{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2023-53756","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-12-08T01:18:04.280Z","datePublished":"2025-12-08T01:19:17.081Z","dateUpdated":"2026-05-11T19:51:04.572Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T19:51:04.572Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: VMX: Fix crash due to uninitialized current_vmcs\n\nKVM enables 'Enlightened VMCS' and 'Enlightened MSR Bitmap' when running as\na nested hypervisor on top of Hyper-V. When MSR bitmap is updated,\nevmcs_touch_msr_bitmap function uses current_vmcs per-cpu variable to mark\nthat the msr bitmap was changed.\n\nvmx_vcpu_create() modifies the msr bitmap via vmx_disable_intercept_for_msr\n-> vmx_msr_bitmap_l01_changed which in the end calls this function. The\nfunction checks for current_vmcs if it is null but the check is\ninsufficient because current_vmcs is not initialized. Because of this, the\ncode might incorrectly write to the structure pointed by current_vmcs value\nleft by another task. Preemption is not disabled, the current task can be\npreempted and moved to another CPU while current_vmcs is accessed multiple\ntimes from evmcs_touch_msr_bitmap() which leads to crash.\n\nThe manipulation of MSR bitmaps by callers happens only for vmcs01 so the\nsolution is to use vmx->vmcs01.vmcs instead of current_vmcs.\n\n  BUG: kernel NULL pointer dereference, address: 0000000000000338\n  PGD 4e1775067 P4D 0\n  Oops: 0002 [#1] PREEMPT SMP NOPTI\n  ...\n  RIP: 0010:vmx_msr_bitmap_l01_changed+0x39/0x50 [kvm_intel]\n  ...\n  Call Trace:\n   vmx_disable_intercept_for_msr+0x36/0x260 [kvm_intel]\n   vmx_vcpu_create+0xe6/0x540 [kvm_intel]\n   kvm_arch_vcpu_create+0x1d1/0x2e0 [kvm]\n   kvm_vm_ioctl_create_vcpu+0x178/0x430 [kvm]\n   kvm_vm_ioctl+0x53f/0x790 [kvm]\n   __x64_sys_ioctl+0x8a/0xc0\n   do_syscall_64+0x5c/0x90\n   entry_SYSCALL_64_after_hwframe+0x63/0xcd"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["arch/x86/kvm/vmx/hyperv.h","arch/x86/kvm/vmx/vmx.c"],"versions":[{"version":"ceef7d10dfb6284d512c499292e6daa35ea83f90","lessThan":"6baebcecf09acd19e2bab1c2911dcdba5d48a1dc","status":"affected","versionType":"git"},{"version":"ceef7d10dfb6284d512c499292e6daa35ea83f90","lessThan":"6e7bc50f97c9855da83f1478f722590defd45ff2","status":"affected","versionType":"git"},{"version":"ceef7d10dfb6284d512c499292e6daa35ea83f90","lessThan":"b2de2b4d4e007f9add46ea8dc06f781835e3ea9f","status":"affected","versionType":"git"},{"version":"ceef7d10dfb6284d512c499292e6daa35ea83f90","lessThan":"3ba95cc671c025d0d2a1c7d5e2930f0ff0980cf4","status":"affected","versionType":"git"},{"version":"ceef7d10dfb6284d512c499292e6daa35ea83f90","lessThan":"93827a0a36396f2fd6368a54a020f420c8916e9b","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["arch/x86/kvm/vmx/hyperv.h","arch/x86/kvm/vmx/vmx.c"],"versions":[{"version":"4.18","status":"affected"},{"version":"0","lessThan":"4.18","status":"unaffected","versionType":"semver"},{"version":"5.10.175","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.103","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.16","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.2.3","lessThanOrEqual":"6.2.*","status":"unaffected","versionType":"semver"},{"version":"6.3","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.18","versionEndExcluding":"5.10.175"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.18","versionEndExcluding":"5.15.103"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.18","versionEndExcluding":"6.1.16"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.18","versionEndExcluding":"6.2.3"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.18","versionEndExcluding":"6.3"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/6baebcecf09acd19e2bab1c2911dcdba5d48a1dc"},{"url":"https://git.kernel.org/stable/c/6e7bc50f97c9855da83f1478f722590defd45ff2"},{"url":"https://git.kernel.org/stable/c/b2de2b4d4e007f9add46ea8dc06f781835e3ea9f"},{"url":"https://git.kernel.org/stable/c/3ba95cc671c025d0d2a1c7d5e2930f0ff0980cf4"},{"url":"https://git.kernel.org/stable/c/93827a0a36396f2fd6368a54a020f420c8916e9b"}],"title":"KVM: VMX: Fix crash due to uninitialized current_vmcs","x_generator":{"engine":"bippy-1.2.0"}}}}