What is CVE-2009-3638?

CVE-2009-3638 is a High severity Linux kernel vulnerability with a CVSS score of 7.2 out of 10. CVE-2009-3638 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

What is the CVSS score for CVE-2009-3638?

CVE-2009-3638 has a CVSS score of 7.2 out of 10, rated High severity. The vector string is AV:L/AC:L/Au:N/C:C/I:C/A:C.

Is there a patch available for CVE-2009-3638?

No patch is currently available for CVE-2009-3638. Monitor the NIST NVD and your Linux distribution's security advisories for updates.

Is CVE-2009-3638 actively exploited?

CVE-2009-3638 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

CVE-2009-3638

High

Integer overflow in the kvm_dev_ioctl_get_supported_cpuid function in arch/x86/kvm/x86.c in the KVM subsystem in the Linux kernel before 2.6.31.4 allows local users to have an unspecified impact via a KVM_GET_SUPPORTED_CPUID request to the kvm_arch_dev_ioctl function.

Package Linux Kernel

Published 2009-10-29

Last modified 2026-04-23

CVSS version 2.0

Patch available

Awaiting data

CVSS 2.0 score

7.2

out of 10

High

Attack Vector

Local

Attack Complexity

Low

Privileges Required

User Interaction

Scope

Confidentiality

Low

Integrity

Availability

Vector string

AV:L/AC:L/Au:N/C:C/I:C/A:C

Weakness type

CWE-189

CVE-2009-3638 is classified as CWE-189

See CWE-189 on MITRE CWE for full details on this weakness type.

References

The following references provide additional information about CVE-2009-3638 including vendor advisories, patch commits, exploit details, and third-party analysis. Links are sourced from the NIST NVD database.

Marc
http://marc.info/?l=oss-security&m=125628917011048&w=2

Exploit
Marc
http://marc.info/?l=oss-security&m=125632898507373&w=2

Exploit
Kernel.org
http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.31.4

Vendor Advisory
Kernel.org
http://www.kernel.org/pub/linux/kernel/v2.6/testing/ChangeLog-2.6.32-rc4

Vendor Advisory
Mandriva
http://www.mandriva.com/security/advisories?name=MDVSA-2009:329
Ubuntu Security
http://www.ubuntu.com/usn/usn-864-1
Red Hat
https://bugzilla.redhat.com/show_bug.cgi?id=530515

Exploit
Exchange
https://exchange.xforce.ibmcloud.com/vulnerabilities/53934
Red Hat
https://www.redhat.com/archives/fedora-package-announce/2009-November/msg00190.html
Kernel patch commit
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=6a54435560efdab1a08f429a954df4d6c740bddf
Patch
Kernel patch commit
http://www.securityfocus.com/bid/36803
Patch

Details

CVE ID CVE-2009-3638

Severity High

CVSS score 7.2 / 10

CVSS version 2.0

Published 2009-10-29

Modified 2026-04-23

KEV No

Patch Awaiting data

Package linux

Frequently asked questions

What is CVE-2009-3638?

CVE-2009-3638 is a High severity Linux kernel vulnerability with a CVSS score of 7.2 out of 10 . CVE-2009-3638 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.
What is the CVSS score for CVE-2009-3638?

CVE-2009-3638 has a CVSS score of 7.2 out of 10, rated High severity (CVSS 2.0). The vector string is AV:L/AC:L/Au:N/C:C/I:C/A:C.
Is there a patch available for CVE-2009-3638?

No patch is currently available for CVE-2009-3638. Monitor the NIST NVD and your Linux distribution's security advisories for updates.
Is CVE-2009-3638 actively exploited?

No — CVE-2009-3638 has not been confirmed as actively exploited. It is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.