{
  "threat_severity" : "Low",
  "public_date" : "2025-12-30T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: KVM: SVM: Get source vCPUs from source VM for SEV-ES intrahost migration",
    "id" : "2426083",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2426083"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-386",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nKVM: SVM: Get source vCPUs from source VM for SEV-ES intrahost migration\nFix a goof where KVM tries to grab source vCPUs from the destination VM\nwhen doing intrahost migration.  Grabbing the wrong vCPU not only hoses\nthe guest, it also crashes the host due to the VMSA pointer being left\nNULL.\nBUG: unable to handle page fault for address: ffffe38687000000\n#PF: supervisor read access in kernel mode\n#PF: error_code(0x0000) - not-present page\nPGD 0 P4D 0\nOops: 0000 [#1] SMP NOPTI\nCPU: 39 PID: 17143 Comm: sev_migrate_tes Tainted: GO       6.5.0-smp--fff2e47e6c3b-next #151\nHardware name: Google, Inc. Arcadia_IT_80/Arcadia_IT_80, BIOS 34.28.0 07/10/2023\nRIP: 0010:__free_pages+0x15/0xd0\nRSP: 0018:ffff923fcf6e3c78 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: ffffe38687000000 RCX: 0000000000000100\nRDX: 0000000000000100 RSI: 0000000000000000 RDI: ffffe38687000000\nRBP: ffff923fcf6e3c88 R08: ffff923fcafb0000 R09: 0000000000000000\nR10: 0000000000000000 R11: ffffffff83619b90 R12: ffff923fa9540000\nR13: 0000000000080007 R14: ffff923f6d35d000 R15: 0000000000000000\nFS:  0000000000000000(0000) GS:ffff929d0d7c0000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: ffffe38687000000 CR3: 0000005224c34005 CR4: 0000000000770ee0\nPKRU: 55555554\nCall Trace:\n<TASK>\nsev_free_vcpu+0xcb/0x110 [kvm_amd]\nsvm_vcpu_free+0x75/0xf0 [kvm_amd]\nkvm_arch_vcpu_destroy+0x36/0x140 [kvm]\nkvm_destroy_vcpus+0x67/0x100 [kvm]\nkvm_arch_destroy_vm+0x161/0x1d0 [kvm]\nkvm_put_kvm+0x276/0x560 [kvm]\nkvm_vm_release+0x25/0x30 [kvm]\n__fput+0x106/0x280\n____fput+0x12/0x20\ntask_work_run+0x86/0xb0\ndo_exit+0x2e3/0x9c0\ndo_group_exit+0xb1/0xc0\n__x64_sys_exit_group+0x1b/0x20\ndo_syscall_64+0x41/0x90\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\n</TASK>\nCR2: ffffe38687000000", "A flaw was found in the Linux kernel's KVM SVM implementation for AMD SEV-ES. During intrahost VM migration, KVM incorrectly retrieves source vCPUs from the destination VM instead of the source VM. This causes the VMSA (Virtual Machine Save Area) pointer to remain NULL, leading to a host kernel crash when the VM is destroyed or during subsequent vCPU operations." ],
  "statement" : "This bug affects AMD systems using SEV-ES (Secure Encrypted Virtualization - Encrypted State) with VM migration capabilities. The flaw can crash the host kernel from a guest operation, representing a guest-to-host denial of service. However, exploitation requires the ability to perform SEV-ES VM migrations, which typically needs elevated privileges.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2025-01-08T00:00:00Z",
    "advisory" : "RHSA-2025:0065",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "kernel-0:4.18.0-553.34.1.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-04-30T00:00:00Z",
    "advisory" : "RHSA-2024:2394",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-427.13.1.el9_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-04-30T00:00:00Z",
    "advisory" : "RHSA-2024:2394",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-427.13.1.el9_4"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-54296\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-54296\nhttps://lore.kernel.org/linux-cve-announce/2025123031-CVE-2023-54296-e667@gregkh/T" ],
  "name" : "CVE-2023-54296",
  "csaw" : false
}