KVM Nested Virtualization L1 Guest Privilege Escalation
Posted on 26 June 2018
When KVM (on Intel) virtualizes another hypervisor as an L1 VM, it does not verify that VMX instructions from the L1 VM come from ring 0. These instructions trigger a VM exit and are emulated by L0 KVM.
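
The missing check, shown as an added example in a small C model (not KVM's code and not from the original post). The struct, the function names and the sample vCPU state are constructed for illustration; the hardened variant queues #GP for a non-zero CPL, which is what the CPU itself does for VMX instructions executed outside ring 0.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of L0's view of an L1 vCPU; not KVM's real structures. */
enum fault { FAULT_NONE = 0, FAULT_UD = 6, FAULT_GP = 13 };

struct vcpu_model {
    uint8_t cpl;        /* privilege level of the L1 code that trapped (0..3) */
    bool vmxon;         /* L1 has entered VMX operation */
    enum fault pending; /* exception L0 will inject into L1 */
    unsigned emulated;  /* VMX instructions L0 has emulated */
};

/* Behaviour the page describes: VMX state is checked, the ring is not. */
static bool check_flawed(struct vcpu_model *v)
{
    if (!v->vmxon) { v->pending = FAULT_UD; return false; }
    return true;
}

/* Hardened: reject any caller outside ring 0 with #GP, as bare metal does. */
static bool check_hardened(struct vcpu_model *v)
{
    if (!v->vmxon) { v->pending = FAULT_UD; return false; }
    if (v->cpl != 0) { v->pending = FAULT_GP; return false; }
    return true;
}

typedef bool (*perm_fn)(struct vcpu_model *);
/* L0 handler for a trapped VMX instruction; returns the fault queued for L1. */
static enum fault handle_vmx_exit(struct vcpu_model *v, perm_fn check)
{
    v->pending = FAULT_NONE;
    if (check(v))
        v->emulated++;  /* stand-in for emulating VMREAD, VMWRITE, ... */
    return v->pending;
}

int main(void)
{
    struct vcpu_model a = { .cpl = 3, .vmxon = true };
    struct vcpu_model b = { .cpl = 3, .vmxon = true };
    enum fault fa = handle_vmx_exit(&a, check_flawed);
    enum fault fb = handle_vmx_exit(&b, check_hardened);
    printf("flawed:   fault=%d emulated=%u\n", fa, a.emulated);
    printf("hardened: fault=%d emulated=%u\n", fb, b.emulated);
    return 0;
}
```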