CVE-2024-53196 in Linux
Summary
by MITRE • 12/27/2024
In the Linux kernel, the following vulnerability has been resolved:
KVM: arm64: Don't retire aborted MMIO instruction
Returning an abort to the guest for an unsupported MMIO access is a documented feature of the KVM UAPI. Nevertheless, it's clear that this plumbing has seen limited testing, since userspace can trivially cause a WARN in the MMIO return:
WARNING: CPU: 0 PID: 30558 at arch/arm64/include/asm/kvm_emulate.h:536 kvm_handle_mmio_return+0x46c/0x5c4 arch/arm64/include/asm/kvm_emulate.h:536
Call trace:
 kvm_handle_mmio_return+0x46c/0x5c4 arch/arm64/include/asm/kvm_emulate.h:536
 kvm_arch_vcpu_ioctl_run+0x98/0x15b4 arch/arm64/kvm/arm.c:1133
 kvm_vcpu_ioctl+0x75c/0xa78 virt/kvm/kvm_main.c:4487
 __do_sys_ioctl fs/ioctl.c:51 [inline]
 __se_sys_ioctl fs/ioctl.c:893 [inline]
 __arm64_sys_ioctl+0x14c/0x1c8 fs/ioctl.c:893
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
 el0_svc_common+0x1e0/0x23c arch/arm64/kernel/syscall.c:132
 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
 el0_svc+0x38/0x68 arch/arm64/kernel/entry-common.c:712
 el0t_64_sync_handler+0x90/0xfc arch/arm64/kernel/entry-common.c:730
 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598
The splat is complaining that KVM is advancing PC while an exception is pending, i.e. that KVM is retiring the MMIO instruction despite a pending synchronous external abort. Womp womp.
Fix the glaring UAPI bug by skipping over all the MMIO emulation in case there is a pending synchronous exception. Note that while userspace is capable of pending an asynchronous exception (SError, IRQ, or FIQ), it is still safe to retire the MMIO instruction in this case as (1) they are by definition asynchronous, and (2) KVM relies on hardware support for pending/delivering these exceptions instead of the software state machine for advancing PC.
Analysis
by VulDB Data Team • 12/15/2025
CVE-2024-53196 resides in the Linux kernel's KVM implementation for the arm64 architecture, specifically in how the kernel handles MMIO (Memory-Mapped I/O) accesses when a synchronous exception is pending. The kernel attempts to advance the program counter while a synchronous external abort is still pending, which triggers a kernel warning and can destabilize the system. The problem occurs while processing the MMIO return through the KVM UAPI (user-space API), where the kernel fails to account for pending synchronous exceptions before retiring the MMIO instruction.
The flaw stems from the MMIO instruction retirement path in the KVM subsystem. When a guest operating system attempts an MMIO access that the hypervisor cannot handle, KVM should return an abort to the guest. The vulnerable implementation, however, does not check for a pending synchronous exception before retiring the MMIO instruction, so it advances the program counter while the exception is still pending. This violates the processor's exception handling rules: the kernel's warning reports that kvm_handle_mmio_return is advancing the PC while an exception is pending, a critical inconsistency in the exception handling state machine.
The operational impact extends beyond simple system instability and can compromise the integrity of virtualized environments running on arm64 systems. Attackers could trigger the problematic code path by crafting specific MMIO access patterns, potentially causing denial of service or more severe consequences depending on the execution context. The issue is particularly concerning in cloud and server virtualization environments where KVM is widely used, as it could let malicious guests destabilize the host or cause unexpected behavior in multi-tenant deployments. The issue is classified as a UAPI bug under CWE-691, which covers inadequate control flow in the interface between kernel and user space components, and is mapped to ATT&CK technique T1059.001 for executing malicious code through kernel-level manipulation.
The fix for CVE-2024-53196 adds a check for pending synchronous exceptions before an MMIO instruction is retired: KVM now skips all MMIO emulation when a synchronous exception is pending, which matches the documented behavior of the KVM UAPI. This is safe because asynchronous exceptions (SError, IRQ, or FIQ) are delivered through hardware mechanisms rather than the software state machine that advances the PC, so retiring the instruction in that case remains correct. By not advancing the program counter while a synchronous exception is pending, the kernel keeps its exception handling state machine consistent and no longer produces the warning observed above.
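A simplified model of the pre-fix and post-fix control flows described in the commit message and the analysis, added here as an illustration; it is not code from the kernel or from the fix commit, and the enum, struct and function names (vcpu_model, incr_pc, mmio_return_vulnerable, mmio_return_fixed) are constructed stand-ins for the real KVM state.

```c
#include <stdbool.h>
#include <stdint.h>
/* Constructed model of the vCPU state that matters here; not the kernel's structures. */
enum pending_exception {
    PENDING_NONE = 0,
    PENDING_SYNC_ABORT, /* synchronous external abort queued by userspace for this access */
    PENDING_ASYNC       /* SError/IRQ/FIQ: delivered by hardware, not by the PC state machine */
};

struct vcpu_model {
    uint64_t pc;
    enum pending_exception pending;
    bool is_write;
    uint64_t mmio_data; /* value userspace returns for an MMIO read */
    uint64_t dest_reg;  /* guest register that receives the read data */
};

/* Stand-in for the WARN the splat above comes from: PC must not advance while a
 * synchronous exception is pending. pc_warning_fired() reads and clears the flag. */
static bool pc_warning;
static void incr_pc(struct vcpu_model *v)
{
    if (v->pending == PENDING_SYNC_ABORT)
        pc_warning = true;
    v->pc += 4;
}
bool pc_warning_fired(void) { bool w = pc_warning; pc_warning = false; return w; }

/* Pre-fix flow: completes the emulation and retires the instruction unconditionally. */
int mmio_return_vulnerable(struct vcpu_model *v)
{
    if (!v->is_write)
        v->dest_reg = v->mmio_data;
    incr_pc(v);
    return 1;
}

/* Post-fix flow: a pending synchronous exception means the access was aborted, so skip
 * all MMIO emulation and leave PC on the faulting instruction. An asynchronous
 * exception does not block retirement, matching the commit's reasoning. */
int mmio_return_fixed(struct vcpu_model *v)
{
    if (v->pending == PENDING_SYNC_ABORT)
        return 1;
    if (!v->is_write)
        v->dest_reg = v->mmio_data;
    incr_pc(v);
    return 1;
}
```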