Android Kernel Memory Tagging Extension Vulnerability in KVM on Arm64
Vulnerability
A vulnerability in the Android kernel's KVM implementation for the arm64 architecture allows local privilege escalation. The issue arises from a logic error in the memory protection functions: the host's Memory Tagging Extension (MTE) state is not managed correctly, so a malicious host could exploit the flaw to enable MTE for non-protected guests, potentially leading to system crashes or compromised guest environments. Exploitation requires no additional execution privileges and no user interaction.
Impact
Exploitation of this vulnerability could lead to execution of arbitrary code with elevated privileges, allowing an attacker to gain unauthorized access to system resources or sensitive information.
Reproduction
The vulnerability can be reproduced by configuring a KVM environment on an arm64 host that does not support, or has disabled, the Memory Tagging Extension. When non-protected guests are started, the KVM hypervisor may inadvertently enable MTE for them, creating an opportunity for exploitation.
Remediation
Users should update to the latest version of the Android kernel, where this vulnerability has been addressed by properly managing the Memory Tagging Extension state for KVM guests.
