{
  "threat_severity" : "Low",
  "public_date" : "2025-09-15T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: Linux kernel KVM: Denial of Service in nested SVM due to TSC multiplier manipulation",
    "id" : "2395440",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2395440"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-670",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nKVM: nSVM: Load L1's TSC multiplier based on L1 state, not L2 state\nWhen emulating nested VM-Exit, load L1's TSC multiplier if L1's desired\nratio doesn't match the current ratio, not if the ratio L1 is using for\nL2 diverges from the default.  Functionally, the end result is the same\nas KVM will run L2 with L1's multiplier if L2's multiplier is the default,\ni.e. checking that L1's multiplier is loaded is equivalent to checking if\nL2 has a non-default multiplier.\nHowever, the assertion that TSC scaling is exposed to L1 is flawed, as\nuserspace can trigger the WARN at will by writing the MSR and then\nupdating guest CPUID to hide the feature (modifying guest CPUID is\nallowed anytime before KVM_RUN).  E.g. hacking KVM's state_test\nselftest to do\nvcpu_set_msr(vcpu, MSR_AMD64_TSC_RATIO, 0);\nvcpu_clear_cpuid_feature(vcpu, X86_FEATURE_TSCRATEMSR);\nafter restoring state in a new VM+vCPU yields an endless supply of:\n------------[ cut here ]------------\nWARNING: CPU: 10 PID: 206939 at arch/x86/kvm/svm/nested.c:1105\nnested_svm_vmexit+0x6af/0x720 [kvm_amd]\nCall Trace:\nnested_svm_exit_handled+0x102/0x1f0 [kvm_amd]\nsvm_handle_exit+0xb9/0x180 [kvm_amd]\nkvm_arch_vcpu_ioctl_run+0x1eab/0x2570 [kvm]\nkvm_vcpu_ioctl+0x4c9/0x5b0 [kvm]\n? trace_hardirqs_off+0x4d/0xa0\n__se_sys_ioctl+0x7a/0xc0\n__x64_sys_ioctl+0x21/0x30\ndo_syscall_64+0x41/0x90\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\nUnlike the nested VMRUN path, hoisting the svm->tsc_scaling_enabled check\ninto the if-statement is wrong as KVM needs to ensure L1's multiplier is\nloaded in the above scenario.   Alternatively, the WARN_ON() could simply\nbe deleted, but that would make KVM's behavior even more subtle, e.g. it's\nnot immediately obvious why it's safe to write MSR_AMD64_TSC_RATIO when\nchecking only tsc_ratio_msr.", "A flaw was found in the Linux kernel's Kernel-based Virtual Machine (KVM) nested SVM (nSVM) module. A local, low-privileged user on the host who can drive a vCPU through /dev/kvm (for example a VMM process) whose guest (L1) is itself running a nested guest (L2) can write MSR_AMD64_TSC_RATIO and then remove the TSC rate MSR feature from the guest's CPUID, which KVM permits at any time before KVM_RUN. When KVM next emulates a nested VM-exit it hits a WARN_ON() in nested_svm_vmexit(), and the sequence can be repeated at will. On its own the WARN only floods the kernel log; on hosts where kernel.panic_on_warn is enabled it panics the host, resulting in a Denial of Service (DoS)." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-04-30T00:00:00Z",
    "advisory" : "RHSA-2024:2394",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-427.13.1.el9_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-04-30T00:00:00Z",
    "advisory" : "RHSA-2024:2394",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-427.13.1.el9_4"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-53208", "https://nvd.nist.gov/vuln/detail/CVE-2023-53208", "https://lore.kernel.org/linux-cve-announce/2025091510-CVE-2023-53208-b31d@gregkh/T" ],
  "name" : "CVE-2023-53208",
  "csaw" : false
}
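Added check, not part of the Red Hat record above: a POSIX sh script that decides from a RHEL 9 host's `uname -r` whether it runs at least the fixed kernel build listed under affected_release (5.14.0-427.13.1.el9_4, from RHSA-2024:2394), flags kernel-rt hosts as unfixed since the record lists that package as "Fix deferred", and reports whether kernel.panic_on_warn would turn the WARN in nested_svm_vmexit() into a host panic. The panic_on_warn sysctl and the "+rt" uname suffix used to recognise kernel-rt builds are assumptions of this example, not facts stated in the record, and version ordering relies on coreutils sort -V rather than rpm's own comparison.

```shell
#!/bin/sh
# Example check for CVE-2023-53208 on RHEL 9 hosts (added here, not Red Hat tooling).
# Requires only POSIX sh, sed -E and coreutils sort -V.

# Fixed build from RHSA-2024:2394, minus the "kernel-0:" epoch/name prefix.
FIXED_NVR="5.14.0-427.13.1.el9_4"

# strip_kernel_release: "5.14.0-427.13.1.el9_4.x86_64" -> "5.14.0-427.13.1.el9_4"
strip_kernel_release() {
    printf '%s\n' "$1" | sed -E 's/\.(x86_64|aarch64|ppc64le|s390x)$//'
}

# version_ge A B: succeed when A >= B under sort -V ordering.
# sort -V puts the smaller value first; if that is B, then A >= B (equal included).
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# kernel_status RELEASE: print one of
#   fixed, vulnerable, kernel-rt-fix-deferred, not-rhel9
kernel_status() {
    case "$1" in
        *+rt*)  # assumed: RHEL 9 kernel-rt builds carry a "+rt" uname suffix
            printf 'kernel-rt-fix-deferred\n'; return 0 ;;
    esac
    rel=$(strip_kernel_release "$1")
    case "$rel" in
        *.el9*) ;;
        *) printf 'not-rhel9\n'; return 0 ;;
    esac
    if version_ge "$rel" "$FIXED_NVR"; then
        printf 'fixed\n'
    else
        printf 'vulnerable\n'
    fi
}

# warn_becomes_panic: "yes" when kernel.panic_on_warn is non-zero, i.e. the
# WARN_ON() in nested_svm_vmexit() would take the host down instead of logging.
warn_becomes_panic() {
    if [ -r /proc/sys/kernel/panic_on_warn ] && \
       [ "$(cat /proc/sys/kernel/panic_on_warn)" != "0" ]; then
        printf 'yes\n'
    else
        printf 'no\n'
    fi
}

# Run with --self to assess the host this script executes on.
if [ "${1:-}" = "--self" ]; then
    running=$(uname -r)
    printf 'kernel %s: %s; panic_on_warn turns WARN into host panic: %s\n' \
        "$running" "$(kernel_status "$running")" "$(warn_becomes_panic)"
fi
```

A "fixed" result only covers the kernel package; the RHEL 9 kernel-rt and RHEL 8 kernels are listed as "Fix deferred" in package_state, so on those hosts the practical mitigation is to restrict /dev/kvm access to trusted VMM users and to leave kernel.panic_on_warn at 0 so a triggered WARN stays a log entry rather than a host crash.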