CVE-2024-50115

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2024-50115

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-50115.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2024-50115

Downstream

BELL-CVE-2024-50115

DEBIAN-CVE-2024-50115

DLA-4008-1

DLA-4075-1

OESA-2024-2445

OESA-2024-2446

OESA-2024-2447

OESA-2024-2448

OESA-2024-2449

RHSA-2024:11486

SUSE-SU-2024:4313-1

SUSE-SU-2024:4314-1

SUSE-SU-2024:4315-1

SUSE-SU-2024:4316-1

SUSE-SU-2024:4317-1

SUSE-SU-2024:4318-1

SUSE-SU-2024:4345-1

SUSE-SU-2024:4346-1

SUSE-SU-2024:4364-1

SUSE-SU-2024:4367-1

SUSE-SU-2024:4376-1

SUSE-SU-2024:4387-1

SUSE-SU-2024:4388-1

SUSE-SU-2025:0035-1

SUSE-SU-2025:01590-1

SUSE-SU-2025:01593-1

SUSE-SU-2025:01601-1

SUSE-SU-2025:01603-1

SUSE-SU-2025:01610-1

SUSE-SU-2025:01652-1

SUSE-SU-2025:01655-1

SUSE-SU-2025:01656-1

SUSE-SU-2025:01663-1

SUSE-SU-2025:01668-1

SUSE-SU-2025:01669-1

SUSE-SU-2025:01675-1

SUSE-SU-2025:01676-1

SUSE-SU-2025:01677-1

SUSE-SU-2025:01682-1

SUSE-SU-2025:01683-1

SUSE-SU-2025:01692-1

SUSE-SU-2025:0784-1

SUSE-SU-2025:0833-1

SUSE-SU-2025:0833-2

SUSE-SU-2025:0834-1

SUSE-SU-2025:0835-1

SUSE-SU-2025:0847-1

SUSE-SU-2025:0853-1

SUSE-SU-2025:0855-1

SUSE-SU-2025:0856-1

SUSE-SU-2025:0867-1

SUSE-SU-2025:0945-1

SUSE-SU-2025:0955-1

SUSE-SU-2025:20163-1

SUSE-SU-2025:20164-1

SUSE-SU-2025:20190-1

SUSE-SU-2025:20192-1

SUSE-SU-2025:20246-1

SUSE-SU-2025:20247-1

SUSE-SU-2025:20260-1

SUSE-SU-2025:20270-1

SUSE-SU-2025:20339-1

SUSE-SU-2025:20340-1

SUSE-SU-2025:20349-1

SUSE-SU-2025:20351-1

SUSE-SU-2025:20367-1

SUSE-SU-2025:20368-1

SUSE-SU-2025:4123-1

openSUSE-SU-2024:14500-1

openSUSE-SU-2025:14705-1

Related

Published

2024-11-05T17:10:46.677Z

Modified

2026-03-12T02:18:19.745368Z

Severity

7.1 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H CVSS Calculator

Summary

KVM: nSVM: Ignore nCR3[4:0] when loading PDPTEs from memory

Details

In the Linux kernel, the following vulnerability has been resolved:

KVM: nSVM: Ignore nCR3[4:0] when loading PDPTEs from memory

Ignore nCR3[4:0] when loading PDPTEs from memory for nested SVM, as bits 4:0 of CR3 are ignored when PAE paging is used, and thus VMRUN doesn't enforce 32-byte alignment of nCR3.

In the absolute worst case scenario, failure to ignore bits 4:0 can result in an out-of-bounds read, e.g. if the target page is at the end of a memslot, and the VMM isn't using guard pages.

Per the APM:

The CR3 register points to the base address of the page-directory-pointer table. The page-directory-pointer table is aligned on a 32-byte boundary, with the low 5 address bits 4:0 assumed to be 0.

And the SDM's much more explicit:

4:0 Ignored

Note, KVM gets this right when loading PDPTRs, it's only the nSVM flow that is broken.

Database specific

{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/50xxx/CVE-2024-50115.json"
}

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

e4e517b4be019787ada4cbbce2f04570c21b0cbd

Fixed

76ce386feb14ec9a460784fcd495d8432acce7a5

Fixed

58cb697d80e669c56197f703e188867c8c54c494

Fixed

6876793907cbe19d42e9edc8c3315a21e06c32ae

Fixed

2c4adc9b192a0815fe58a62bc0709449416cc884

Fixed

426682afec71ea3f889b972d038238807b9443e4

Fixed

f559b2e9c5c5308850544ab59396b7d53cfc67bd

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-50115.json"