{"id":"CVE-2023-53208","summary":"KVM: nSVM: Load L1's TSC multiplier based on L1 state, not L2 state","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: nSVM: Load L1's TSC multiplier based on L1 state, not L2 state\n\nWhen emulating nested VM-Exit, load L1's TSC multiplier if L1's desired\nratio doesn't match the current ratio, not if the ratio L1 is using for\nL2 diverges from the default.  Functionally, the end result is the same\nas KVM will run L2 with L1's multiplier if L2's multiplier is the default,\ni.e. checking that L1's multiplier is loaded is equivalent to checking if\nL2 has a non-default multiplier.\n\nHowever, the assertion that TSC scaling is exposed to L1 is flawed, as\nuserspace can trigger the WARN at will by writing the MSR and then\nupdating guest CPUID to hide the feature (modifying guest CPUID is\nallowed anytime before KVM_RUN).  E.g. hacking KVM's state_test\nselftest to do\n\n                vcpu_set_msr(vcpu, MSR_AMD64_TSC_RATIO, 0);\n                vcpu_clear_cpuid_feature(vcpu, X86_FEATURE_TSCRATEMSR);\n\nafter restoring state in a new VM+vCPU yields an endless supply of:\n\n  ------------[ cut here ]------------\n  WARNING: CPU: 10 PID: 206939 at arch/x86/kvm/svm/nested.c:1105\n           nested_svm_vmexit+0x6af/0x720 [kvm_amd]\n  Call Trace:\n   nested_svm_exit_handled+0x102/0x1f0 [kvm_amd]\n   svm_handle_exit+0xb9/0x180 [kvm_amd]\n   kvm_arch_vcpu_ioctl_run+0x1eab/0x2570 [kvm]\n   kvm_vcpu_ioctl+0x4c9/0x5b0 [kvm]\n   ? trace_hardirqs_off+0x4d/0xa0\n   __se_sys_ioctl+0x7a/0xc0\n   __x64_sys_ioctl+0x21/0x30\n   do_syscall_64+0x41/0x90\n   entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nUnlike the nested VMRUN path, hoisting the svm-\u003etsc_scaling_enabled check\ninto the if-statement is wrong as KVM needs to ensure L1's multiplier is\nloaded in the above scenario.   Alternatively, the WARN_ON() could simply\nbe deleted, but that would make KVM's behavior even more subtle, e.g. it's\nnot immediately obvious why it's safe to write MSR_AMD64_TSC_RATIO when\nchecking only tsc_ratio_msr.","modified":"2026-04-02T09:43:49.655087Z","published":"2025-09-15T14:21:36.170Z","related":["SUSE-SU-2025:03600-1","SUSE-SU-2025:03634-1","SUSE-SU-2025:20851-1","SUSE-SU-2025:20861-1","SUSE-SU-2025:20870-1","SUSE-SU-2025:20898-1","SUSE-SU-2025:3751-1","SUSE-SU-2025:4057-1","SUSE-SU-2025:4132-1","SUSE-SU-2025:4141-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/53xxx/CVE-2023-53208.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/0c94e2468491cbf0754f49a5136ab51294a96b69"},{"type":"WEB","url":"https://git.kernel.org/stable/c/5b2b0535fa7adee7e295fed0a3095082131a8d05"},{"type":"WEB","url":"https://git.kernel.org/stable/c/e91c07f6cf7060d2acb3aeee31a6baebe3773d3f"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/53xxx/CVE-2023-53208.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-53208"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"5228eb96a4875f8cf5d61d486e3795ac14df8904"},{"fixed":"5b2b0535fa7adee7e295fed0a3095082131a8d05"},{"fixed":"e91c07f6cf7060d2acb3aeee31a6baebe3773d3f"},{"fixed":"0c94e2468491cbf0754f49a5136ab51294a96b69"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-53208.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"}]}