A vulnerability in vhost-net allows bypassing guest isolation on QEMU-KVM systems

Details have been disclosed of a vulnerability (CVE-2019-14835) that allows escaping the guest system under KVM (qemu-kvm) and executing code on the host side in the context of the Linux kernel. The vulnerability has been codenamed V-gHost. From inside the guest, an attacker can create the conditions for a buffer overflow in the vhost-net kernel module (the kernel-side network backend for virtio), which runs on the host. The attack requires privileged access inside the guest and can only be carried out while a live migration of the virtual machine is in progress.
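To show what kind of overflow the article is describing, below is a simplified user-space model of the descriptor walk in the Linux vhost code, written for this page (it is not kernel code and not from the original article). It follows the upstream fix commit "vhost: make sure log_num < in_num": during migration the host logs every guest-writable descriptor in a log array that is the same size as the iov array, but the bounds check only counted iov slots, and a zero-length descriptor consumed no iov slot while still advancing the log index. The ring size, array sizes, structure layouts and the `model_` helper names are assumptions chosen for the demonstration; where the kernel wrote past the array, the model stops and reports -EOVERFLOW instead.

```c
/*
 * Simplified model of the vhost descriptor walk behind CVE-2019-14835.
 * Added example, not Linux kernel code: sizes and structures are reduced
 * so the counter divergence between in_num and log_num is easy to see.
 */
#include <stdint.h>
#include <stdio.h>
#include <errno.h>

#define MODEL_IOV_MAX   8    /* stands in for UIO_MAXIOV (1024); small for the demo */
#define MODEL_RING_SIZE 32   /* assumed ring size, larger than the iov/log arrays */

struct model_desc { uint64_t addr; uint32_t len; uint16_t flags; uint16_t next; };
#define MODEL_DESC_F_NEXT  1u   /* chain continues at 'next' */
#define MODEL_DESC_F_WRITE 2u   /* device writes into this buffer (input descriptor) */

struct model_iov { uint64_t base; uint32_t len; };
struct model_log { uint64_t addr; uint32_t len; };

/* Last walk's counters, exposed so a caller can inspect them after model_run(). */
unsigned model_last_in_num, model_last_log_num;

/* Stand-in for translate_desc(): iov slots used for the buffer, 0 for an empty one. */
static int model_translate(uint64_t addr, uint32_t len, struct model_iov *iov, unsigned cap)
{
    if (len == 0)
        return 0;              /* nothing to map, no iov slot consumed */
    if (cap == 0)
        return -ENOBUFS;       /* the only bound the original code enforced */
    iov->base = addr;
    iov->len = len;
    return 1;
}

/*
 * Walk a chain of write-only descriptors from 'head'. Returns the number of
 * descriptors consumed or a negative errno. 'fixed' selects the upstream fix:
 * log only descriptors that actually mapped something (ret > 0).
 */
static int model_get_vq_desc(const struct model_desc *ring, unsigned ring_size, unsigned head,
                             struct model_iov *iov, unsigned iov_size, unsigned *in_num,
                             struct model_log *log, unsigned *log_num, int fixed)
{
    unsigned i = head, walked = 0;
    *in_num = 0;
    *log_num = 0;
    for (;;) {
        const struct model_desc *d;
        int ret;
        if (i >= ring_size || walked++ >= ring_size)
            return -EINVAL;    /* bad index or looping chain */
        d = &ring[i];
        if (!(d->flags & MODEL_DESC_F_WRITE))
            return -EINVAL;    /* model handles only input descriptors */
        ret = model_translate(d->addr, d->len, iov + *in_num, iov_size - *in_num);
        if (ret < 0)
            return ret;        /* iov exhausted: bounds in_num, but not log_num */
        *in_num += ret;
        if (log && (!fixed || ret)) {
            if (*log_num >= iov_size)   /* kernel had no such check: write went past log[] */
                return -EOVERFLOW;
            log[*log_num].addr = d->addr;
            log[*log_num].len = d->len;
            ++*log_num;
        }
        if (!(d->flags & MODEL_DESC_F_NEXT))
            return (int)walked;
        i = d->next;
    }
}

/* Guest-controlled chain of 'n' write-only descriptors of length 'len' (constructed input). */
static void model_build_chain(struct model_desc *ring, unsigned n, uint32_t len)
{
    for (unsigned k = 0; k < n; k++) {
        ring[k].addr = 0x1000 + (uint64_t)k * 0x100;
        ring[k].len = len;
        ring[k].flags = (uint16_t)(MODEL_DESC_F_WRITE | (k + 1 < n ? MODEL_DESC_F_NEXT : 0));
        ring[k].next = (uint16_t)(k + 1);
    }
}

/* One walk with logging enabled, i.e. a live migration in progress. */
int model_run(unsigned chain_len, uint32_t desc_len, int fixed)
{
    struct model_desc ring[MODEL_RING_SIZE] = {{0}};
    struct model_iov iov[MODEL_IOV_MAX];
    struct model_log log[MODEL_IOV_MAX];   /* same size as iov[], as vq->log is in the kernel */
    model_build_chain(ring, chain_len, desc_len);
    return model_get_vq_desc(ring, MODEL_RING_SIZE, 0, iov, MODEL_IOV_MAX,
                             &model_last_in_num, log, &model_last_log_num, fixed);
}

int main(void)
{
    int r = model_run(MODEL_IOV_MAX + 4, 0, 0);
    printf("vulnerable, zero-length chain: ret=%d in_num=%u log_num=%u\n",
           r, model_last_in_num, model_last_log_num);
    r = model_run(MODEL_IOV_MAX + 4, 0, 1);
    printf("fixed,      zero-length chain: ret=%d in_num=%u log_num=%u\n",
           r, model_last_in_num, model_last_log_num);
    r = model_run(MODEL_IOV_MAX + 4, 64, 0);
    printf("vulnerable, normal chain:      ret=%d in_num=%u log_num=%u\n",
           r, model_last_in_num, model_last_log_num);
    return 0;
}
```

With normal-length descriptors the iov check stops the walk at MODEL_IOV_MAX and log_num never exceeds it; with a chain of zero-length descriptors in_num stays at 0, so the iov check never fires and the unfixed walk keeps writing log entries until the array is full (the point where the real kernel corrupted memory). The fix skips logging when nothing was mapped, so log_num can never exceed in_num.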

The fix is included in the Linux 5.3 kernel. As workarounds, you can disable live migration of guest systems or disable the vhost-net module (add "blacklist vhost_net" to /etc/modprobe.d/blacklist.conf; modprobe treats "vhost-net" and "vhost_net" as the same name). Note that blacklisting only prevents the module from being loaded in future; a module that is already loaded must be unloaded, and guests then fall back to QEMU's userspace virtio-net backend at a performance cost. The problem has been present since Linux kernel 2.6.34. The vulnerability has been fixed in Ubuntu and Fedora, but at the time of writing remains unpatched in Debian, Arch Linux, SUSE and RHEL.

Source: opennet.ru
