CVE-2024-25744: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-25744 affects the Linux kernel versions before 6.6.7. The vulnerability allows an untrusted Virtual Machine Monitor (VMM) to trigger int80 syscall handling at any given point, specifically related to the files arch/x86/coco/tdx/tdx.c and arch/x86/mm/memencryptamd.c. The vulnerability was discovered by Supraja Sridhara, Benedict Schlüter, Mark Kuhne, Andrin Bertschi, and Shweta Shinde (Kernel Patch).

The vulnerability exists because the INT 0x80 instruction, used for 32-bit x86 Linux syscalls, can be triggered by external interrupts on the same vector. The kernel interprets an external interrupt on vector 0x80 as a 32-bit system call from userspace. Since a VMM can inject external interrupts on any arbitrary vector at any time, even in TDX and SEV guests where the VMM is untrusted, this allows manipulation of guest OS behavior. The content of the guest register file at the moment of interrupt injection defines what syscall is triggered and its arguments (Kernel Patch). The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H (NVD).

Successful exploitation of this vulnerability could lead to disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS). The vulnerability allows an untrusted VMM to manipulate the guest OS behavior through syscall injection (NetApp Advisory).

The primary mitigation is to update to Linux kernel version 6.6.7 or later. For TDX and SEV guests, 32-bit emulation is disabled by default as a security measure, though users can override this with the ia32_emulation=y command line option (Kernel Patch).