CVE-2017-2596 - Vulnerability Details - OpenCVE

The nested_vmx_check_vmptr function in arch/x86/kvm/vmx.c in the Linux kernel through 4.9.8 improperly emulates the VMXON instruction, which allows KVM L1 guest OS users to cause a denial of service (host OS memory consumption) by leveraging the mishandling of page references.

No CVSS v4.0

No CVSS v3.1

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Complete

This CVE is not in the KEV list.

The EPSS score is 0.00049.

Key SSVC decision points have not yet been added.

Vendors	Products
Linux	Linux Kernel
Redhat	Enterprise Linux Rhel Extras Rt

Configuration 1 [-]

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*

Package	CPE	Advisory	Released Date
Red Hat Enterprise Linux 7
kernel-rt-0:3.10.0-693.rt56.617.el7	cpe:/a:redhat:rhel_extras_rt:7	RHSA-2017:2077	2017-08-01T00:00:00Z
kernel-0:3.10.0-693.el7	cpe:/o:redhat:enterprise_linux:7	RHSA-2017:1842	2017-08-01T00:00:00Z

No data.

References

Link	Providers
http://www.debian.org/security/2017/dsa-3791
http://www.openwall.com/lists/oss-security/2017/01/31/4
http://www.securityfocus.com/bid/95878
https://access.redhat.com/errata/RHSA-2017:1842
https://access.redhat.com/errata/RHSA-2017:2077
https://bugzilla.redhat.com/show_bug.cgi?id=1417812
https://nvd.nist.gov/vuln/detail/CVE-2017-2596
https://www.cve.org/CVERecord?id=CVE-2017-2596

History

No history.

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2017-02-06T06:04:00

Updated: 2024-08-05T14:02:06.941Z

Reserved: 2016-12-01T00:00:00

Link: CVE-2017-2596

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2017-02-06T06:59:00.450

Modified: 2025-04-20T01:37:25.860

Link: CVE-2017-2596

Redhat

Severity : Moderate

Publid Date: 2017-01-24T00:00:00Z

Links: CVE-2017-2596 - Bugzilla

OpenCVE Enrichment

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2017-01-31T00:00:00", "descriptions": [{"lang": "en", "value": "The nested_vmx_check_vmptr function in arch/x86/kvm/vmx.c in the Linux kernel through 4.9.8 improperly emulates the VMXON instruction, which allows KVM L1 guest OS users to cause a denial of service (host OS memory consumption) by leveraging the mishandling of page references."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-01-04T19:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1417812"}, {"name": "[oss-security] 20170131 CVE-2017-2596 Kernel: kvm: page reference leakage in handle_vmon", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2017/01/31/4"}, {"name": "95878", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/95878"}, {"name": "RHSA-2017:2077", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2017:2077"}, {"name": "RHSA-2017:1842", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2017:1842"}, {"name": "DSA-3791", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "http://www.debian.org/security/2017/dsa-3791"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T14:02:06.941Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1417812"}, {"name": "[oss-security] 20170131 CVE-2017-2596 Kernel: kvm: page reference leakage in handle_vmon", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2017/01/31/4"}, {"name": "95878", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/95878"}, {"name": "RHSA-2017:2077", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2017:2077"}, {"name": "RHSA-2017:1842", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2017:1842"}, {"name": "DSA-3791", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "http://www.debian.org/security/2017/dsa-3791"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2017-2596", "datePublished": "2017-02-06T06:04:00", "dateReserved": "2016-12-01T00:00:00", "dateUpdated": "2024-08-05T14:02:06.941Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "631307FC-F876-4F6F-9611-3DA04263A60E", "versionEndIncluding": "4.9.8", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The nested_vmx_check_vmptr function in arch/x86/kvm/vmx.c in the Linux kernel through 4.9.8 improperly emulates the VMXON instruction, which allows KVM L1 guest OS users to cause a denial of service (host OS memory consumption) by leveraging the mishandling of page references."}, {"lang": "es", "value": "La funci\u00f3n nested_vmx_check_vmptr en arch/x86/kvm/vmx.c en el kernel de Linux hasta la versi\u00f3n 4.9.8 emula indebidamente la instrucci\u00f3n VMXON, lo que permite a usuarios del SO invitado KVM L1 provocar una denegaci\u00f3n de servicio (consumo de memoria del SO anfitri\u00f3n) aprovechando el manejo incorrecto de referencia de p\u00e1ginas."}], "id": "CVE-2017-2596", "lastModified": "2025-04-20T01:37:25.860", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 4.9, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 6.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H", "version": "3.0"}, "exploitabilityScore": 2.0, "impactScore": 4.0, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-02-06T06:59:00.450", "references": [{"source": "secalert@redhat.com", "url": "http://www.debian.org/security/2017/dsa-3791"}, {"source": "secalert@redhat.com", "tags": ["Mailing List", "Patch", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2017/01/31/4"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/95878"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2017:1842"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2017:2077"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Patch"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1417812"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.debian.org/security/2017/dsa-3791"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Patch", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2017/01/31/4"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/95878"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://access.redhat.com/errata/RHSA-2017:1842"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://access.redhat.com/errata/RHSA-2017:2077"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Patch"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1417812"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-772"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank Dmitry Vyukov (Google Inc.) for reporting this issue.", "affected_release": [{"advisory": "RHSA-2017:2077", "cpe": "cpe:/a:redhat:rhel_extras_rt:7", "package": "kernel-rt-0:3.10.0-693.rt56.617.el7", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2017-08-01T00:00:00Z"}, {"advisory": "RHSA-2017:1842", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "kernel-0:3.10.0-693.el7", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2017-08-01T00:00:00Z"}], "bugzilla": {"description": "Kernel: kvm: page reference leakage in handle_vmon", "id": "1417812", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1417812"}, "csaw": false, "cvss": {"cvss_base_score": "4.3", "cvss_scoring_vector": "AV:A/AC:H/Au:S/C:N/I:N/A:C", "status": "verified"}, "cvss3": {"cvss3_base_score": "5.8", "cvss3_scoring_vector": "CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-772", "details": ["The nested_vmx_check_vmptr function in arch/x86/kvm/vmx.c in the Linux kernel through 4.9.8 improperly emulates the VMXON instruction, which allows KVM L1 guest OS users to cause a denial of service (host OS memory consumption) by leveraging the mishandling of page references.", "Linux kernel built with the KVM visualization support (CONFIG_KVM), with nested visualization(nVMX) feature enabled(nested=1), is vulnerable to host memory leakage issue. It could occur while emulating VMXON instruction in 'handle_vmon'. An L1 guest user could use this flaw to leak host memory potentially resulting in DoS."], "name": "CVE-2017-2596", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:5", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 5"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/a:redhat:enterprise_mrg:2", "fix_state": "Not affected", "package_name": "realtime-kernel", "product_name": "Red Hat Enterprise MRG 2"}], "public_date": "2017-01-24T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2017-2596\nhttps://nvd.nist.gov/vuln/detail/CVE-2017-2596"], "statement": "This issue does not affect the versions of the kernel package as shipped with\nRed Hat Enterprise Linux 5, 6, 7 and Red Hat Enterprise MRG 2.", "threat_severity": "Moderate"}