CVE-2024-26992 in Linuxinfo

Summary

by MITRE • 05/01/2024

In the Linux kernel, the following vulnerability has been resolved:

KVM: x86/pmu: Disable support for adaptive PEBS

Drop support for virtualizing adaptive PEBS, as KVM's implementation is architecturally broken without an obvious/easy path forward, and because exposing adaptive PEBS can leak host LBRs to the guest, i.e. can leak host kernel addresses to the guest.

Bug #1 is that KVM doesn't account for the upper 32 bits of IA32_FIXED_CTR_CTRL when (re)programming fixed counters, e.g fixed_ctrl_field() drops the upper bits, reprogram_fixed_counters() stores local variables as u8s and truncates the upper bits too, etc.

Bug #2 is that, because KVM _always_ sets precise_ip to a non-zero value for PEBS events, perf will _always_ generate an adaptive record, even if the guest requested a basic record. Note, KVM will also enable adaptive PEBS in individual *counter*, even if adaptive PEBS isn't exposed to the guest, but this is benign as MSR_PEBS_DATA_CFG is guaranteed to be zero, i.e. the guest will only ever see Basic records.

Bug #3 is in perf. intel_pmu_disable_fixed() doesn't clear the upper bits either, i.e. leaves ICL_FIXED_0_ADAPTIVE set, and intel_pmu_enable_fixed() effectively doesn't clear ICL_FIXED_0_ADAPTIVE either. I.e. perf _always_ enables ADAPTIVE counters, regardless of what KVM requests.

Bug #4 is that adaptive PEBS *might* effectively bypass event filters set by the host, as "Updated Memory Access Info Group" records information that might be disallowed by userspace via KVM_SET_PMU_EVENT_FILTER.

Bug #5 is that KVM doesn't ensure LBR MSRs hold guest values (or at least zeros) when entering a vCPU with adaptive PEBS, which allows the guest to read host LBRs, i.e. host RIPs/addresses, by enabling "LBR Entries" records.

Disable adaptive PEBS support as an immediate fix due to the severity of the LBR leak in particular, and because fixing all of the bugs will be non-trivial, e.g. not suitable for backporting to stable kernels.

Note! This will break live migration, but trying to make KVM play nice with live migration would be quite complicated, wouldn't be guaranteed to work (i.e. KVM might still kill/confuse the guest), and it's not clear that there are any publicly available VMMs that support adaptive PEBS, let alone live migrate VMs that support adaptive PEBS, e.g. QEMU doesn't support PEBS in any capacity.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 02/06/2026

The vulnerability CVE-2024-26992 addresses a critical flaw in the Linux kernel's KVM hypervisor implementation related to the handling of Performance Monitoring Unit (PMU) features, specifically the adaptive Performance Event Based Sampling (PEBS) capability. This issue affects the x86 architecture implementation within KVM virtualization environments and represents a significant security risk due to potential information leakage from host to guest virtual machines. The flaw stems from multiple interconnected bugs in how KVM manages fixed performance counters and PEBS event handling, creating a scenario where guest operating systems could inadvertently access sensitive host kernel addresses through the Leaked Branch Records (LBR) mechanism.

The technical root cause involves several architectural failures in the KVM PMU subsystem that collectively undermine security boundaries. Bug #1 manifests in the improper handling of upper 32 bits of the IA32_FIXED_CTR_CTRL register during counter programming operations, where functions like fixed_ctrl_field() and reprogram_fixed_counters() truncate these bits through u8 storage limitations. Bug #2 occurs because KVM consistently sets precise_ip to non-zero values for PEBS events, forcing perf subsystem to generate adaptive records even when guests request basic records. The most severe issue involves Bug #3, where the perf subsystem's intel_pmu_disable_fixed() and intel_pmu_enable_fixed() functions fail to properly clear upper bits, ensuring that adaptive counters are always enabled regardless of KVM's intentions. Additionally, Bug #4 reveals that adaptive PEBS can bypass host-set event filters through "Updated Memory Access Info Group" records, while Bug #5 demonstrates that KVM fails to properly isolate LBR MSRs, allowing guests to read host LBRs and thereby extract kernel addresses.

This vulnerability directly maps to CWE-200 (Information Exposure) and CWE-248 (Uncaught Exception) categories within the Common Weakness Enumeration framework, representing a clear breach of information security principles. The ATT&CK framework categorizes this as a privilege escalation and information gathering technique, where adversaries can leverage hypervisor flaws to extract sensitive kernel information. The impact extends beyond simple information disclosure to include potential privilege escalation paths and system integrity compromise, as guest VMs could gain access to host kernel addresses that could be used for further exploitation or attack vector development. The severity is amplified by the fact that this vulnerability affects the fundamental hypervisor layer that isolates virtual machines, creating a direct pathway for information leakage between host and guest environments.

The mitigation strategy implemented in this fix involves completely disabling support for adaptive PEBS in KVM's x86 PMU implementation, which represents a defensive approach to prevent exploitation while acknowledging the complexity of fixing all the underlying bugs. This solution addresses the most critical security concern - the LBR leak - which could enable attackers to discover host kernel addresses and potentially leverage this information for advanced exploitation techniques. The decision to disable adaptive PEBS was driven by the complexity of fixing all five identified bugs, which would require extensive kernel modifications that are not suitable for stable kernel backports. The fix also acknowledges the practical reality that live migration capabilities would be broken, as no widely available virtualization platforms support adaptive PEBS in their migration implementations. This approach aligns with the principle of least privilege and defense in depth, ensuring that the hypervisor maintains proper isolation boundaries while accepting the trade-off of reduced functionality for improved security. The vulnerability demonstrates the critical importance of thorough security analysis in virtualization platforms, where seemingly minor implementation details in performance monitoring subsystems can create significant security risks.

Reservation

02/19/2024

Disclosure

05/01/2024

Moderation

accepted

CPE

ready

EPSS

0.00221

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!