
CVE-2024-58083

Severity: High
Published: 06 March 2025
Modified: 03 November 2025
KEV Added: not listed
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0003 (8.5th percentile)
Risk Priority: 16 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-58083 is a high-severity Use After Free (CWE-416) vulnerability in the Linux kernel (vendor: Linux). Its CVSS v3.1 base score is 7.8 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 8.5th percentile by EPSS exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-58083 is a use-after-free vulnerability (CWE-416) in the Linux kernel's KVM (Kernel-based Virtual Machine) subsystem, specifically within the kvm_get_vcpu() function. The issue arises because the function does not explicitly verify that the target virtual CPU (vCPU) is fully online before applying nospec index clamping. If the index is invalid, clamping defaults to index 0, returning vCPU0 instead of NULL. This becomes problematic with KVM's use of an xarray for the vCPUs array, as vCPU0 may not be fully created or could be freed if kvm_vm_ioctl_create_vcpu() fails during initialization.

A local attacker with low privileges (PR:L) can trigger the flaw with low attack complexity (AC:L) and no user interaction (UI:N) from an unprivileged guest or user-space context. By supplying a bad vCPU index, for example through buggy or malicious user-space code or guest behaviour, the attacker could cause KVM to hand back vCPU0 before it is online. If vCPU creation then fails and frees vCPU0, the subsequent dereference is a use-after-free, with high confidentiality, integrity and availability impact (CVSS 7.8). The condition does not arise in normal operation; it requires misbehaving user-space or a guest sending invalid indices, such as during interrupt delivery.

Mitigation involves applying the upstream kernel patches from the referenced stable commits, which change kvm_get_vcpu() to explicitly verify that the target vCPU is online before clamping the index. These patches (e.g., 09d50ccf0b2d, 125da53b3c0c) resolve the issue and allow reverting a prior workaround (commit afb2acb2e3a3) that had introduced teardown races, without reintroducing the vcpu_array[0] use-after-free race.

No real-world exploitation has been reported, and the vulnerability primarily affects KVM-enabled Linux kernels prior to the listed stable patches.


Vulnerability details

In the Linux kernel, the following vulnerability has been resolved: KVM: Explicitly verify target vCPU is online in kvm_get_vcpu()

Explicitly verify the target vCPU is fully online _prior_ to clamping the index in kvm_get_vcpu(). If the index is "bad", the nospec clamping will generate '0', i.e. KVM will return vCPU0 instead of NULL. In practice, the bug is unlikely to cause problems, as it will only come into play if userspace or the guest is buggy or misbehaving, e.g. KVM may send interrupts to vCPU0 instead of dropping them on the floor. However, returning vCPU0 when it shouldn't exist per online_vcpus is problematic now that KVM uses an xarray for the vCPUs array, as KVM needs to insert into the xarray before publishing the vCPU to userspace (see commit c5b077549136 ("KVM: Convert the kvm->vcpus array to a xarray")), i.e. before vCPU creation is guaranteed to succeed. As a result, incorrectly providing access to vCPU0 will trigger a use-after-free if vCPU0 is dereferenced and kvm_vm_ioctl_create_vcpu() bails out of vCPU creation due to an error and frees vCPU0. Commit afb2acb2e3a3 ("KVM: Fix vcpu_array[0] races") papered over that issue, but in doing so introduced an unsolvable teardown conundrum. Preventing accesses to vCPU0 before it's fully online will allow reverting commit afb2acb2e3a3, without re-introducing the vcpu_array[0] UAF race.
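The lookup behaviour described in the deeper analysis and in the commit message above, as a userland C model added here for illustration (not kernel code): the vcpu table, VCPU_SLOTS, the vm/vcpu structs and the lookup_id_* helpers are assumptions, and index_nospec() reproduces the mask arithmetic of the kernel's generic array_index_nospec() so that an out-of-range index folds to slot 0 rather than being rejected. The "vulnerable" lookup clamps first and so returns slot 0 for any bad index, including when online_vcpus is 0 and slot 0 holds a vCPU whose creation has not completed; the "fixed" lookup rejects the index against online_vcpus before clamping, which is the check the patch adds.

```c
/* Model of kvm_get_vcpu() before and after the CVE-2024-58083 fix.
 * Added illustration, not kernel code. Assumes a 64-bit two's-complement
 * platform with an arithmetic right shift on signed long (as Linux does). */
#include <stddef.h>
#include <stdio.h>

#define VCPU_SLOTS 4                    /* assumed size of the toy table */

struct vcpu { int id; };

struct vm {
    struct vcpu *vcpu_array[VCPU_SLOTS]; /* stands in for kvm->vcpu_array */
    unsigned long online_vcpus;          /* stands in for kvm->online_vcpus */
};

/* Same arithmetic as the kernel's generic array_index_mask_nospec():
 * mask is all ones when index < size and all zeros otherwise, so a bad
 * index is clamped to 0 instead of being reported as invalid. */
static unsigned long index_nospec(unsigned long index, unsigned long size)
{
    unsigned long mask = (unsigned long)(~(long)(index | (size - index - 1))
                                         >> (sizeof(long) * 8 - 1));
    return index & mask;
}

/* Pre-fix shape: clamp, then load. A bad index silently becomes slot 0,
 * which may hold a vCPU that was inserted but never finished creation. */
static struct vcpu *get_vcpu_vulnerable(struct vm *vm, unsigned long idx)
{
    idx = index_nospec(idx, vm->online_vcpus);
    return vm->vcpu_array[idx];
}

/* Post-fix shape: reject any index at or beyond online_vcpus first, and
 * only then apply the speculation clamp. Bad indices yield NULL. */
static struct vcpu *get_vcpu_fixed(struct vm *vm, unsigned long idx)
{
    unsigned long num = vm->online_vcpus;
    if (idx >= num)
        return NULL;
    idx = index_nospec(idx, num);
    return vm->vcpu_array[idx];
}

/* Constructed scenario: every slot is populated, because the kernel inserts
 * into the array before publishing the vCPU, but only 'online' of them have
 * finished creation. Returns the id of the vCPU found, or -1 for NULL. */
static int lookup_id(int online, unsigned long idx, int use_fixed)
{
    static struct vcpu pool[VCPU_SLOTS] = { {0}, {1}, {2}, {3} };
    struct vm vm;
    struct vcpu *v;
    int i;

    for (i = 0; i < VCPU_SLOTS; i++)
        vm.vcpu_array[i] = &pool[i];
    vm.online_vcpus = (unsigned long)online;

    v = use_fixed ? get_vcpu_fixed(&vm, idx) : get_vcpu_vulnerable(&vm, idx);
    return v ? v->id : -1;
}

int lookup_id_vulnerable(int online, unsigned long idx) { return lookup_id(online, idx, 0); }
int lookup_id_fixed(int online, unsigned long idx)      { return lookup_id(online, idx, 1); }

int main(void)
{
    /* online_vcpus = 0: slot 0 exists in the table but is not yet online */
    printf("online=0 idx=0  vulnerable=%d fixed=%d\n",
           lookup_id_vulnerable(0, 0), lookup_id_fixed(0, 0));
    /* online_vcpus = 1: an out-of-range index clamps to slot 0 pre-fix */
    printf("online=1 idx=7  vulnerable=%d fixed=%d\n",
           lookup_id_vulnerable(1, 7), lookup_id_fixed(1, 7));
    /* a valid index behaves the same in both versions */
    printf("online=2 idx=1  vulnerable=%d fixed=%d\n",
           lookup_id_vulnerable(2, 1), lookup_id_fixed(2, 1));
    return 0;
}
```

The first two rows show the defect the advisory describes: before the fix, a request for a not-yet-online or out-of-range vCPU resolves to slot 0, which is exactly the object kvm_vm_ioctl_create_vcpu() frees when creation fails. With the online check in front of the clamp, the same requests return NULL and the caller drops them, while valid indices are unaffected.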

CWE(s)

CWE-416 Use After Free

Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Why these techniques?

The use-after-free in kvm_get_vcpu() is a local kernel vulnerability in KVM that can be triggered from unprivileged user-space or guest context to achieve arbitrary code execution or crash, directly enabling privilege escalation on the host.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-23111 (same product: Linux kernel)
CVE-2026-31530 (same product: Linux kernel)
CVE-2026-43019 (same product: Linux kernel)
CVE-2026-23158 (same product: Linux kernel)
CVE-2025-21893 (same product: Linux kernel)
CVE-2026-31446 (same product: Linux kernel)
CVE-2026-31650 (same product: Linux kernel)
CVE-2026-23001 (same product: Linux kernel)
CVE-2024-50051 (same product: Linux kernel)
CVE-2025-21759 (same product: Linux kernel)

Affected Assets

Vendor: linux
Product: linux kernel
Affected versions: 4.14.120 to 4.15; 4.19.44 to 4.20; 5.0.17 to 5.4.291

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)

Directly remediates the use-after-free flaw in kvm_get_vcpu() by applying kernel patches that explicitly verify vCPU online status before access.

SI-10 Information Input Validation (prevent)

Requires validation of vCPU indices to reject invalid inputs, preventing access to uninitialized or freed vCPU0 as fixed in the CVE patches.

Memory protection (prevent)

Implements memory protections that mitigate use-after-free exploitation in the KVM subsystem even if the specific flaw is triggered.
