oss-sec mailing list archives
Re: KVM shadow EPT stale rmap use-after-free
From: Demi Marie Obenour <demiobenour () gmail com>
Date: Mon, 30 Mar 2026 13:16:23 -0400
On 3/30/26 02:04, Sandipan Roy wrote:
> Hello OSS-Sec, Alexander Bulekov (bkov () amazon com) and Fred Griffoul (fgriffo () amazon com) reported a use-after-free in KVM's shadow paging code. The issue was found through fuzzing. It is exploitable from any x86 guest with nested virtualization enabled, on either Intel or AMD processors, or using shadow paging (ept=0 / npt=0). The bug leads to kernel memory corruption and DoS issues.
Was this part of Amazon's work to enable nested virtualization on AWS?
> On kernels 6.16 and newer the reproducer also triggers a WARN, present
> since commit 11d45175111d ("KVM: x86/mmu: Warn if PFN changes on
> shadow-present SPTE in shadow MMU").
Does the WARN happen before any memory corruption? In other words, is panic_on_warn a mitigation?

-- 
Sincerely,
Demi Marie Obenour (she/her/hers)