CVE-2023-54172
Awaiting Analysis - Queue
BaseFortify

Publication date: 2025-12-30

Last updated on: 2025-12-31

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

x86/hyperv: Disable IBT when hypercall page lacks ENDBR instruction

On hardware that supports Indirect Branch Tracking (IBT), Hyper-V VMs with ConfigVersion 9.3 or later support IBT in the guest. However, current versions of Hyper-V have a bug in that there's not an ENDBR64 instruction at the beginning of the hypercall page. Since hypercalls are made with an indirect call to the hypercall page, all hypercall attempts fail with an exception and Linux panics.

A Hyper-V fix is in progress to add ENDBR64. But guard against the Linux panic by clearing X86_FEATURE_IBT if the hypercall page doesn't start with ENDBR. The VM will boot and run without IBT.

If future Linux 32-bit kernels were to support IBT, additional hypercall page hackery would be needed to make IBT work for such kernels in a Hyper-V VM.
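The guard described above, modelled as an added userspace example in C. It is not the kernel patch: `classify_entry`, `keep_ibt` and the two sample page prefixes are constructed for illustration, and only the ENDBR64/ENDBR32 opcodes are the real instruction encodings.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Landing-pad opcodes: ENDBR64 = F3 0F 1E FA, ENDBR32 = F3 0F 1E FB. */
static const uint8_t ENDBR64[4] = { 0xf3, 0x0f, 0x1e, 0xfa };
static const uint8_t ENDBR32[4] = { 0xf3, 0x0f, 0x1e, 0xfb };

enum landing_pad { PAD_NONE, PAD_ENDBR64, PAD_ENDBR32 };

/* Classify the first instruction of an indirect-call target. */
enum landing_pad classify_entry(const uint8_t *page, size_t len)
{
    if (page == NULL || len < sizeof(ENDBR64))
        return PAD_NONE;                 /* too short to hold ENDBR */
    if (memcmp(page, ENDBR64, sizeof(ENDBR64)) == 0)
        return PAD_ENDBR64;
    if (memcmp(page, ENDBR32, sizeof(ENDBR32)) == 0)
        return PAD_ENDBR32;
    return PAD_NONE;
}

/*
 * Model of the decision for a 64-bit guest: IBT stays on only if the CPU
 * offers it and the hypercall page starts with ENDBR64. ENDBR32 is the
 * landing pad for 32-bit code, so it does not satisfy a 64-bit caller.
 */
bool keep_ibt(bool cpu_has_ibt, const uint8_t *hypercall_page, size_t len)
{
    if (!cpu_has_ibt)
        return false;
    return classify_entry(hypercall_page, len) == PAD_ENDBR64;
}

/* Constructed samples: "vmcall; ret" without and with a leading ENDBR64. */
static const uint8_t page_without_endbr[] = { 0x0f, 0x01, 0xc1, 0xc3 };
static const uint8_t page_with_endbr[] = { 0xf3, 0x0f, 0x1e, 0xfa,
                                           0x0f, 0x01, 0xc1, 0xc3 };

int main(void)
{
    printf("page without ENDBR64: keep IBT = %d\n",
           keep_ibt(true, page_without_endbr, sizeof(page_without_endbr)));
    printf("page with ENDBR64:    keep IBT = %d\n",
           keep_ibt(true, page_with_endbr, sizeof(page_with_endbr)));
    return 0;
}
```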
Meta Information
Published: 2025-12-30
Last Modified: 2025-12-31
Generated: 2026-06-16
AI Q&A: 2025-12-30
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Currently, no data is known.
CWE ID: CWE-UNKNOWN
Executive Summary

This vulnerability involves the Linux kernel running on Hyper-V virtual machines (VMs) with hardware that supports Indirect Branch Tracking (IBT). Hyper-V VMs with ConfigVersion 9.3 or later support IBT, but there is a bug where the hypercall page does not start with the required ENDBR64 instruction. Since hypercalls use indirect calls to this page, the absence of ENDBR64 causes all hypercall attempts to fail, leading to exceptions and Linux kernel panics. A fix is underway in Hyper-V to add the ENDBR64 instruction, but meanwhile, Linux disables IBT if the hypercall page lacks ENDBR to prevent panics, allowing the VM to boot and run without IBT.

Impact Analysis

This vulnerability can cause Linux virtual machines running on Hyper-V with IBT-enabled hardware to experience kernel panics due to failed hypercalls. This results in system crashes and instability, potentially causing downtime or loss of service in affected environments. The workaround disables IBT to prevent panics, which may reduce security protections related to indirect branch tracking but allows the VM to continue running.

Mitigation Strategies

To mitigate this vulnerability, ensure that your Hyper-V environment is updated with the fix that adds the ENDBR64 instruction at the beginning of the hypercall page. Meanwhile, the Linux kernel disables IBT (Indirect Branch Tracking) if the hypercall page lacks the ENDBR instruction, preventing panics. Therefore, updating your Linux kernel to a version that includes this fix will help avoid the panic. Additionally, monitor for Hyper-V updates that address this issue.
