CVE-2021-29657
KVM nested_svm_vmrun Double Fetch
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits: 2
Exploited in Wild: -
Decision
Description
arch/x86/kvm/svm/nested.c in the Linux kernel before 5.11.12 has a use-after-free in which an AMD KVM guest can bypass access control on host OS MSRs when there are nested guests, aka CID-a58d9166a756. This occurs because of a TOCTOU race condition associated with a VMCB12 double fetch in nested_svm_vmrun.
CVSS Scores
SSVC
- Decision: -
Timeline
- 2021-03-31 CVE Reserved
- 2021-05-12 CVE Published
- 2024-08-03 CVE Updated
- 2024-08-03 First Exploit
- 2024-12-17 EPSS Updated
- (no date) Exploited in Wild
- (no date) KEV Due Date
CWE
- CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition
- CWE-416: Use After Free
CAPEC
References (5)

URL | Tag | Source
---|---|---
http://packetstormsecurity.com/files/163324/KVM-nested_svm_vmrun-Double-Fetch.html | Third Party Advisory |
https://security.netapp.com/advisory/ntap-20210902-0008 | Third Party Advisory |

URL | Date | SRC
---|---|---
https://bugs.chromium.org/p/project-zero/issues/detail?id=2177 | 2024-08-03 |
https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.11.12 | 2024-08-03 |
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a58d9166a756a0f4a6618e4f593232593d6df134 | 2023-05-19 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
---|---|---|---|---
Linux | Linux Kernel | >= 5.10 < 5.10.28 | - | Affected
Linux | Linux Kernel | >= 5.11 < 5.11.12 | - | Affected