CVE-2024-36953 in Linux
Summary
by MITRE • 05/30/2024
In the Linux kernel, the following vulnerability has been resolved:
KVM: arm64: vgic-v2: Check for non-NULL vCPU in vgic_v2_parse_attr()
vgic_v2_parse_attr() is responsible for finding the vCPU that matches the user-provided CPUID, which (of course) may not be valid. If the ID is invalid, kvm_get_vcpu_by_id() returns NULL, which isn't handled gracefully.
Similar to the GICv3 uaccess flow, check that kvm_get_vcpu_by_id() actually returns something and fail the ioctl if not.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 12/24/2025
The vulnerability identified as CVE-2024-36953 resides within the Linux kernel's KVM implementation specifically targeting the arm64 architecture's virtual generic interrupt controller version 2. This flaw manifests in the vgic_v2_parse_attr() function which serves as a critical component for processing attribute parsing operations within the virtual interrupt controller framework. The function's primary responsibility involves identifying and matching virtual CPUs based on user-provided CPU identifiers, a process that inherently requires robust validation mechanisms to prevent system instability or security breaches.
The technical flaw stems from inadequate error handling within the vgic_v2_parse_attr() function when processing invalid CPU identifiers. When the kvm_get_vcpu_by_id() function encounters a non-existent or invalid CPU identifier, it returns a NULL pointer to indicate failure. However, the current implementation fails to properly validate this return value, allowing the system to proceed with a null reference that can lead to undefined behavior, potential system crashes, or exploitation opportunities. This represents a classic input validation vulnerability where insufficient bounds checking and error handling create a pathway for malicious or malformed input to compromise system stability.
The operational impact of this vulnerability within virtualized environments running on arm64 architecture is significant, particularly in cloud computing and containerized deployments where KVM hypervisors manage multiple virtual machines. When exploited, the vulnerability could allow an attacker to cause denial of service conditions by triggering system crashes or potentially escalate privileges through carefully crafted ioctl calls that manipulate the virtual interrupt controller state. The vulnerability affects systems where KVM virtualization is enabled and running on arm64 platforms, making it particularly concerning for infrastructure providers and organizations relying on virtualized computing environments.
This vulnerability aligns with CWE-476, which specifically addresses the use of a null pointer dereference, and demonstrates characteristics consistent with the ATT&CK technique T1059.001 for command and scripting interpreter execution. The improper handling of NULL return values in kernel space creates a condition where malicious actors could exploit the lack of validation to disrupt virtual machine operations or potentially gain unauthorized access to underlying system resources. The fix implemented addresses this by introducing proper validation checks similar to those already established in the GICv3 uaccess flow, ensuring that the ioctl operation fails gracefully when invalid CPU identifiers are provided rather than allowing execution to continue with null references.
Mitigation strategies should focus on applying the kernel patch that implements the proper NULL pointer validation in the vgic_v2_parse_attr() function, ensuring that all calls to kvm_get_vcpu_by_id() are properly validated before proceeding with subsequent operations. System administrators should prioritize updating their kernel versions to include this fix, particularly in production environments where virtualization is actively utilized. Additionally, monitoring for unusual ioctl operations or system crashes related to KVM operations should be implemented as part of security operations center protocols to detect potential exploitation attempts. The fix follows established security practices by implementing defensive programming techniques that prevent null pointer dereferences and maintain system stability even when invalid input parameters are provided through the virtualization interface.