{"id":"CVE-2023-53756","summary":"KVM: VMX: Fix crash due to uninitialized current_vmcs","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: VMX: Fix crash due to uninitialized current_vmcs\n\nKVM enables 'Enlightened VMCS' and 'Enlightened MSR Bitmap' when running as\na nested hypervisor on top of Hyper-V. When MSR bitmap is updated,\nevmcs_touch_msr_bitmap function uses current_vmcs per-cpu variable to mark\nthat the msr bitmap was changed.\n\nvmx_vcpu_create() modifies the msr bitmap via vmx_disable_intercept_for_msr\n-\u003e vmx_msr_bitmap_l01_changed which in the end calls this function. The\nfunction checks for current_vmcs if it is null but the check is\ninsufficient because current_vmcs is not initialized. Because of this, the\ncode might incorrectly write to the structure pointed by current_vmcs value\nleft by another task. Preemption is not disabled, the current task can be\npreempted and moved to another CPU while current_vmcs is accessed multiple\ntimes from evmcs_touch_msr_bitmap() which leads to crash.\n\nThe manipulation of MSR bitmaps by callers happens only for vmcs01 so the\nsolution is to use vmx-\u003evmcs01.vmcs instead of current_vmcs.\n\n  BUG: kernel NULL pointer dereference, address: 0000000000000338\n  PGD 4e1775067 P4D 0\n  Oops: 0002 [#1] PREEMPT SMP NOPTI\n  ...\n  RIP: 0010:vmx_msr_bitmap_l01_changed+0x39/0x50 [kvm_intel]\n  ...\n  Call Trace:\n   vmx_disable_intercept_for_msr+0x36/0x260 [kvm_intel]\n   vmx_vcpu_create+0xe6/0x540 [kvm_intel]\n   kvm_arch_vcpu_create+0x1d1/0x2e0 [kvm]\n   kvm_vm_ioctl_create_vcpu+0x178/0x430 [kvm]\n   kvm_vm_ioctl+0x53f/0x790 [kvm]\n   __x64_sys_ioctl+0x8a/0xc0\n   do_syscall_64+0x5c/0x90\n   entry_SYSCALL_64_after_hwframe+0x63/0xcd","modified":"2026-04-02T09:45:05.951125Z","published":"2025-12-08T01:19:17.081Z","database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/53xxx/CVE-2023-53756.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/3ba95cc671c025d0d2a1c7d5e2930f0ff0980cf4"},{"type":"WEB","url":"https://git.kernel.org/stable/c/6baebcecf09acd19e2bab1c2911dcdba5d48a1dc"},{"type":"WEB","url":"https://git.kernel.org/stable/c/6e7bc50f97c9855da83f1478f722590defd45ff2"},{"type":"WEB","url":"https://git.kernel.org/stable/c/93827a0a36396f2fd6368a54a020f420c8916e9b"},{"type":"WEB","url":"https://git.kernel.org/stable/c/b2de2b4d4e007f9add46ea8dc06f781835e3ea9f"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/53xxx/CVE-2023-53756.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-53756"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"ceef7d10dfb6284d512c499292e6daa35ea83f90"},{"fixed":"6baebcecf09acd19e2bab1c2911dcdba5d48a1dc"},{"fixed":"6e7bc50f97c9855da83f1478f722590defd45ff2"},{"fixed":"b2de2b4d4e007f9add46ea8dc06f781835e3ea9f"},{"fixed":"3ba95cc671c025d0d2a1c7d5e2930f0ff0980cf4"},{"fixed":"93827a0a36396f2fd6368a54a020f420c8916e9b"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-53756.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"4.18.0"},{"fixed":"5.10.175"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.11.0"},{"fixed":"5.15.103"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.16.0"},{"fixed":"6.1.16"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.2.3"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-53756.json"}}],"schema_version":"1.7.5"}