Published: 29 March 2012
The KVM implementation in the Linux kernel before 3.3.6 allows local users on the host to cause a denial of service (NULL pointer dereference and host OS crash) by issuing a KVM_CREATE_IRQCHIP ioctl on a VM after a virtual CPU has already been created for that VM.
From the Ubuntu security team
A flaw was found in the Linux kernel's KVM (Kernel Virtual Machine) virtual CPU setup. An unprivileged local user could exploit this flaw to crash the system, leading to a denial of service.
The sha1 below is from the KVM tree, though it is likely to be the right one when it hits upstream. Patch title is: KVM: Ensure all vcpus are consistent with in-kernel irqchip settings

Now arrived in Linus' tree as the sha1 below.