arch/x86/kvm/mmu.c in the Linux kernel through 4.13.5, when nested
virtualisation is used, does not properly traverse guest pagetable entries
to resolve a guest virtual address, which allows L1 guest OS users to
execute arbitrary code on the host OS or cause a denial of service
(incorrect index during page walking, and host OS crash), aka an "MMU
potential stack buffer overrun."
Fixed in 4.9.57, 4.14