MEDIUM
The severity is rated MEDIUM. The technique is not a vulnerability in KVM or Firecracker; the risk comes from how a fleet of forked VMs is deployed. Every fork starts from the same snapshot, so any state that should be unique per VM is duplicated across all of them, and forks can be created faster than host limits are normally enforced, which can lead to resource contention. If forks are not separated at the network and resource level, environments that were assumed to be isolated can reach each other. Real-world exploitability is moderate and concentrated in homelab or single-host setups where that isolation is weaker. No patches are required; this is a technique analysis rather than a vulnerability disclosure.

This advisory discusses a technique for creating virtual machine (VM) instances in under a millisecond by restoring many Firecracker microVMs from a single snapshot and letting KVM share the snapshot's memory copy-on-write (CoW). The workflow: boot a VM, pre-load Python and numpy so the interpreter is already warm, pause the VM, and snapshot its memory and vCPU state to files. Each subsequent VM is restored from that snapshot with the memory file mapped privately, so all forks read the same physical pages through the host page cache and a page is copied only when a fork writes to it. The forks therefore share host memory, not each other's writes: CoW does not let one guest observe another guest's modifications. The security-relevant consequence is different. Every fork begins with byte-identical guest state, including everything captured in the snapshot: kernel and user-space random number generator state, cached tokens or keys, the guest MAC address and other identifiers. Values that must be unique per VM have to be regenerated after restore; Firecracker's snapshot documentation calls this out, and recent releases support the VM Generation ID (VMGenID) mechanism so the guest kernel can reseed its entropy pool on restore. Engineers and sysadmins using snapshot restore for rapid provisioning also need per-fork network and resource isolation (separate tap devices or network namespaces, cgroups, the Firecracker jailer) so that the sub-millisecond creation rate cannot exhaust the host or bridge environments that are supposed to be separate.
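To make the two properties above concrete, the following added example (not code from the original page or from the Firecracker project) uses process fork and a MAP_PRIVATE file mapping as a stand-in for VM fork and the snapshot memory file. The first function shows that privately mapped "snapshot" memory is shared until written and that a fork's writes never reach the file on disk; the second shows that a random number generator seeded before the fork yields the same token in every child unless each child reseeds. The seed value and the zero-filled memory file are constructed for the demonstration.

```python
import mmap
import os
import random
import tempfile

PAGE = mmap.PAGESIZE


def fork_and_collect(child_fn):
    """Fork one child that runs child_fn() and returns its bytes result via a pipe.
    The child stands in for one VM restored from the snapshot."""
    r, w = os.pipe()
    pid = os.fork()
    if pid == 0:  # child: run, report, and exit without touching parent state
        os.close(r)
        try:
            os.write(w, child_fn())
        finally:
            os._exit(0)
    os.close(w)
    chunks = []
    while True:
        chunk = os.read(r, 4096)
        if not chunk:
            break
        chunks.append(chunk)
    os.close(r)
    os.waitpid(pid, 0)
    return b"".join(chunks)


def cow_fork_views(n=2):
    """Map a constructed 'snapshot memory file' MAP_PRIVATE in n forked children.
    Each child writes its own id into the first byte and reports what it reads back.
    Returns (per-child views, first byte of the file on disk afterwards)."""
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(b"\x00" * PAGE)  # constructed: one zero page standing in for guest memory
        mem_path = f.name
    try:
        def make_child(i):
            def child():
                fd = os.open(mem_path, os.O_RDONLY)  # a fork never needs write access to the snapshot
                m = mmap.mmap(fd, PAGE, flags=mmap.MAP_PRIVATE,
                              prot=mmap.PROT_READ | mmap.PROT_WRITE)
                m[0] = i + 1          # first write triggers the copy-on-write of this page
                seen = bytes(m[0:1])  # this child's private view of the page
                m.close()
                os.close(fd)
                return seen
            return child

        views = [fork_and_collect(make_child(i)) for i in range(n)]
        with open(mem_path, "rb") as f:
            on_disk = f.read(1)  # still zero: no child's write reached the snapshot file
        return views, on_disk
    finally:
        os.unlink(mem_path)


def fork_tokens(n=3, reseed=False):
    """Seed a PRNG once in the parent (the 'snapshot'), then fork n children that
    each draw a 64-bit token. Without reseeding, every child draws the same token."""
    rng = random.Random(1234)  # constructed seed: stands in for entropy captured in the snapshot

    def child():
        if reseed:
            rng.seed(os.urandom(32))  # what VMGenID-triggered reseeding achieves inside the guest
        return rng.getrandbits(64).to_bytes(8, "big")

    return [fork_and_collect(child) for _ in range(n)]


if __name__ == "__main__":
    views, on_disk = cow_fork_views()
    print("child views:", views, "file on disk:", on_disk)
    print("identical tokens without reseed:", len(set(fork_tokens())) == 1)
    print("distinct tokens with reseed:", len(set(fork_tokens(reseed=True))) == 3)
```

The mapping is opened read-only and still accepts writes because MAP_PRIVATE redirects them to a private copy; that is the same property a Firecracker restore relies on when many VMs are backed by one memory file. The token half is the part that bites in practice: any session key, nonce or credential drawn from a PRNG seeded before the snapshot is shared by every fork until the guest reseeds.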

Affected Systems
  • Firecracker
  • KVM
Affected Versions: Not version-specific; applies to any deployment that restores many VMs from a single KVM snapshot with CoW memory sharing
Remediation
  • Isolate each fork at the network and resource level: its own tap device or network namespace, its own cgroup, and Firecracker's jailer, so that forks cannot reach environments they are not meant to share.
  • Regenerate per-VM state after restore: reseed the guest random number generator (VMGenID where supported, or explicit reseeding) and treat any credential, session key or token captured in the snapshot as shared by every fork.
  • Monitor and cap the number of concurrent forks; sub-millisecond creation makes it easy to oversubscribe host memory and CPU before normal limits take effect.
  • Keep KVM, the host kernel and Firecracker current so that snapshot and isolation fixes are picked up.
Stack Impact

In common homelab stacks, this technique matters where many VMs are forked from one snapshot for testing or development: forks created from a snapshot that contained credentials or a seeded random number generator all share them, and a burst of forks on one host competes for the same memory and CPU. The exact behaviour of snapshot restore and CoW sharing depends on the Firecracker and host kernel versions in use.
