Impact
The vulnerability resides in the Linux kernel’s KVM module, where the logic used to set the NextRIP register for a nested virtual machine control block (vmcb02) is incorrect in a specific scenario. When a level‑1 hypervisor runs a level‑2 guest with a soft interrupt and the NRIPS feature is disabled, the current instruction pointer is mistakenly used as NextRIP after the first nested VMRUN. This mismatch can lead to the guest machine executing instructions from an unintended address, representing a logic flaw (CWE‑841).
Affected Systems
Linux kernel hosts that run KVM with nested virtualization. The flaw appears when the host uses NRIPS disabled and a guest L2 injects a soft interrupt during a nested VMRUN; after the first L2 execution, the vmcb02 NextRIP is set incorrectly.
Risk and Exploitability
The CVSS base score of 5.5 indicates moderate impact. The EPSS score is less than 1%, suggesting a low probability of exploitation at this time, and the vulnerability is not listed in CISA’s KEV catalog. These metrics imply that the risk level is moderate but with a low likelihood of widespread real‑world exploitation.
OpenCVE Enrichment
Ubuntu USN