CVE-2023-5090: 
Linux Kernel vulnerability analysis and mitigation

A flaw was found in KVM (Kernel Virtual Machine) identified as CVE-2023-5090. The vulnerability stems from an improper check in svmsetx2apicmsrinterception() function that may allow direct access to host x2apic MSRs when the guest resets its APIC. This vulnerability was discovered by Maxim Levitsky and was publicly disclosed on November 6, 2023 (Ubuntu Security, NVD).

The vulnerability exists in the KVM nested virtualization (SVM) implementation for AMD processors in the Linux kernel. The issue specifically affects the handling of x2AVIC MSRs in the svmsetx2apicmsrinterception() function. The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (Medium) with the vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).

When exploited, this vulnerability could allow an attacker in a guest VM to cause a denial of service condition by affecting the integrity of the host x2APIC, potentially leading to a host kernel crash (Ubuntu Security).

The vulnerability has been fixed in multiple Linux distributions through security updates. Red Hat has released patches for RHEL 8 and 9 through various security advisories including RHSA-2024:2758, RHSA-2024:3854, and RHSA-2024:3855. Ubuntu has also fixed the issue in versions 23.10 (mantic) and 23.04 (lunar) (Red Hat Security, Ubuntu Security).