, Third Party Advisory] http://www.openwall.com/lists/oss-security/2017/01/31/4

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/95878

[Issue Tracking, Patch] https://bugzilla.redhat.com/show_bug.cgi?id=1417812

[Third Party Advisory] http://www.debian.org/security/2017/dsa-3791

[Vendor Advisory] https://access.redhat.com/errata/RHSA-2017:1842

[Vendor Advisory] https://access.redhat.com/errata/RHSA-2017:2077

Scores

CVSS v3 6.5

EPSS 0.0005

EPSS Percentile 15.0%

Attack Vector LOCAL

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H

Classification

CWE

CWE-772

Status published

Affected Products (2)

linux/linux_kernel < 4.9.8

n/a/n/a

Timeline

Published Feb 06, 2017

Tracked Since Feb 18, 2026