Impact
This vulnerability stems from the Linux kernel’s KVM subsystem on arm64, where page table walks in fault injection and AT emulation are performed without acquiring the necessary SRCU lock. The result is an unchecked race condition that can corrupt memory, leading to kernel panics or other unstable states. The weakness is a concurrency issue involving shared memory protection as defined by CWE‑820, allowing an attacker to manipulate shared data structures concurrently.
Affected Systems
All Linux kernel arm64 builds that implement the KVM virtualization path prior to the fix in commit 97706097f9b851cfe55c3b00b083dfc2bcf542bc. The issue specifically affects the kvm_walk_nested_s2() and walk_s1() functions when used by __kvm_at_s12() and __kvm_find_s1_desc_level() without holding the kvm->srcu lock.
Risk and Exploitability
The CVSS score of 8.8 indicates a high severity vulnerability, while the EPSS score of <1% suggests a low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog, indicating no known large‑scale exploitation. The likely attack vector involves a malicious guest or a user with sufficient privileges to trigger fault injection or AT emulation in KVM, potentially leading to arbitrary memory corruption or a denial‑of‑service condition. As it is a concurrency issue, the success of an exploit depends on precise timing and the ability to force the kernel to perform the problematic page table walks.
OpenCVE Enrichment