Machine Check Error on Page Size Change Vulnerability

Machine Check Error on Page Size Change (MCEPSC) Speculative-Execution vulnerability


In a recent vulnerability report, Common Vulnerabilities and Exposures (CVE) has released CVE-2018-12207 (Machine Check Error Vulnerability) which raised a serious concern with the Intel processors where Intel processors can crash if a guest kernel alters the page size of an instruction fetch without first flushing the TLB. This machine check error vulnerability will result in a crash at the hypervisor.

A flaw was found in computer hardware of the Intel microprocessors related to the Instruction Translation Lookaside Buffer (ITLB) that caches translations from guest (and host) virtual addresses into physical addresses, also referred to as an address-translation cache, dedicated for executable instructions. This provides a level of abstraction for applications to have a simplified view of system memory. The ITLB functionality is transparent to software and its use significantly improves performance.

As instructions are executed, their linear (or virtual) address is translated to the corresponding physical address. This mapping of virtual to a physical address, for executable instructions, is cached in the ITLB.

A privileged software (operating system or Virtual Machine Monitor (VMM)) may change the page size (ex. 4KB, 2MB, 1GB) and/or other attributes in the paging structures. Generally, such paging structure changes should be followed by the invalidation of the cached ITLB entries corresponding to the changed pages. However, this ITLB invalidation may be delayed. This delay offers a time window wherein an attacker could invoke instruction fetch, which will result in processor using an invalid cached address translation from ITLB to access an invalid physical address, which would result in a machine check error exception, leading the system to go into a hang state.

A privileged attacker inside a guest VM can control its guest page table entries and craft a malicious kernel module that is able to execute specific instructions to create ITLB entries such that, when the page size corresponding to the cached entries is modified, subsequent instruction fetch which use the cached ITLB address translation, would trigger the Machine Check Error.  Machine Check errors will lead the CPU into an unrecoverable hang state, resulting in a system-wide DoS scenario.

Updates to these caches require synchronization with the processor’s internal data structures requiring the use of specific processor instructions (INVLPG and CR3 modifications in microcode).  
An attacker can instruct a malicious guest to request mapping for one location, switch the page size, and re-issue the request with the new page size without issuing the correct invalidation sequence required to invalidate the internal CPU cache state.

Intel shared this vulnerability with the public on the article: Intel® Processor Machine Check Error Advisory. All Intel processors are in scope.

Vendor Advisories on machine check error CVE-2018-12207

Since this issue is leading to the crash of the Hypervisors, Many operating system vendors have released their public-facing article for this issue. All Intel processors are in scope.

VMWare: VMware Security Advisories.

  • Performance impact for this issue may be approximately 5% in most workloads, and up to 25% in some microbenchmarks. Nested hypervisor and Windows virtualization-based security (VBS) suffer significant (80+%) performance impact.
  • Additional performance information can be found in KB 76050.

Microsoft: Windows Denial of Service Vulnerability

Red Hat: Machine Check Error on Page Size Change


For more Vulnerability Updates please visit:


Ashutosh Dixit

I am currently working as a Senior Technical Support Engineer with VMware Premier Services for Telco. Before this, I worked as a Technical Lead with Microsoft Enterprise Platform Support for Production and Premier Support. I am an expert in High-Availability, Deployments, and VMware Core technology along with Tanzu and Horizon.

Leave a Reply