Google now pays $250,000 for KVM zero-day vulnerabilities

Google has launched kvmCTF, a new vulnerability reward program first announced in October 2023 to improve the security of the Kernel-based Virtual Machine hypervisor that comes with $250,000 bounties for full VM escape exploits.
KVM, an open-source hypervisor with over 17 years of development, is a crucial component in consumer and enterprise settings, powering Android and Google Cloud platforms.
An active and key KVM contributor, Google developed kvmCTF as a collaborative platform to help identify and fix vulnerabilities, bolstering this vital security layer.
Like Google's kernelCTF vulnerability reward program, which targets Linux kernel security flaws, kvmCTF focuses on VM-reachable bugs in the Kernel-based Virtual Machine hypervisor.
The goal is to execute successful guest-to-host attacks, and QEMU or host-to-KVM vulnerabilities will not be awarded.
Security researchers who enroll in the program are provided with a controlled lab environment where they can use exploits to capture flags.
Unlike other vulnerability reward programs, kvmCTF focuses on zero-day vulnerabilities and will not reward exploits targeting known vulnerabilities.
The kvmCTF infrastructure is hosted on Google's Bare Metal Solution environment, highlighting the program's commitment to high-security standards.
Google will receive details of discovered zero-day vulnerabilities only after upstream patches are released, ensuring the information is shared with the open-source community simultaneously.
To get started, participants must review the kvmCTF rules, which include information on reserving time slots, connecting to the guest VM, obtaining flags, mapping various KASAN violations to reward tiers, as well as detailed instructions on reporting vulnerabilities.
Google patches exploited Android zero-day on Pixel devices.
Google fixes fifth Chrome zero-day exploited in attacks this year.
Google Pixel 6 series phones bricked after factory reset.
Cisco warns of NX-OS zero-day exploited to deploy custom malware.
Google Chrome to let Isolated Web App access sensitive USB devices.


This Cyber News was published on www.bleepingcomputer.com. Publication date: Tue, 02 Jul 2024 18:10:17 +0000


Cyber News related to Google now pays $250,000 for KVM zero-day vulnerabilities

CVE-2024-40953 - In the Linux kernel, the following vulnerability has been resolved: ...
4 weeks ago
CVE-2021-47094 - In the Linux kernel, the following vulnerability has been resolved: ...
8 months ago
CVE-2021-47092 - In the Linux kernel, the following vulnerability has been resolved: ...
8 months ago
Samsung Galaxy S23 hacked two more times at Pwn2Own Toronto - Security researchers hacked the Samsung Galaxy S23 smartphone two more times on the second day of the Pwn2Own 2023 hacking competition in Toronto, Canada. The contestants also demoed zero-day bugs in printers, routers, smart speakers, surveillance ...
11 months ago Bleepingcomputer.com
Samsung Galaxy S23 hacked twice on first day of Pwn2Own Toronto - Security researchers hacked the Samsung Galaxy S23 twice during the first day of the consumer-focused Pwn2Own 2023 hacking contest in Toronto, Canada. They also demoed exploits and vulnerability chains targeting zero-days in Xiaomi's 13 Pro ...
11 months ago Bleepingcomputer.com
Google now pays $250,000 for KVM zero-day vulnerabilities - Google has launched kvmCTF, a new vulnerability reward program first announced in October 2023 to improve the security of the Kernel-based Virtual Machine hypervisor that comes with $250,000 bounties for full VM escape exploits. KVM, an open-source ...
4 months ago Bleepingcomputer.com
Check Point released hotfix for actively exploited VPN zero-day - MUST READ. Check Point released hotfix for actively exploited VPN zero-day. Microsoft Patch Tuesday security updates for May 2024 fixes 2 actively exploited zero-days. Critical Fortinet's FortiClient EMS flaw actively exploited in the wild. Apple ...
5 months ago Securityaffairs.com
CVE-2021-47341 - In the Linux kernel, the following vulnerability has been resolved: KVM: mmio: Fix use-after-free Read in kvm_vm_ioctl_unregister_coalesced_mmio BUG: KASAN: use-after-free in kvm_vm_ioctl_unregister_coalesced_mmio+0x7c/0x1ec ...
5 months ago Tenable.com
CVE-2022-48763 - In the Linux kernel, the following vulnerability has been resolved: KVM: x86: Forcibly leave nested virt when SMM state is toggled Forcibly leave nested virtualization operation if userspace toggles SMM state via KVM_SET_VCPU_EVENTS or ...
5 months ago Tenable.com
Days After Google, Apple Reveals Exploited Zero-Day in Browser Engine - Apple has patched an actively exploited zero-day bug in its WebKit browser engine for Safari. Actively Exploited Apple yesterday described the vulnerability as something an attacker could exploit to execute arbitrary code on affected systems. ...
9 months ago Darkreading.com
10 of the biggest zero-day attacks of 2023 - Here are 10 of the biggest zero-day attacks of 2023 in chronological order. Zero-day attacks started strong in 2023 with CVE-2023-0669, a pre-authentication command injection vulnerability in Fortra's GoAnywhere managed file transfer product. ...
10 months ago Techtarget.com
CVE-2024-47744 - In the Linux kernel, the following vulnerability has been resolved: KVM: Use dedicated mutex to protect kvm_usage_count to avoid deadlock Use a dedicated mutex to guard kvm_usage_count to fix a potential deadlock on x86 due to a chain of locks and ...
4 weeks ago Tenable.com
CVE-2021-47230 - In the Linux kernel, the following vulnerability has been resolved: KVM: x86: Immediately reset the MMU context when the SMM flag is cleared Immediately reset the MMU context when the vCPU's SMM flag is cleared so that the SMM flag in the MMU role is ...
5 months ago Tenable.com
CVE-2024-26976 - In the Linux kernel, the following vulnerability has been resolved: KVM: Always flush async #PF workqueue when vCPU is being destroyed Always flush the per-vCPU async #PF workqueue when a vCPU is clearing its completion queue, e.g. when a VM and all ...
6 months ago Tenable.com
Apple fixes Safari WebKit zero-day flaw exploited at Pwn2Own - Apple has released security updates to fix a zero-day vulnerability in the Safari web browser exploited during this year's Pwn2Own Vancouver hacking competition. The company addressed the security flaw on systems running macOS Monterey and macOS ...
6 months ago Bleepingcomputer.com
Google Chrome Zero-Day Bug Under Attack, Allows Code Injection - Google has patched a high-severity zero-day bug in its Chrome Web browser that attackers are actively exploiting. The vulnerability, assigned as CVE-2024-0519, is the first Chrome zero-day bug that Google has disclosed in 2024, and the second in the ...
10 months ago Darkreading.com
CVE-2024-47717 - In the Linux kernel, the following vulnerability has been resolved: RISC-V: KVM: Don't zero-out PMU snapshot area before freeing data With the latest Linux-6.11-rc3, the below NULL pointer crash is observed when SBI PMU snapshot is enabled for the ...
4 weeks ago Tenable.com
CVE-2024-45005 - In the Linux kernel, the following vulnerability has been resolved: ...
1 month ago
Cisco discloses new IOS XE zero-day exploited to deploy malware implant - Cisco disclosed a new high-severity zero-day today, actively exploited to deploy malicious implants on IOS XE devices compromised using the CVE-2023-20198 zero-day unveiled earlier this week. The company said it found a fix for both vulnerabilities ...
11 months ago Bleepingcomputer.com
Cisco patches IOS XE zero-days used to hack over 50,000 devices - Cisco has addressed the two vulnerabilities that hackers exploited to compromise tens of thousands of IOS XE devices over the past week. The free software release comes after a threat actor leveraged the security issues as zero-days to compromise and ...
11 months ago Bleepingcomputer.com
Apple fixes two new iOS zero-days in emergency updates - Apple released emergency security updates to fix two zero-day vulnerabilities exploited in attacks and impacting iPhone, iPad, and Mac devices, reaching 20 zero-days patched since the start of the year. "Apple is aware of a report that this issue may ...
11 months ago Bleepingcomputer.com
Google fixes first actively exploited Chrome zero-day of 2024 - Google has released security updates to fix the first Chrome zero-day vulnerability exploited in the wild since the start of the year. The company fixed the zero-day for users in the Stable Desktop channel, with patched versions rolling out worldwide ...
10 months ago Bleepingcomputer.com
Pwn2Own Automotive: $1.3M for 49 zero-days, Tesla hacked twice - The first edition of Pwn2Own Automotive has ended with competitors earning $1,323,750 for hacking Tesla twice and demoing 49 zero-day bugs in multiple electric car systems between January 24 and January 26. Throughout the contest organized by Trend ...
9 months ago Bleepingcomputer.com
Google discloses 2 zero-day vulnerabilities in less than a week - Google patched another Chrome zero-day vulnerability on Monday, the second one in the span of four days. In a blog post on Monday, Daniel Yip, technical program manager at Google, disclosed a high-severity out-of-bounds write vulnerability tracked as ...
6 months ago Techtarget.com
CVE-2023-52803 - In the Linux kernel, the following vulnerability has been resolved: SUNRPC: Fix RPC client cleaned up the freed pipefs dentries RPC client pipefs dentries cleanup is in separated rpc_remove_pipedir() workqueue,which takes care about pipefs superblock ...
5 months ago Tenable.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)