{
  "threat_severity" : "Low",
  "public_date" : "2025-09-16T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: Linux kernel KVM: Denial of Service due to incorrect kvm_arm_init failure handling in finalize_pkvm",
    "id" : "2395869",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2395869"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-820",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nKVM: arm64: Handle kvm_arm_init failure correctly in finalize_pkvm\nCurrently there is no synchronisation between finalize_pkvm() and\nkvm_arm_init() initcalls. The finalize_pkvm() proceeds happily even if\nkvm_arm_init() fails resulting in the following warning on all the CPUs\nand eventually a HYP panic:\n| kvm [1]: IPA Size Limit: 48 bits\n| kvm [1]: Failed to init hyp memory protection\n| kvm [1]: error initializing Hyp mode: -22\n|\n| <snip>\n|\n| WARNING: CPU: 0 PID: 0 at arch/arm64/kvm/pkvm.c:226 _kvm_host_prot_finalize+0x30/0x50\n| Modules linked in:\n| CPU: 0 PID: 0 Comm: swapper/0 Not tainted 6.4.0 #237\n| Hardware name: FVP Base RevC (DT)\n| pstate: 634020c5 (nZCv daIF +PAN -UAO +TCO +DIT -SSBS BTYPE=--)\n| pc : _kvm_host_prot_finalize+0x30/0x50\n| lr : __flush_smp_call_function_queue+0xd8/0x230\n|\n| Call trace:\n|  _kvm_host_prot_finalize+0x3c/0x50\n|  on_each_cpu_cond_mask+0x3c/0x6c\n|  pkvm_drop_host_privileges+0x4c/0x78\n|  finalize_pkvm+0x3c/0x5c\n|  do_one_initcall+0xcc/0x240\n|  do_initcall_level+0x8c/0xac\n|  do_initcalls+0x54/0x94\n|  do_basic_setup+0x1c/0x28\n|  kernel_init_freeable+0x100/0x16c\n|  kernel_init+0x20/0x1a0\n|  ret_from_fork+0x10/0x20\n| Failed to finalize Hyp protection: -22\n|     dtb=fvp-base-revc.dtb\n| kvm [95]: nVHE hyp BUG at: arch/arm64/kvm/hyp/nvhe/mem_protect.c:540!\n| kvm [95]: nVHE call trace:\n| kvm [95]:  [<ffff800081052984>] __kvm_nvhe_hyp_panic+0xac/0xf8\n| kvm [95]:  [<ffff800081059644>] __kvm_nvhe_handle_host_mem_abort+0x1a0/0x2ac\n| kvm [95]:  [<ffff80008105511c>] __kvm_nvhe_handle_trap+0x4c/0x160\n| kvm [95]:  [<ffff8000810540fc>] __kvm_nvhe___skip_pauth_save+0x4/0x4\n| kvm [95]: ---[ end nVHE call trace ]---\n| kvm [95]: Hyp Offset: 0xfffe8db00ffa0000\n| Kernel panic - not syncing: HYP panic:\n| PS:a34023c9 PC:0000f250710b973c ESR:00000000f2000800\n| FAR:ffff000800cb00d0 HPFAR:000000000880cb00 PAR:0000000000000000\n| VCPU:0000000000000000\n| CPU: 3 PID: 95 Comm: kworker/u16:2 Tainted: G        W          6.4.0 #237\n| Hardware name: FVP Base RevC (DT)\n| Workqueue: rpciod rpc_async_schedule\n| Call trace:\n|  dump_backtrace+0xec/0x108\n|  show_stack+0x18/0x2c\n|  dump_stack_lvl+0x50/0x68\n|  dump_stack+0x18/0x24\n|  panic+0x138/0x33c\n|  nvhe_hyp_panic_handler+0x100/0x184\n|  new_slab+0x23c/0x54c\n|  ___slab_alloc+0x3e4/0x770\n|  kmem_cache_alloc_node+0x1f0/0x278\n|  __alloc_skb+0xdc/0x294\n|  tcp_stream_alloc_skb+0x2c/0xf0\n|  tcp_sendmsg_locked+0x3d0/0xda4\n|  tcp_sendmsg+0x38/0x5c\n|  inet_sendmsg+0x44/0x60\n|  sock_sendmsg+0x1c/0x34\n|  xprt_sock_sendmsg+0xdc/0x274\n|  xs_tcp_send_request+0x1ac/0x28c\n|  xprt_transmit+0xcc/0x300\n|  call_transmit+0x78/0x90\n|  __rpc_execute+0x114/0x3d8\n|  rpc_async_schedule+0x28/0x48\n|  process_one_work+0x1d8/0x314\n|  worker_thread+0x248/0x474\n|  kthread+0xfc/0x184\n|  ret_from_fork+0x10/0x20\n| SMP: stopping secondary CPUs\n| Kernel Offset: 0x57c5cb460000 from 0xffff800080000000\n| PHYS_OFFSET: 0x80000000\n| CPU features: 0x00000000,1035b7a3,ccfe773f\n| Memory Limit: none\n| ---[ end Kernel panic - not syncing: HYP panic:\n| PS:a34023c9 PC:0000f250710b973c ESR:00000000f2000800\n| FAR:ffff000800cb00d0 HPFAR:000000000880cb00 PAR:0000000000000000\n| VCPU:0000000000000000 ]---\nFix it by checking for the successful initialisation of kvm_arm_init()\nin finalize_pkvm() before proceeding any further.", "A flaw was found in the Linux kernel's Kernel-based Virtual Machine (KVM) for arm64 architectures. This vulnerability arises from a lack of synchronization between the `finalize_pkvm()` and `kvm_arm_init()` initialization calls. A local attacker with low privileges could exploit this by triggering a scenario where `finalize_pkvm()` proceeds despite a failure in `kvm_arm_init()`, leading to a kernel panic and a Denial of Service (DoS) on the system." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-11-07T00:00:00Z",
    "advisory" : "RHSA-2023:6583",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-362.8.1.el9_3"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-11-07T00:00:00Z",
    "advisory" : "RHSA-2023:6583",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-362.8.1.el9_3"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-53319\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-53319\nhttps://lore.kernel.org/linux-cve-announce/2025091643-CVE-2023-53319-4fd2@gregkh/T" ],
  "name" : "CVE-2023-53319",
  "csaw" : false
}