> LPE: On distributions such as RHEL, /dev/kvm is world-writable (0666), so an unprivileged user can also use this vulnerability as a reliable LPE to gain root.
Why on Linux device files are accessible by untrusted applications?
Not all device files, only /dev/kvm. I assume the logic was "with /dev/kvm access the user can ...allocate memory and execute code, which they already can, so why not allow it?". Could also make rootless isolation easier
???
That's been the case forever: /dev/null, /dev/zero, /dev/stdin, ...
Very many "devices" aren't at all device-like.