Candidate: CVE-2009-3290
Description:
 "So far unprivileged guest callers running in ring 3 can issue, e.g., MMU
 hypercalls. Normally, such callers cannot provide any hand-crafted MMU
 command structure as it has to be passed by its physical address, but they
 can still crash the guest kernel by passing random addresses.

 To close the hole, this patch considers hypercalls valid only if issued from
 guest ring 0. This may still be relaxed on a per-hypercall base in the
 future once required."

 This was introduced in v2.6.25-rc1, and fixed in 2.6.31
 jmm> The oss-security posting is wrong, this was fixed in 2.6.31-1
References:
 http://www.openwall.com/lists/oss-security/2009/09/18/1
 http://patchwork.kernel.org/patch/38926/
 https://bugzilla.redhat.com/show_bug.cgi?id=524124
Ubuntu-Description:
Notes:
 Brad Spengler has already developed working exploit code for this, so this
 is high-urgency
Bugs:
upstream: released (2.6.32-rc1) [07708c4af1346ab1521b26a202f438366b7bcffd]
linux-2.6: released (2.6.31-1)
2.6.18-etch-security: N/A "introduced in 2.6.25"
2.6.24-etch-security: N/A "introduced in 2.6.25"
2.6.26-lenny-security: released (2.6.26-19lenny1) [bugfix/x86/kvm-disallow-hypercalls-for-guest-callers-in-rings-gt-0.patch]