CVE-2020-36313

7.8 HIGH

📋 TL;DR

This vulnerability in the Linux kernel's KVM subsystem allows out-of-range access to memory slots after deletion, potentially leading to memory corruption. It affects Linux systems running kernel versions before 5.7 with KVM virtualization enabled. Attackers with access to a guest VM could exploit this to compromise the host system.

💻 Affected Systems

Products:
  • Linux kernel
Versions: All versions before 5.7
Operating Systems: Linux distributions using affected kernel versions
Default Config Vulnerable: ✅ No
Notes: Only vulnerable if KVM virtualization is enabled and in use. Many cloud providers and virtualization hosts are affected.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...


⚠️ Risk & Real-World Impact

🔴 Worst Case: Full host system compromise through memory corruption leading to arbitrary code execution on the hypervisor.

🟠 Likely Case: Guest-to-host escape resulting in privilege escalation, denial of service, or information disclosure from the host.

🟢 If Mitigated: Limited impact if KVM is disabled or proper access controls restrict who can create/manage VMs.

🌐 Internet-Facing: LOW - Requires access to a guest VM, not directly exploitable from internet.
🏢 Internal Only: MEDIUM - Internal attackers with VM access could exploit this for privilege escalation.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires access to a guest VM and knowledge of KVM internals. No public exploits have been documented.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Linux kernel 5.7 and later

Vendor Advisory: https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.7

Restart Required: Yes

Instructions:

1. Update Linux kernel to version 5.7 or later.
2. Reboot the system.
3. For distributions with backported patches, apply the security update for CVE-2020-36313.

🔧 Temporary Workarounds

Disable KVM

linux

Disable KVM virtualization if not required

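# Unload the vendor module first; kvm cannot be removed while kvm_intel or kvm_amd uses it
for m in kvm_intel kvm_amd kvm; do modprobe -r "$m"; done
printf 'blacklist %s\n' kvm kvm_intel kvm_amd >> /etc/modprobe.d/blacklist.conf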

🧯 If You Can't Patch

  • Restrict VM creation/management to trusted administrators only
  • Implement strict network segmentation between VMs and critical systems

🔍 How to Verify

Check if Vulnerable:

Check the kernel version with uname -r. If the version is below 5.7 and KVM is loaded (lsmod | grep kvm), the system is vulnerable.

Check Version:

uname -r

Verify Fix Applied:

Verify kernel version is ≥ 5.7 with uname -r and check that the system is stable with KVM enabled.
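
The two checks above combined into one script, as an added example that is not part of the original advisory. The function names are hypothetical and the module listing is a constructed sample. A distribution kernel that carries a backported fix still reports a release below 5.7, so a "vulnerable" result should be confirmed against the vendor's advisory.

```shell
#!/bin/sh
# Added example: the page's two checks (kernel release below 5.7, kvm loaded).
# Function names are hypothetical. A distribution kernel with a backported fix
# still reports an old release, so "vulnerable" means "confirm with the vendor".

# Exit 0 if RELEASE (e.g. "5.4.0-42-generic") is below 5.7, 1 if not,
# 2 if the release string cannot be parsed.
kernel_before_5_7() {
    rel=${1%%[!0-9.]*}                 # strip suffix such as "-42-generic"
    case "$rel" in *.*) ;; *) return 2 ;; esac
    major=${rel%%.*}; rest=${rel#*.}; minor=${rest%%.*}
    case "$major" in ''|*[!0-9]*) return 2 ;; esac
    case "$minor" in ''|*[!0-9]*) return 2 ;; esac
    [ "$major" -lt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -lt 7 ]; }
}

# Exit 0 if a module named exactly "kvm" is listed in FILE (/proc/modules
# format, the data lsmod prints). A KVM built into the kernel image is not
# listed there.
kvm_loaded() {
    [ -r "$1" ] || return 1
    awk '$1 == "kvm" { found = 1 } END { exit !found }' "$1"
}

# Print one of: vulnerable, kvm-not-loaded, fixed-version, unknown-release.
cve_2020_36313_status() {
    rc=0
    kernel_before_5_7 "$1" || rc=$?
    case "$rc" in
        0) if kvm_loaded "${2:-/proc/modules}"; then echo vulnerable
           else echo kvm-not-loaded; fi ;;
        1) echo fixed-version ;;
        *) echo unknown-release ;;
    esac
}

# Constructed sample in /proc/modules format (not captured from a real host).
sample=$(mktemp)
printf '%s\n' 'kvm_intel 282624 0 - Live 0x0' \
              'kvm 663552 1 kvm_intel, Live 0x0' > "$sample"
cve_2020_36313_status "5.4.0-42-generic" "$sample"
cve_2020_36313_status "$(uname -r)"    # the host this runs on
rm -f "$sample"
```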

📡 Detection & Monitoring

Log Indicators:

  • Kernel panic logs
  • KVM module crash reports
  • Unexpected memory access errors in dmesg

Network Indicators:

  • Unusual VM-to-host communication patterns

SIEM Query:

source="kernel" AND ("KVM" OR "memslot") AND ("panic" OR "crash" OR "corruption")
