CVE-2024-50115 (GCVE-0-2024-50115)

Vulnerability from cvelistv5 – Published: 2024-11-05 17:10 – Updated: 2026-05-11 20:45
VLAI
Title
KVM: nSVM: Ignore nCR3[4:0] when loading PDPTEs from memory
Summary
In the Linux kernel, the following vulnerability has been resolved: KVM: nSVM: Ignore nCR3[4:0] when loading PDPTEs from memory Ignore nCR3[4:0] when loading PDPTEs from memory for nested SVM, as bits 4:0 of CR3 are ignored when PAE paging is used, and thus VMRUN doesn't enforce 32-byte alignment of nCR3. In the absolute worst case scenario, failure to ignore bits 4:0 can result in an out-of-bounds read, e.g. if the target page is at the end of a memslot, and the VMM isn't using guard pages. Per the APM: The CR3 register points to the base address of the page-directory-pointer table. The page-directory-pointer table is aligned on a 32-byte boundary, with the low 5 address bits 4:0 assumed to be 0. And the SDM's much more explicit: 4:0 Ignored Note, KVM gets this right when loading PDPTRs, it's only the nSVM flow that is broken.
Severity
7.1 (High)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: e4e517b4be019787ada4cbbce2f04570c21b0cbd , < 76ce386feb14ec9a460784fcd495d8432acce7a5 (git)
Affected: e4e517b4be019787ada4cbbce2f04570c21b0cbd , < 58cb697d80e669c56197f703e188867c8c54c494 (git)
Affected: e4e517b4be019787ada4cbbce2f04570c21b0cbd , < 6876793907cbe19d42e9edc8c3315a21e06c32ae (git)
Affected: e4e517b4be019787ada4cbbce2f04570c21b0cbd , < 2c4adc9b192a0815fe58a62bc0709449416cc884 (git)
Affected: e4e517b4be019787ada4cbbce2f04570c21b0cbd , < 426682afec71ea3f889b972d038238807b9443e4 (git)
Affected: e4e517b4be019787ada4cbbce2f04570c21b0cbd , < f559b2e9c5c5308850544ab59396b7d53cfc67bd (git)
Create a notification for this product.
Linux Linux Affected: 3.2
Unaffected: 0 , < 3.2 (semver)
Unaffected: 5.10.229 , ≤ 5.10.* (semver)
Unaffected: 5.15.170 , ≤ 5.15.* (semver)
Unaffected: 6.1.115 , ≤ 6.1.* (semver)
Unaffected: 6.6.59 , ≤ 6.6.* (semver)
Unaffected: 6.11.6 , ≤ 6.11.* (semver)
Unaffected: 6.12 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.1,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-50115",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T20:21:56.032296Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-125",
                "description": "CWE-125 Out-of-bounds Read",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T20:27:17.080Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T22:25:38.622Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "arch/x86/kvm/svm/nested.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "76ce386feb14ec9a460784fcd495d8432acce7a5",
              "status": "affected",
              "version": "e4e517b4be019787ada4cbbce2f04570c21b0cbd",
              "versionType": "git"
            },
            {
              "lessThan": "58cb697d80e669c56197f703e188867c8c54c494",
              "status": "affected",
              "version": "e4e517b4be019787ada4cbbce2f04570c21b0cbd",
              "versionType": "git"
            },
            {
              "lessThan": "6876793907cbe19d42e9edc8c3315a21e06c32ae",
              "status": "affected",
              "version": "e4e517b4be019787ada4cbbce2f04570c21b0cbd",
              "versionType": "git"
            },
            {
              "lessThan": "2c4adc9b192a0815fe58a62bc0709449416cc884",
              "status": "affected",
              "version": "e4e517b4be019787ada4cbbce2f04570c21b0cbd",
              "versionType": "git"
            },
            {
              "lessThan": "426682afec71ea3f889b972d038238807b9443e4",
              "status": "affected",
              "version": "e4e517b4be019787ada4cbbce2f04570c21b0cbd",
              "versionType": "git"
            },
            {
              "lessThan": "f559b2e9c5c5308850544ab59396b7d53cfc67bd",
              "status": "affected",
              "version": "e4e517b4be019787ada4cbbce2f04570c21b0cbd",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "arch/x86/kvm/svm/nested.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.2"
            },
            {
              "lessThan": "3.2",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.229",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.170",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.115",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.59",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.11.*",
              "status": "unaffected",
              "version": "6.11.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.12",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.229",
                  "versionStartIncluding": "3.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.170",
                  "versionStartIncluding": "3.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.115",
                  "versionStartIncluding": "3.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.59",
                  "versionStartIncluding": "3.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.11.6",
                  "versionStartIncluding": "3.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12",
                  "versionStartIncluding": "3.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: nSVM: Ignore nCR3[4:0] when loading PDPTEs from memory\n\nIgnore nCR3[4:0] when loading PDPTEs from memory for nested SVM, as bits\n4:0 of CR3 are ignored when PAE paging is used, and thus VMRUN doesn\u0027t\nenforce 32-byte alignment of nCR3.\n\nIn the absolute worst case scenario, failure to ignore bits 4:0 can result\nin an out-of-bounds read, e.g. if the target page is at the end of a\nmemslot, and the VMM isn\u0027t using guard pages.\n\nPer the APM:\n\n  The CR3 register points to the base address of the page-directory-pointer\n  table. The page-directory-pointer table is aligned on a 32-byte boundary,\n  with the low 5 address bits 4:0 assumed to be 0.\n\nAnd the SDM\u0027s much more explicit:\n\n  4:0    Ignored\n\nNote, KVM gets this right when loading PDPTRs, it\u0027s only the nSVM flow\nthat is broken."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T20:45:42.795Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/76ce386feb14ec9a460784fcd495d8432acce7a5"
        },
        {
          "url": "https://git.kernel.org/stable/c/58cb697d80e669c56197f703e188867c8c54c494"
        },
        {
          "url": "https://git.kernel.org/stable/c/6876793907cbe19d42e9edc8c3315a21e06c32ae"
        },
        {
          "url": "https://git.kernel.org/stable/c/2c4adc9b192a0815fe58a62bc0709449416cc884"
        },
        {
          "url": "https://git.kernel.org/stable/c/426682afec71ea3f889b972d038238807b9443e4"
        },
        {
          "url": "https://git.kernel.org/stable/c/f559b2e9c5c5308850544ab59396b7d53cfc67bd"
        }
      ],
      "title": "KVM: nSVM: Ignore nCR3[4:0] when loading PDPTEs from memory",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-50115",
    "datePublished": "2024-11-05T17:10:46.677Z",
    "dateReserved": "2024-10-21T19:36:19.947Z",
    "dateUpdated": "2026-05-11T20:45:42.795Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2024-50115",
      "date": "2026-06-30",
      "epss": "0.00243",
      "percentile": "0.1534"
    },
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"3.2\", \"versionEndExcluding\": \"5.10.229\", \"matchCriteriaId\": \"D1CC38D5-4E73-4234-A39C-C214E4AF4851\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"5.11\", \"versionEndExcluding\": \"5.15.170\", \"matchCriteriaId\": \"A9BA1C73-2D2E-45E3-937B-276A28AEB5FC\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"5.16\", \"versionEndExcluding\": \"6.1.115\", \"matchCriteriaId\": \"C08A77A6-E42E-4EFD-B5A1-2BF6CBBB42AE\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"6.2\", \"versionEndExcluding\": \"6.6.59\", \"matchCriteriaId\": \"5D15CA59-D15C-4ACD-8B03-A072DEAD2081\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"6.7\", \"versionEndExcluding\": \"6.11.6\", \"matchCriteriaId\": \"E4486B12-007B-4794-9857-F07145637AA1\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:linux:linux_kernel:6.12:rc1:*:*:*:*:*:*\", \"matchCriteriaId\": \"7F361E1D-580F-4A2D-A509-7615F73167A1\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:linux:linux_kernel:6.12:rc2:*:*:*:*:*:*\", \"matchCriteriaId\": \"925478D0-3E3D-4E6F-ACD5-09F28D5DF82C\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:linux:linux_kernel:6.12:rc3:*:*:*:*:*:*\", \"matchCriteriaId\": \"3C95E234-D335-4B6C-96BF-E2CEBD8654ED\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:linux:linux_kernel:6.12:rc4:*:*:*:*:*:*\", \"matchCriteriaId\": \"E0F717D8-3014-4F84-8086-0124B2111379\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nKVM: nSVM: Ignore nCR3[4:0] when loading PDPTEs from memory\\n\\nIgnore nCR3[4:0] when loading PDPTEs from memory for nested SVM, as bits\\n4:0 of CR3 are ignored when PAE paging is used, and thus VMRUN doesn\u0027t\\nenforce 32-byte alignment of nCR3.\\n\\nIn the absolute worst case scenario, failure to ignore bits 4:0 can result\\nin an out-of-bounds read, e.g. if the target page is at the end of a\\nmemslot, and the VMM isn\u0027t using guard pages.\\n\\nPer the APM:\\n\\n  The CR3 register points to the base address of the page-directory-pointer\\n  table. The page-directory-pointer table is aligned on a 32-byte boundary,\\n  with the low 5 address bits 4:0 assumed to be 0.\\n\\nAnd the SDM\u0027s much more explicit:\\n\\n  4:0    Ignored\\n\\nNote, KVM gets this right when loading PDPTRs, it\u0027s only the nSVM flow\\nthat is broken.\"}, {\"lang\": \"es\", \"value\": \"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: KVM: nSVM: Ignorar nCR3[4:0] al cargar PDPTE desde la memoria Ignorar nCR3[4:0] al cargar PDPTE desde la memoria para SVM anidado, ya que los bits 4:0 de CR3 se ignoran cuando se utiliza la paginaci\\u00f3n PAE y, por lo tanto, VMRUN no aplica la alineaci\\u00f3n de 32 bytes de nCR3. En el peor de los casos, no ignorar los bits 4:0 puede dar como resultado una lectura fuera de los l\\u00edmites, por ejemplo, si la p\\u00e1gina de destino est\\u00e1 al final de un memslot y el VMM no est\\u00e1 utilizando p\\u00e1ginas de protecci\\u00f3n. Seg\\u00fan el APM: El registro CR3 apunta a la direcci\\u00f3n base de la tabla de punteros de directorio de p\\u00e1ginas. La tabla de punteros de directorio de p\\u00e1gina est\\u00e1 alineada en un l\\u00edmite de 32 bytes, y se supone que los 5 bits de direcci\\u00f3n bajos 4:0 son 0. Y el SDM es mucho m\\u00e1s expl\\u00edcito: 4:0 Ignorado. Tenga en cuenta que KVM hace esto correctamente al cargar PDPTR, es solo el flujo nSVM el que est\\u00e1 da\\u00f1ado.\"}]",
      "id": "CVE-2024-50115",
      "lastModified": "2024-11-08T19:14:49.233",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H\", \"baseScore\": 7.1, \"baseSeverity\": \"HIGH\", \"attackVector\": \"LOCAL\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 1.8, \"impactScore\": 5.2}]}",
      "published": "2024-11-05T18:15:14.700",
      "references": "[{\"url\": \"https://git.kernel.org/stable/c/2c4adc9b192a0815fe58a62bc0709449416cc884\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"tags\": [\"Patch\"]}, {\"url\": \"https://git.kernel.org/stable/c/426682afec71ea3f889b972d038238807b9443e4\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"tags\": [\"Patch\"]}, {\"url\": \"https://git.kernel.org/stable/c/58cb697d80e669c56197f703e188867c8c54c494\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"tags\": [\"Patch\"]}, {\"url\": \"https://git.kernel.org/stable/c/6876793907cbe19d42e9edc8c3315a21e06c32ae\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"tags\": [\"Patch\"]}, {\"url\": \"https://git.kernel.org/stable/c/76ce386feb14ec9a460784fcd495d8432acce7a5\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"tags\": [\"Patch\"]}, {\"url\": \"https://git.kernel.org/stable/c/f559b2e9c5c5308850544ab59396b7d53cfc67bd\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"tags\": [\"Patch\"]}]",
      "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "vulnStatus": "Analyzed",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-125\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-50115\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-11-05T18:15:14.700\",\"lastModified\":\"2026-06-17T08:03:37.590\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nKVM: nSVM: Ignore nCR3[4:0] when loading PDPTEs from memory\\n\\nIgnore nCR3[4:0] when loading PDPTEs from memory for nested SVM, as bits\\n4:0 of CR3 are ignored when PAE paging is used, and thus VMRUN doesn\u0027t\\nenforce 32-byte alignment of nCR3.\\n\\nIn the absolute worst case scenario, failure to ignore bits 4:0 can result\\nin an out-of-bounds read, e.g. if the target page is at the end of a\\nmemslot, and the VMM isn\u0027t using guard pages.\\n\\nPer the APM:\\n\\n  The CR3 register points to the base address of the page-directory-pointer\\n  table. The page-directory-pointer table is aligned on a 32-byte boundary,\\n  with the low 5 address bits 4:0 assumed to be 0.\\n\\nAnd the SDM\u0027s much more explicit:\\n\\n  4:0    Ignored\\n\\nNote, KVM gets this right when loading PDPTRs, it\u0027s only the nSVM flow\\nthat is broken.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: KVM: nSVM: Ignorar nCR3[4:0] al cargar PDPTE desde la memoria Ignorar nCR3[4:0] al cargar PDPTE desde la memoria para SVM anidado, ya que los bits 4:0 de CR3 se ignoran cuando se utiliza la paginaci\u00f3n PAE y, por lo tanto, VMRUN no aplica la alineaci\u00f3n de 32 bytes de nCR3. En el peor de los casos, no ignorar los bits 4:0 puede dar como resultado una lectura fuera de los l\u00edmites, por ejemplo, si la p\u00e1gina de destino est\u00e1 al final de un memslot y el VMM no est\u00e1 utilizando p\u00e1ginas de protecci\u00f3n. Seg\u00fan el APM: El registro CR3 apunta a la direcci\u00f3n base de la tabla de punteros de directorio de p\u00e1ginas. La tabla de punteros de directorio de p\u00e1gina est\u00e1 alineada en un l\u00edmite de 32 bytes, y se supone que los 5 bits de direcci\u00f3n bajos 4:0 son 0. Y el SDM es mucho m\u00e1s expl\u00edcito: 4:0 Ignorado. Tenga en cuenta que KVM hace esto correctamente al cargar PDPTR, es solo el flujo nSVM el que est\u00e1 da\u00f1ado.\"}],\"affected\":[{\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"affectedData\":[{\"vendor\":\"Linux\",\"product\":\"Linux\",\"defaultStatus\":\"unaffected\",\"programFiles\":[\"arch/x86/kvm/svm/nested.c\"],\"repo\":\"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\",\"versions\":[{\"version\":\"e4e517b4be019787ada4cbbce2f04570c21b0cbd\",\"lessThan\":\"76ce386feb14ec9a460784fcd495d8432acce7a5\",\"versionType\":\"git\",\"status\":\"affected\"},{\"version\":\"e4e517b4be019787ada4cbbce2f04570c21b0cbd\",\"lessThan\":\"58cb697d80e669c56197f703e188867c8c54c494\",\"versionType\":\"git\",\"status\":\"affected\"},{\"version\":\"e4e517b4be019787ada4cbbce2f04570c21b0cbd\",\"lessThan\":\"6876793907cbe19d42e9edc8c3315a21e06c32ae\",\"versionType\":\"git\",\"status\":\"affected\"},{\"version\":\"e4e517b4be019787ada4cbbce2f04570c21b0cbd\",\"lessThan\":\"2c4adc9b192a0815fe58a62bc0709449416cc884\",\"versionType\":\"git\",\"status\":\"affected\"},{\"version\":\"e4e517b4be019787ada4cbbce2f04570c21b0cbd\",\"lessThan\":\"426682afec71ea3f889b972d038238807b9443e4\",\"versionType\":\"git\",\"status\":\"affected\"},{\"version\":\"e4e517b4be019787ada4cbbce2f04570c21b0cbd\",\"lessThan\":\"f559b2e9c5c5308850544ab59396b7d53cfc67bd\",\"versionType\":\"git\",\"status\":\"affected\"}]},{\"vendor\":\"Linux\",\"product\":\"Linux\",\"defaultStatus\":\"affected\",\"programFiles\":[\"arch/x86/kvm/svm/nested.c\"],\"repo\":\"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\",\"versions\":[{\"version\":\"3.2\",\"status\":\"affected\"},{\"version\":\"0\",\"lessThan\":\"3.2\",\"versionType\":\"semver\",\"status\":\"unaffected\"},{\"version\":\"5.10.229\",\"lessThanOrEqual\":\"5.10.*\",\"versionType\":\"semver\",\"status\":\"unaffected\"},{\"version\":\"5.15.170\",\"lessThanOrEqual\":\"5.15.*\",\"versionType\":\"semver\",\"status\":\"unaffected\"},{\"version\":\"6.1.115\",\"lessThanOrEqual\":\"6.1.*\",\"versionType\":\"semver\",\"status\":\"unaffected\"},{\"version\":\"6.6.59\",\"lessThanOrEqual\":\"6.6.*\",\"versionType\":\"semver\",\"status\":\"unaffected\"},{\"version\":\"6.11.6\",\"lessThanOrEqual\":\"6.11.*\",\"versionType\":\"semver\",\"status\":\"unaffected\"},{\"version\":\"6.12\",\"lessThanOrEqual\":\"*\",\"versionType\":\"original_commit_for_fix\",\"status\":\"unaffected\"}]}]}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H\",\"baseScore\":7.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.2},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H\",\"baseScore\":7.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.2}],\"ssvcV203\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"ssvcData\":{\"timestamp\":\"2025-10-01T20:21:56.032296Z\",\"id\":\"CVE-2024-50115\",\"options\":[{\"exploitation\":\"none\"},{\"automatable\":\"no\"},{\"technicalImpact\":\"partial\"}],\"role\":\"CISA Coordinator\",\"version\":\"2.0.3\"}}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-125\"}]},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-125\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"3.2\",\"versionEndExcluding\":\"5.10.229\",\"matchCriteriaId\":\"D1CC38D5-4E73-4234-A39C-C214E4AF4851\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.11\",\"versionEndExcluding\":\"5.15.170\",\"matchCriteriaId\":\"A9BA1C73-2D2E-45E3-937B-276A28AEB5FC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.16\",\"versionEndExcluding\":\"6.1.115\",\"matchCriteriaId\":\"C08A77A6-E42E-4EFD-B5A1-2BF6CBBB42AE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.2\",\"versionEndExcluding\":\"6.6.59\",\"matchCriteriaId\":\"5D15CA59-D15C-4ACD-8B03-A072DEAD2081\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.7\",\"versionEndExcluding\":\"6.11.6\",\"matchCriteriaId\":\"E4486B12-007B-4794-9857-F07145637AA1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.12:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"7F361E1D-580F-4A2D-A509-7615F73167A1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.12:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"925478D0-3E3D-4E6F-ACD5-09F28D5DF82C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.12:rc3:*:*:*:*:*:*\",\"matchCriteriaId\":\"3C95E234-D335-4B6C-96BF-E2CEBD8654ED\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.12:rc4:*:*:*:*:*:*\",\"matchCriteriaId\":\"E0F717D8-3014-4F84-8086-0124B2111379\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/2c4adc9b192a0815fe58a62bc0709449416cc884\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/426682afec71ea3f889b972d038238807b9443e4\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/58cb697d80e669c56197f703e188867c8c54c494\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/6876793907cbe19d42e9edc8c3315a21e06c32ae\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/76ce386feb14ec9a460784fcd495d8432acce7a5\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/f559b2e9c5c5308850544ab59396b7d53cfc67bd\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html\"}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html\"}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2025-11-03T22:25:38.622Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.1, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-50115\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-10-01T20:21:56.032296Z\"}}}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-125\", \"description\": \"CWE-125 Out-of-bounds Read\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-10-01T15:15:55.396Z\"}}], \"cna\": {\"title\": \"KVM: nSVM: Ignore nCR3[4:0] when loading PDPTEs from memory\", \"affected\": [{\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"e4e517b4be019787ada4cbbce2f04570c21b0cbd\", \"lessThan\": \"76ce386feb14ec9a460784fcd495d8432acce7a5\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"e4e517b4be019787ada4cbbce2f04570c21b0cbd\", \"lessThan\": \"58cb697d80e669c56197f703e188867c8c54c494\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"e4e517b4be019787ada4cbbce2f04570c21b0cbd\", \"lessThan\": \"6876793907cbe19d42e9edc8c3315a21e06c32ae\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"e4e517b4be019787ada4cbbce2f04570c21b0cbd\", \"lessThan\": \"2c4adc9b192a0815fe58a62bc0709449416cc884\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"e4e517b4be019787ada4cbbce2f04570c21b0cbd\", \"lessThan\": \"426682afec71ea3f889b972d038238807b9443e4\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"e4e517b4be019787ada4cbbce2f04570c21b0cbd\", \"lessThan\": \"f559b2e9c5c5308850544ab59396b7d53cfc67bd\", \"versionType\": \"git\"}], \"programFiles\": [\"arch/x86/kvm/svm/nested.c\"], \"defaultStatus\": \"unaffected\"}, {\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"3.2\"}, {\"status\": \"unaffected\", \"version\": \"0\", \"lessThan\": \"3.2\", \"versionType\": \"semver\"}, {\"status\": \"unaffected\", \"version\": \"5.10.229\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.10.*\"}, {\"status\": \"unaffected\", \"version\": \"5.15.170\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.15.*\"}, {\"status\": \"unaffected\", \"version\": \"6.1.115\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.1.*\"}, {\"status\": \"unaffected\", \"version\": \"6.6.59\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.6.*\"}, {\"status\": \"unaffected\", \"version\": \"6.11.6\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.11.*\"}, {\"status\": \"unaffected\", \"version\": \"6.12\", \"versionType\": \"original_commit_for_fix\", \"lessThanOrEqual\": \"*\"}], \"programFiles\": [\"arch/x86/kvm/svm/nested.c\"], \"defaultStatus\": \"affected\"}], \"references\": [{\"url\": \"https://git.kernel.org/stable/c/76ce386feb14ec9a460784fcd495d8432acce7a5\"}, {\"url\": \"https://git.kernel.org/stable/c/58cb697d80e669c56197f703e188867c8c54c494\"}, {\"url\": \"https://git.kernel.org/stable/c/6876793907cbe19d42e9edc8c3315a21e06c32ae\"}, {\"url\": \"https://git.kernel.org/stable/c/2c4adc9b192a0815fe58a62bc0709449416cc884\"}, {\"url\": \"https://git.kernel.org/stable/c/426682afec71ea3f889b972d038238807b9443e4\"}, {\"url\": \"https://git.kernel.org/stable/c/f559b2e9c5c5308850544ab59396b7d53cfc67bd\"}], \"x_generator\": {\"engine\": \"bippy-1.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nKVM: nSVM: Ignore nCR3[4:0] when loading PDPTEs from memory\\n\\nIgnore nCR3[4:0] when loading PDPTEs from memory for nested SVM, as bits\\n4:0 of CR3 are ignored when PAE paging is used, and thus VMRUN doesn\u0027t\\nenforce 32-byte alignment of nCR3.\\n\\nIn the absolute worst case scenario, failure to ignore bits 4:0 can result\\nin an out-of-bounds read, e.g. if the target page is at the end of a\\nmemslot, and the VMM isn\u0027t using guard pages.\\n\\nPer the APM:\\n\\n  The CR3 register points to the base address of the page-directory-pointer\\n  table. The page-directory-pointer table is aligned on a 32-byte boundary,\\n  with the low 5 address bits 4:0 assumed to be 0.\\n\\nAnd the SDM\u0027s much more explicit:\\n\\n  4:0    Ignored\\n\\nNote, KVM gets this right when loading PDPTRs, it\u0027s only the nSVM flow\\nthat is broken.\"}], \"cpeApplicability\": [{\"nodes\": [{\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.10.229\", \"versionStartIncluding\": \"3.2\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.15.170\", \"versionStartIncluding\": \"3.2\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.1.115\", \"versionStartIncluding\": \"3.2\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.6.59\", \"versionStartIncluding\": \"3.2\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.11.6\", \"versionStartIncluding\": \"3.2\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.12\", \"versionStartIncluding\": \"3.2\"}], \"operator\": \"OR\"}]}], \"providerMetadata\": {\"orgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"shortName\": \"Linux\", \"dateUpdated\": \"2025-05-04T09:46:21.969Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-50115\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-11-03T22:25:38.622Z\", \"dateReserved\": \"2024-10-21T19:36:19.947Z\", \"assignerOrgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"datePublished\": \"2024-11-05T17:10:46.677Z\", \"assignerShortName\": \"Linux\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.