{"id":48026,"date":"2026-06-14T10:29:54","date_gmt":"2026-06-14T03:29:54","guid":{"rendered":"https:\/\/antoanthongtinhaiphong.gov.vn\/?p=48026"},"modified":"2026-06-18T10:30:28","modified_gmt":"2026-06-18T03:30:28","slug":"lo-hong-cho-phep-thoat-may-ao-va-chiem-quyen-host-tren-linux-bi-cong-bo-ma-poc","status":"publish","type":"post","link":"https:\/\/antoanthongtinhaiphong.gov.vn\/lo-hong-cho-phep-thoat-may-ao-va-chiem-quyen-host-tren-linux-bi-cong-bo-ma-poc\/","title":{"rendered":"L\u1ed7 h\u1ed5ng cho ph\u00e9p tho\u00e1t m\u00e1y \u1ea3o v\u00e0 chi\u1ebfm quy\u1ec1n host tr\u00ean Linux b\u1ecb c\u00f4ng b\u1ed1 m\u00e3 PoC"},"content":{"rendered":"<div><b>M\u1ed9t b\u1eb1ng ch\u1ee9ng khai th\u00e1c (PoC) v\u1eeba \u0111\u01b0\u1ee3c c\u00f4ng b\u1ed1 cho l\u1ed7 h\u1ed5ng CVE-2026-46316 trong Linux kernel \u0111\u00e3 x\u00e1c nh\u1eadn kh\u1ea3 n\u0103ng tho\u00e1t m\u00e1y \u1ea3o sang m\u00e1y ch\u1ee7 tr\u00ean c\u00e1c h\u1ec7 th\u1ed1ng s\u1eed d\u1ee5ng KVM ki\u1ebfn tr\u00fac ARM64. L\u1ed7 h\u1ed5ng cho ph\u00e9p ph\u00e1 v\u1ee1 c\u01a1 ch\u1ebf c\u00f4 l\u1eadp gi\u1eefa m\u00e1y \u1ea3o v\u00e0 host, t\u1eeb \u0111\u00f3 m\u1edf ra nguy c\u01a1 can thi\u1ec7p tr\u1ef1c ti\u1ebfp v\u00e0o nh\u00e2n h\u1ec7 \u0111i\u1ec1u h\u00e0nh c\u1ee7a m\u00e1y ch\u1ee7 v\u1eadt l\u00fd.<\/b><br \/>\n\u200b<\/div>\n<div>\n<div class=\"bbImageWrapper  js-lbImage\" title=\"linux kernel.png\" data-src=\"https:\/\/whitehat.vn\/attachments\/linux-kernel-png.19151\/\" data-lb-sidebar-href=\"\" data-lb-caption-extra-html=\"\" data-single-image=\"1\"><img loading=\"lazy\" decoding=\"async\" class=\"bbImage\" title=\"linux kernel.png\" src=\"https:\/\/whitehat.vn\/attachments\/linux-kernel-png.19151\/\" alt=\"linux kernel.png\" width=\"700\" height=\"390\" data-url=\"\" data-zoom-target=\"1\" \/><\/div>\n<\/div>\n<div>\nCVE-2026-46316 c\u00f2n \u0111\u01b0\u1ee3c bi\u1ebft \u0111\u1ebfn v\u1edbi t\u00ean ITScape, t\u1ed3n t\u1ea1i trong c\u01a1 ch\u1ebf vGIC-ITS (Interrupt Translation Service) c\u1ee7a KVM, th\u00e0nh ph\u1ea7n \u0111\u1ea3m nhi\u1ec7m vi\u1ec7c x\u1eed l\u00fd \u00e1nh x\u1ea1 v\u00e0 ph\u00e2n ph\u1ed1i ng\u1eaft trong m\u00f4i tr\u01b0\u1eddng \u1ea3o h\u00f3a \u1edf c\u1ea5p kernel. V\u1ea5n \u0111\u1ec1 ph\u00e1t sinh t\u1eeb race condition trong qu\u00e1 tr\u00ecnh qu\u1ea3n l\u00fd t\u00e0i nguy\u00ean, d\u1eabn \u0111\u1ebfn l\u1ed7i double-put v\u00e0 g\u00e2y h\u1ecfng c\u1ea5u tr\u00fac b\u1ed9 nh\u1edb trong kh\u00f4ng gian kernel c\u1ee7a h\u1ec7 th\u1ed1ng host.<\/p>\n<p>Khi khai th\u00e1c th\u00e0nh c\u00f4ng, k\u1ebb t\u1ea5n c\u00f4ng t\u1eeb b\u00ean trong m\u00e1y \u1ea3o c\u00f3 th\u1ec3 th\u1ef1c thi m\u00e3 trong ng\u1eef c\u1ea3nh kernel c\u1ee7a m\u00e1y ch\u1ee7 v\u1eadt l\u00fd, \u0111\u1ea1t m\u1ee9c \u0111\u1eb7c quy\u1ec1n cao nh\u1ea5t tr\u00ean h\u1ec7 th\u1ed1ng. Quy\u1ec1n truy c\u1eadp n\u00e0y cho ph\u00e9p can thi\u1ec7p tr\u1ef1c ti\u1ebfp v\u00e0o ho\u1ea1t \u0111\u1ed9ng c\u1ee7a host v\u00e0 t\u1ea1o ti\u1ec1n \u0111\u1ec1 cho c\u00e1c cu\u1ed9c t\u1ea5n c\u00f4ng s\u00e2u h\u01a1n v\u00e0o h\u1ea1 t\u1ea7ng \u1ea3o h\u00f3a. Trong c\u00e1c h\u1ea1 t\u1ea7ng cloud ph\u1ee5c v\u1ee5 nhi\u1ec1u kh\u00e1ch h\u00e0ng, vi\u1ec7c chi\u1ebfm quy\u1ec1n host c\u00f3 th\u1ec3 t\u1ea1o b\u00e0n \u0111\u1ea1p \u0111\u1ec3 m\u1edf r\u1ed9ng ph\u1ea1m vi x\u00e2m nh\u1eadp sang c\u00e1c h\u1ec7 th\u1ed1ng kh\u00e1c c\u00f9ng v\u1eadn h\u00e0nh tr\u00ean m\u1ed9t n\u1ec1n t\u1ea3ng ph\u1ea7n c\u1ee9ng.<\/p>\n<p>PoC \u0111\u01b0\u1ee3c c\u00f4ng b\u1ed1 cho th\u1ea5y ITScape c\u00f3 th\u1ec3 b\u1ecb khai th\u00e1c ho\u00e0n to\u00e0n t\u1eeb b\u00ean trong m\u00e1y \u1ea3o m\u00e0 kh\u00f4ng c\u1ea7n b\u1ea5t k\u1ef3 t\u01b0\u01a1ng t\u00e1c n\u00e0o t\u1eeb ph\u00eda m\u00e1y ch\u1ee7. Trong m\u00f4i tr\u01b0\u1eddng th\u1eed nghi\u1ec7m, m\u00e3 khai th\u00e1c th\u1ef1c hi\u1ec7n m\u1ed9t lo\u1ea1t thao t\u00e1c MMIO \u0111\u01b0\u1ee3c thi\u1ebft k\u1ebf \u0111\u1eb7c bi\u1ec7t nh\u1eb1m t\u00e1c \u0111\u1ed9ng \u0111\u1ebfn c\u01a1 ch\u1ebf x\u1eed l\u00fd ng\u1eaft GIC\/ITS c\u1ee7a KVM, t\u1eeb \u0111\u00f3 k\u00edch ho\u1ea1t l\u1ed7i trong th\u00e0nh ph\u1ea7n vGIC-ITS. Chu\u1ed7i khai th\u00e1c sau \u0111\u00f3 d\u1eabn \u0111\u1ebfn th\u1ef1c thi m\u00e3 tr\u00ean h\u1ec7 th\u1ed1ng host v\u00e0 \u0111\u01b0\u1ee3c x\u00e1c nh\u1eadn b\u1eb1ng vi\u1ec7c t\u1ea1o th\u00e0nh c\u00f4ng m\u1ed9t t\u1ec7p tin thu\u1ed9c quy\u1ec1n s\u1edf h\u1eefu c\u1ee7a t\u00e0i kho\u1ea3n root tr\u00ean m\u00e1y ch\u1ee7.<br \/>\n\u200b<\/p><\/div>\n<div>\n<div class=\"bbImageWrapper  js-lbImage\" title=\"demo.gif\" data-src=\"https:\/\/whitehat.vn\/attachments\/demo-gif.19150\/\" data-lb-sidebar-href=\"\" data-lb-caption-extra-html=\"\" data-single-image=\"1\" data-fancybox=\"lb-thread-19655\" data-caption=\"&lt;h4&gt;demo.gif&lt;\/h4&gt;&lt;p&gt;&lt;a href=&quot;https:&amp;#x2F;&amp;#x2F;whitehat.vn&amp;#x2F;threads&amp;#x2F;lo-hong-cho-phep-thoat-may-ao-va-chiem-quyen-host-tren-linux-bi-cong-bo-ma-poc.19655&amp;#x2F;#post-45222&quot; class=&quot;js-lightboxCloser&quot;&gt;WhiteHat Team \u00b7 12&amp;#x2F;06&amp;#x2F;2026 l\u00fac 3:19 PM&lt;\/a&gt;&lt;\/p&gt;\"><img loading=\"lazy\" decoding=\"async\" class=\"bbImage\" title=\"demo.gif\" src=\"https:\/\/whitehat.vn\/attachments\/demo-gif.19150\/\" alt=\"demo.gif\" width=\"1280\" height=\"720\" data-url=\"\" data-zoom-target=\"1\" \/><\/div>\n<\/div>\n<div>\nTheo nh\u00e0 nghi\u00ean c\u1ee9u Hyunwoo Kim (V4bel), PoC hi\u1ec7n t\u1ea1i ch\u01b0a \u0111\u01b0\u1ee3c v\u0169 kh\u00ed h\u00f3a ho\u00e0n ch\u1ec9nh nh\u01b0ng c\u00f3 th\u1ec3 \u0111\u01b0\u1ee3c \u0111i\u1ec1u ch\u1ec9nh \u0111\u1ec3 ph\u00f9 h\u1ee3p v\u1edbi c\u00e1c m\u00f4i tr\u01b0\u1eddng cloud th\u1ef1c t\u1ebf th\u00f4ng qua vi\u1ec7c tinh ch\u1ec9nh tham s\u1ed1 b\u1ed9 nh\u1edb, \u0111i\u1ec1u ki\u1ec7n th\u1eddi gian v\u00e0 c\u1ea5u tr\u00fac kernel. \u0110i\u1ec1u n\u00e0y khi\u1ebfn kh\u1ea3 n\u0103ng khai th\u00e1c trong th\u1ef1c t\u1ebf tr\u1edf n\u00ean kh\u1ea3 thi h\u01a1n, \u0111\u1eb7c bi\u1ec7t trong c\u00e1c h\u1ea1 t\u1ea7ng \u0111i\u1ec7n to\u00e1n \u0111\u00e1m m\u00e2y ARM64 \u0111a ng\u01b0\u1eddi d\u00f9ng.<\/p>\n<p>Ph\u1ea1m vi \u1ea3nh h\u01b0\u1edfng c\u1ee7a CVE-2026-46316 tr\u1ea3i r\u1ed9ng t\u1eeb c\u00e1c phi\u00ean b\u1ea3n Linux kernel \u0111\u01b0\u1ee3c t\u00edch h\u1ee3p commit t\u1eeb th\u00e1ng 4\/2024 cho \u0111\u1ebfn tr\u01b0\u1edbc b\u1ea3n v\u00e1 \u0111\u01b0\u1ee3c ph\u00e1t h\u00e0nh v\u00e0o \u0111\u1ea7u th\u00e1ng 6\/2026. C\u00e1c h\u1ec7 th\u1ed1ng s\u1eed d\u1ee5ng KVM tr\u00ean ARM64 v\u00e0 v\u1eadn h\u00e0nh workload kh\u00f4ng tin c\u1eady \u0111\u01b0\u1ee3c \u0111\u00e1nh gi\u00e1 l\u00e0 nh\u00f3m ch\u1ecbu r\u1ee7i ro cao nh\u1ea5t. \u0110\u00e1ng ch\u00fa \u00fd, CVE-2026-46316 kh\u00f4ng \u1ea3nh h\u01b0\u1edfng \u0111\u1ebfn ki\u1ebfn tr\u00fac x86, do ch\u1ec9 t\u1ed3n t\u1ea1i trong th\u00e0nh ph\u1ea7n \u1ea3o h\u00f3a KVM d\u00e0nh ri\u00eang cho ARM64 trong Linux kernel.<\/p>\n<p>C\u1ed9ng \u0111\u1ed3ng ph\u00e1t tri\u1ec3n Linux kernel \u0111\u00e3 ph\u00e1t h\u00e0nh b\u1ea3n v\u00e1 cho CVE-2026-46316 t\u1ea1i commit 13031fb6b835. \u0110\u1ed1i v\u1edbi c\u00e1c h\u1ec7 th\u1ed1ng KVM ARM64, vi\u1ec7c r\u00e0 so\u00e1t phi\u00ean b\u1ea3n kernel \u0111ang s\u1eed d\u1ee5ng v\u00e0 \u01b0u ti\u00ean tri\u1ec3n khai b\u1ea3n v\u00e1 c\u1ea7n \u0111\u01b0\u1ee3c th\u1ef1c hi\u1ec7n s\u1edbm nh\u1eb1m lo\u1ea1i b\u1ecf nguy c\u01a1 b\u1ecb khai th\u00e1c. B\u00ean c\u1ea1nh \u0111\u00f3, c\u00e1c \u0111\u01a1n v\u1ecb v\u1eadn h\u00e0nh n\u00ean t\u0103ng c\u01b0\u1eddng gi\u00e1m s\u00e1t ho\u1ea1t \u0111\u1ed9ng c\u1ee7a m\u00e1y \u1ea3o v\u00e0 h\u1ea1n ch\u1ebf tri\u1ec3n khai workload kh\u00f4ng \u0111\u00e1ng tin c\u1eady tr\u00ean c\u00f9ng h\u1ea1 t\u1ea7ng v\u1eadt l\u00fd cho \u0111\u1ebfn khi qu\u00e1 tr\u00ecnh c\u1eadp nh\u1eadt ho\u00e0n t\u1ea5t.<\/p>\n<p>Vi\u1ec7c c\u00f4ng b\u1ed1 PoC \u0111\u00e3 mang \u0111\u1ebfn b\u1eb1ng ch\u1ee9ng r\u00f5 r\u00e0ng r\u1eb1ng CVE-2026-46316 kh\u00f4ng ch\u1ec9 l\u00e0 m\u1ed9t l\u1ed7i k\u1ef9 thu\u1eadt trong KVM. V\u1edbi kh\u1ea3 n\u0103ng v\u01b0\u1ee3t kh\u1ecfi m\u00e1y \u1ea3o v\u00e0 can thi\u1ec7p tr\u1ef1c ti\u1ebfp v\u00e0o host, l\u1ed7 h\u1ed5ng n\u00e0y \u0111ang tr\u1edf th\u00e0nh m\u1ed9t trong nh\u1eefng r\u1ee7i ro \u0111\u00e1ng ch\u00fa \u00fd nh\u1ea5t \u0111\u1ed1i v\u1edbi c\u00e1c h\u1ec7 th\u1ed1ng ARM64 s\u1eed d\u1ee5ng KVM hi\u1ec7n nay.<\/p><\/div>\n","protected":false},"excerpt":{"rendered":"<p>M\u1ed9t b\u1eb1ng ch\u1ee9ng khai th\u00e1c (PoC) v\u1eeba \u0111\u01b0\u1ee3c c\u00f4ng b\u1ed1 cho l\u1ed7 h\u1ed5ng CVE-2026-46316 trong Linux kernel \u0111\u00e3 x\u00e1c nh\u1eadn kh\u1ea3 n\u0103ng tho\u00e1t m\u00e1y \u1ea3o sang m\u00e1y ch\u1ee7 tr\u00ean c\u00e1c h\u1ec7 th\u1ed1ng s\u1eed d\u1ee5ng KVM ki\u1ebfn tr\u00fac ARM64. L\u1ed7 h\u1ed5ng cho ph\u00e9p ph\u00e1 v\u1ee1 c\u01a1 ch\u1ebf c\u00f4 l\u1eadp gi\u1eefa m\u00e1y \u1ea3o v\u00e0 host, t\u1eeb \u0111\u00f3 [&hellip;]<\/p>\n","protected":false},"author":20,"featured_media":48027,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"tdm_status":"","tdm_grid_status":"","footnotes":""},"categories":[3,24,35],"tags":[],"class_list":["post-48026","post","type-post","status-publish","format-standard","has-post-thumbnail","category-canh-bao-khuyen-nghi","category-tin-noi-bat","category-tin-tuc-su-kien"],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/antoanthongtinhaiphong.gov.vn\/wp-json\/wp\/v2\/posts\/48026","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/antoanthongtinhaiphong.gov.vn\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/antoanthongtinhaiphong.gov.vn\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/antoanthongtinhaiphong.gov.vn\/wp-json\/wp\/v2\/users\/20"}],"replies":[{"embeddable":true,"href":"https:\/\/antoanthongtinhaiphong.gov.vn\/wp-json\/wp\/v2\/comments?post=48026"}],"version-history":[{"count":1,"href":"https:\/\/antoanthongtinhaiphong.gov.vn\/wp-json\/wp\/v2\/posts\/48026\/revisions"}],"predecessor-version":[{"id":48028,"href":"https:\/\/antoanthongtinhaiphong.gov.vn\/wp-json\/wp\/v2\/posts\/48026\/revisions\/48028"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/antoanthongtinhaiphong.gov.vn\/wp-json\/wp\/v2\/media\/48027"}],"wp:attachment":[{"href":"https:\/\/antoanthongtinhaiphong.gov.vn\/wp-json\/wp\/v2\/media?parent=48026"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/antoanthongtinhaiphong.gov.vn\/wp-json\/wp\/v2\/categories?post=48026"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/antoanthongtinhaiphong.gov.vn\/wp-json\/wp\/v2\/tags?post=48026"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}