CVE-2024-58083
Published: 06 March 2025
Description
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Security Summary
CVE-2024-58083 is a use-after-free vulnerability (CWE-416) in the Linux kernel's KVM (Kernel-based Virtual Machine) subsystem, specifically within the kvm_get_vcpu() function. The issue arises because the function does not explicitly verify that the target virtual CPU (vCPU) is fully online before applying nospec index clamping. If the index is invalid, clamping defaults to index 0, returning vCPU0 instead of NULL. This becomes problematic with KVM's use of an xarray for the vCPUs array, as vCPU0 may not be fully created or could be freed if kvm_vm_ioctl_create_vcpu() fails during initialization.
A local attacker with low privileges (PR:L) can exploit this vulnerability with low complexity (AC:L) and no user interaction (UI:N) from an unprivileged guest or user-space context. By supplying a bad vCPU index, whether through buggy or malicious user-space code or through guest behaviour, the attacker can cause vCPU0 to be returned before it is online. If vCPU creation then fails and frees vCPU0, the subsequent dereference is a use-after-free, with high confidentiality, integrity, and availability impact (CVSS 7.8). The condition is unlikely to arise in normal operation; it requires misbehaving user space or guests that send invalid indices, for example during interrupt delivery.
Mitigation involves applying upstream kernel patches from the provided stable commit references, including changes to explicitly verify the target vCPU is online prior to clamping in kvm_get_vcpu(). These patches (e.g., 09d50ccf0b2d, 125da53b3c0c) resolve the issue and enable reverting a prior workaround (commit afb2acb2e3a3) that introduced teardown races, without reintroducing the vCPU array[0] use-after-free race.
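The clamp-to-zero behaviour described in the summary, and the explicit online check that the patches place before the clamp, as a constructed user-space C model added here. This is not the kernel's code and not part of the advisory: vm_t, vcpu_t, lookup_clamp_only(), lookup_checked() and the scenario helpers are this example's own names, and index_mask_nospec() reproduces the generic branchless mask used by the kernel's array_index_nospec() helper so the fold-to-slot-0 effect is visible.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed user-space model of the vCPU lookup pattern behind
 * CVE-2024-58083. Not kernel code: vm_t, vcpu_t and the lookup/scenario
 * helpers are this example's own names. */

#define MAX_VCPUS 4
#define BITS_PER_LONG (sizeof(unsigned long) * CHAR_BIT)

typedef struct {
    int id;
    int online;   /* 1 once creation completed, 0 while still being set up */
} vcpu_t;

typedef struct {
    unsigned long online_vcpus;     /* models the kvm->online_vcpus counter */
    vcpu_t *vcpu_array[MAX_VCPUS];  /* models the per-index vcpu_array slots */
} vm_t;

/* Branchless mask in the style of the kernel's generic
 * array_index_mask_nospec(): all ones when index < size, all zeros otherwise.
 * ANDing the index with it is the "nospec clamping" the summary refers to. */
static unsigned long index_mask_nospec(unsigned long index, unsigned long size)
{
    return ~(long)(index | (size - 1UL - index)) >> (BITS_PER_LONG - 1);
}

/* Pre-fix behaviour: the index is only clamped. Anything outside
 * [0, online_vcpus) folds to 0, so slot 0 is returned instead of NULL. */
vcpu_t *lookup_clamp_only(vm_t *vm, int i)
{
    unsigned long idx = (unsigned long)i;  /* a negative i becomes huge */
    idx &= index_mask_nospec(idx, vm->online_vcpus);
    return vm->vcpu_array[idx];
}

/* Post-fix behaviour: explicitly reject an index that is not an online vCPU
 * before clamping, so a slot 0 that is still being created, or that has
 * already been freed, is never handed back to the caller. */
vcpu_t *lookup_checked(vm_t *vm, int i)
{
    if (i < 0 || (unsigned long)i >= vm->online_vcpus)
        return NULL;
    unsigned long idx = (unsigned long)i;
    idx &= index_mask_nospec(idx, vm->online_vcpus);
    return vm->vcpu_array[idx];
}

/* Constructed scenario: vCPU0 is already present in the array but creation has
 * not completed, so online_vcpus is still 0. This is the window the advisory
 * describes; if creation then fails and frees the vCPU, slot 0 is dangling. */
static vcpu_t vcpu0_half_created = { .id = 0, .online = 0 };

static void setup_vcpu0_not_online(vm_t *vm)
{
    for (int k = 0; k < MAX_VCPUS; k++)
        vm->vcpu_array[k] = NULL;
    vm->online_vcpus = 0;
    vm->vcpu_array[0] = &vcpu0_half_created;
}

/* 1 if the clamp-only lookup hands out the not-yet-online vCPU0 for index i. */
int clamp_only_returns_vcpu0(int i)
{
    vm_t vm;
    setup_vcpu0_not_online(&vm);
    return lookup_clamp_only(&vm, i) == &vcpu0_half_created;
}

/* 1 if the checked lookup correctly returns NULL for index i in that window. */
int checked_returns_null(int i)
{
    vm_t vm;
    setup_vcpu0_not_online(&vm);
    return lookup_checked(&vm, i) == NULL;
}

/* 1 if the checked lookup still finds a fully online vCPU0 for index i. */
int checked_finds_online_vcpu0(int i)
{
    vm_t vm;
    vcpu_t v0 = { .id = 0, .online = 1 };
    setup_vcpu0_not_online(&vm);
    vm.vcpu_array[0] = &v0;
    vm.online_vcpus = 1;       /* creation completed: vCPU0 is now counted */
    return lookup_checked(&vm, i) == &v0;
}

int main(void)
{
    const int probes[] = { 0, 1, 7, -1 };
    for (size_t n = 0; n < sizeof probes / sizeof probes[0]; n++)
        printf("index %2d: clamp-only returns vCPU0=%d, checked returns NULL=%d\n",
               probes[n], clamp_only_returns_vcpu0(probes[n]),
               checked_returns_null(probes[n]));
    return 0;
}
```

The point the model makes is that the anti-speculation mask can only redirect an index, it cannot signal "not found": every out-of-range or negative index lands on slot 0, which is exactly the slot that may hold a half-created or freed vCPU. The range check therefore has to sit before the clamp, as in lookup_checked(), rather than being inferred from it.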
No real-world exploitation has been reported, and the vulnerability primarily affects KVM-enabled Linux kernels prior to the listed stable patches.
Details
- CWE(s): CWE-416 (Use After Free)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The use-after-free in kvm_get_vcpu() is a local kernel vulnerability in KVM that can be triggered from an unprivileged user-space or guest context to achieve arbitrary code execution or a crash, directly enabling privilege escalation on the host.