CVE-2024-36913 Overview
CVE-2024-36913 is a Linux kernel vulnerability in the Hyper-V VMBus driver (drivers/hv/vmbus) affecting Confidential Computing (CoCo) virtual machines. When set_memory_encrypted() or set_memory_decrypted() fails, the VMBus code could free pages that remain in a shared/decrypted state back to the page allocator. An untrusted host can intentionally induce these failures, causing decrypted memory to be recycled by the kernel for other uses. The resolution is to leak the affected pages rather than return them to the allocator, preventing functional and security issues. The flaw is tracked under CWE-1258 (exposure of sensitive system information due to uncleared debug information) and impacts the confidentiality guarantees that CoCo VMs are designed to provide.
Critical Impact
An untrusted hypervisor can force set_memory_encrypted() failures and cause the Linux guest kernel to return shared (decrypted) pages to the page allocator, undermining CoCo memory isolation.
Affected Products
- Linux kernel mainline through 6.9-rc3 (Hyper-V VMBus driver)
- Linux kernel stable branches prior to the fix commits
- Debian GNU/Linux 11 (bullseye)
Discovery Timeline
- 2024-05-30 - CVE-2024-36913 published to NVD
- 2025-11-14 - Last updated in NVD database
Technical Details for CVE-2024-36913
Vulnerability Analysis
The vulnerability resides in the Linux kernel Hyper-V VMBus subsystem that supports Confidential Computing virtual machines such as AMD SEV-SNP and Intel TDX guests. CoCo guests rely on encrypted memory and explicitly mark pages as shared (decrypted) when communicating with the host through paravirtualized devices like VMBus. The functions set_memory_encrypted() and set_memory_decrypted() change the encryption state of guest pages by issuing hypercalls to the host.
Because the host is untrusted in the CoCo threat model, it can return errors from these operations. The original VMBus code did not handle these failures defensively. If set_memory_encrypted() failed during teardown, the pages remained shared but were still freed back to the page allocator. The kernel could then reallocate those decrypted pages for sensitive purposes such as kernel structures or user data, exposing them to host inspection or modification.
Root Cause
The root cause is improper error handling around memory re-encryption transitions in the VMBus driver. The driver assumed set_memory_encrypted() would always succeed and unconditionally freed buffers. In CoCo environments, the host can force these calls to fail, leaving the kernel with shared pages that are improperly recycled.
Attack Vector
A malicious or compromised hypervisor manipulates responses to encryption-state hypercalls issued by the guest VMBus driver. By causing set_memory_encrypted() to fail at strategic moments, the host triggers the freeing of decrypted pages into the guest page allocator. Subsequent allocations of those pages for kernel objects or user buffers can leak secrets to the host or allow the host to tamper with sensitive guest state. The attack requires control of the host, which is the standard adversary in the CoCo threat model.
No verified public exploit code is available for this issue. The fix, applied across kernel stable branches in commits 03f5a999adba, 6123a4e8e25b, 7f2afcbfe4f6, and e813a0fc2e59, intentionally leaks the affected pages when encryption-state changes fail, ensuring they never re-enter the allocator.
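The pre-fix and post-fix teardown logic described above, modelled in user space as an added example (this is not the kernel patch or code from the VMBus driver). The model_* helpers, the toy page struct and the hostile-host flag are assumptions standing in for set_memory_encrypted(), set_memory_decrypted() and the page allocator.

```c
/* User-space model (added illustration); model_* names are hypothetical stand-ins. */
#include <stdbool.h>
#include <stdio.h>
#define NPAGES 4
struct page { bool shared; bool in_allocator; };  /* toy per-page state */
static struct page pool[NPAGES];
static bool host_fails_encrypt;                   /* models the untrusted host */

static void model_set_memory_decrypted(struct page *p) { p->shared = true; }
static int model_set_memory_encrypted(struct page *p)
{
    if (host_fails_encrypt)
        return -1;            /* host refused: the page stays shared */
    p->shared = false;
    return 0;
}
static void model_free_page(struct page *p) { p->in_allocator = true; }

/* Pre-fix pattern: return value ignored, buffer freed unconditionally. */
static void teardown_vulnerable(struct page *p)
{
    (void)model_set_memory_encrypted(p);
    model_free_page(p);
}
/* Post-fix pattern: a failed re-encryption leaks the page on purpose. */
static void teardown_fixed(struct page *p)
{
    if (model_set_memory_encrypted(p) != 0)
        return;               /* never hand a shared page to the allocator */
    model_free_page(p);
}

/* Share every page, tear it down, count shared pages the guest could reuse. */
static int run_scenario(bool fixed, bool hostile_host)
{
    int exposed = 0;
    host_fails_encrypt = hostile_host;
    for (int i = 0; i < NPAGES; i++) {
        pool[i] = (struct page){ false, false };
        model_set_memory_decrypted(&pool[i]);
        if (fixed) teardown_fixed(&pool[i]); else teardown_vulnerable(&pool[i]);
        exposed += pool[i].shared && pool[i].in_allocator;
    }
    return exposed;
}

int main(void)
{
    printf("pre-fix: %d exposed, post-fix: %d exposed\n",
           run_scenario(false, true), run_scenario(true, true));
    return 0;
}
```

With a cooperative host both variants behave identically; the two diverge only when the re-encryption call fails, which is the case the host controls.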
Detection Methods for CVE-2024-36913
Indicators of Compromise
- Kernel log warnings from the hv_vmbus driver referencing failures in set_memory_encrypted() or set_memory_decrypted()
- Unexpected memory leaks reported by /proc/meminfo or slabinfo in long-running CoCo guests, correlating with VMBus channel teardown events
- Anomalous hypercall return codes from the host affecting page state transitions
Detection Strategies
- Audit running kernel versions on all Hyper-V CoCo guests and compare against the patched stable releases that include commits 03f5a999adba, 6123a4e8e25b, 7f2afcbfe4f6, and e813a0fc2e59
- Monitor dmesg for VMBus error paths indicating failed memory encryption state changes
- Use configuration management tooling to identify Debian 11 systems still running pre-patch kernel packages
Monitoring Recommendations
- Forward kernel logs from CoCo guests to a centralized logging or SIEM platform and alert on hv_vmbus error patterns
- Track kernel package versions across the fleet and flag hosts running affected versions
- Establish baselines for CoCo guest memory usage to detect abnormal growth that may indicate the patched leak path is being exercised by a hostile host
How to Mitigate CVE-2024-36913
Immediate Actions Required
- Update the Linux kernel on all Hyper-V CoCo guests to a version containing the upstream fix commits listed in the kernel.org stable advisories
- Apply Debian security updates for linux packages as described in the Debian LTS Announcement
- Reboot affected guests after kernel update to load the patched VMBus driver
Patch Information
The fix is distributed across four upstream commits: 03f5a999adba062456c8c818a683beb1b498983a, 6123a4e8e25bd40cf44db14694abac00e6b664e6, 7f2afcbfe4f6b6047b5f68db5067b7321e5be125, and e813a0fc2e597146e9cebea61ced9c796d4e308f. The patches modify the VMBus driver to deliberately leak pages when set_memory_encrypted() returns an error, preventing decrypted pages from being returned to the page allocator. Debian LTS shipped corresponding packages in the October 2025 announcement.
Workarounds
- No functional workaround exists short of patching, since the issue is in kernel memory-management logic
- Operate CoCo guests only on trusted Hyper-V hosts until the kernel update is applied, reducing the likelihood of a malicious hypervisor inducing the failure path
- Where feasible, avoid frequent VMBus channel teardown and re-creation, which is the code path exercised by the vulnerability
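```bash
# Verify running kernel version on a Debian guest
uname -r
# Apply Debian security updates and reboot
# (strip the version and ABI fields so flavours such as cloud-amd64 keep their own metapackage)
sudo apt update && sudo apt upgrade -y "linux-image-$(uname -r | sed -E 's/^[^-]+-[^-]+-//')"
sudo reboot
```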
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


