CVE-2023-54172
Awaiting Analysis Awaiting Analysis - Queue

BaseFortify

Vulnerability report for CVE-2023-54172, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2025-12-30

Last updated on: 2025-12-31

Assigner: kernel.org

Description

In the Linux kernel, the following vulnerability has been resolved: x86/hyperv: Disable IBT when hypercall page lacks ENDBR instruction On hardware that supports Indirect Branch Tracking (IBT), Hyper-V VMs with ConfigVersion 9.3 or later support IBT in the guest. However, current versions of Hyper-V have a bug in that there's not an ENDBR64 instruction at the beginning of the hypercall page. Since hypercalls are made with an indirect call to the hypercall page, all hypercall attempts fail with an exception and Linux panics. A Hyper-V fix is in progress to add ENDBR64. But guard against the Linux panic by clearing X86_FEATURE_IBT if the hypercall page doesn't start with ENDBR. The VM will boot and run without IBT. If future Linux 32-bit kernels were to support IBT, additional hypercall page hackery would be needed to make IBT work for such kernels in a Hyper-V VM.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2025-12-30
Last Modified
2025-12-31
Generated
2026-07-06
AI Q&A
2025-12-30
EPSS Evaluated
2026-07-05
NVD

Affected Vendors & Products

Currently, no data is known.

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability involves the Linux kernel running on Hyper-V virtual machines (VMs) with hardware that supports Indirect Branch Tracking (IBT). Hyper-V VMs with ConfigVersion 9.3 or later support IBT, but there is a bug where the hypercall page does not start with the required ENDBR64 instruction. Since hypercalls use indirect calls to this page, the absence of ENDBR64 causes all hypercall attempts to fail, leading to exceptions and Linux kernel panics. A fix is underway in Hyper-V to add the ENDBR64 instruction, but meanwhile, Linux disables IBT if the hypercall page lacks ENDBR to prevent panics, allowing the VM to boot and run without IBT.

Impact Analysis

This vulnerability can cause Linux virtual machines running on Hyper-V with IBT-enabled hardware to experience kernel panics due to failed hypercalls. This results in system crashes and instability, potentially causing downtime or loss of service in affected environments. The workaround disables IBT to prevent panics, which may reduce security protections related to indirect branch tracking but allows the VM to continue running.

Mitigation Strategies

To mitigate this vulnerability, ensure that your Hyper-V environment is updated with the fix that adds the ENDBR64 instruction at the beginning of the hypercall page. Meanwhile, the Linux kernel disables IBT (Indirect Branch Tracking) if the hypercall page lacks the ENDBR instruction, preventing panics. Therefore, updating your Linux kernel to a version that includes this fix will help avoid the panic. Additionally, monitor for Hyper-V updates that address this issue.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2023-54172. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart