
CVE-2021-46961: Vulnerability in Linux Linux

Medium
Published: Tue Feb 27 2024 (02/27/2024, 18:47:00 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

irqchip/gic-v3: Do not enable irqs when handling spurious interrupts

We triggered the following error while running our 4.19 kernel with the pseudo-NMI patches backported to it:

    [ 14.816231] ------------[ cut here ]------------
    [ 14.816231] kernel BUG at irq.c:99!
    [ 14.816232] Internal error: Oops - BUG: 0 [#1] SMP
    [ 14.816232] Process swapper/0 (pid: 0, stack limit = 0x(____ptrval____))
    [ 14.816233] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G O 4.19.95.aarch64 #14
    [ 14.816233] Hardware name: evb (DT)
    [ 14.816234] pstate: 80400085 (Nzcv daIf +PAN -UAO)
    [ 14.816234] pc : asm_nmi_enter+0x94/0x98
    [ 14.816235] lr : asm_nmi_enter+0x18/0x98
    [ 14.816235] sp : ffff000008003c50
    [ 14.816235] pmr_save: 00000070
    [ 14.816237] x29: ffff000008003c50 x28: ffff0000095f56c0
    [ 14.816238] x27: 0000000000000000 x26: ffff000008004000
    [ 14.816239] x25: 00000000015e0000 x24: ffff8008fb916000
    [ 14.816240] x23: 0000000020400005 x22: ffff0000080817cc
    [ 14.816241] x21: ffff000008003da0 x20: 0000000000000060
    [ 14.816242] x19: 00000000000003ff x18: ffffffffffffffff
    [ 14.816243] x17: 0000000000000008 x16: 003d090000000000
    [ 14.816244] x15: ffff0000095ea6c8 x14: ffff8008fff5ab40
    [ 14.816244] x13: ffff8008fff58b9d x12: 0000000000000000
    [ 14.816245] x11: ffff000008c8a200 x10: 000000008e31fca5
    [ 14.816246] x9 : ffff000008c8a208 x8 : 000000000000000f
    [ 14.816247] x7 : 0000000000000004 x6 : ffff8008fff58b9e
    [ 14.816248] x5 : 0000000000000000 x4 : 0000000080000000
    [ 14.816249] x3 : 0000000000000000 x2 : 0000000080000000
    [ 14.816250] x1 : 0000000000120000 x0 : ffff0000095f56c0
    [ 14.816251] Call trace:
    [ 14.816251]  asm_nmi_enter+0x94/0x98
    [ 14.816251]  el1_irq+0x8c/0x180                      (IRQ C)
    [ 14.816252]  gic_handle_irq+0xbc/0x2e4
    [ 14.816252]  el1_irq+0xcc/0x180                      (IRQ B)
    [ 14.816253]  arch_timer_handler_virt+0x38/0x58
    [ 14.816253]  handle_percpu_devid_irq+0x90/0x240
    [ 14.816253]  generic_handle_irq+0x34/0x50
    [ 14.816254]  __handle_domain_irq+0x68/0xc0
    [ 14.816254]  gic_handle_irq+0xf8/0x2e4
    [ 14.816255]  el1_irq+0xcc/0x180                      (IRQ A)
    [ 14.816255]  arch_cpu_idle+0x34/0x1c8
    [ 14.816255]  default_idle_call+0x24/0x44
    [ 14.816256]  do_idle+0x1d0/0x2c8
    [ 14.816256]  cpu_startup_entry+0x28/0x30
    [ 14.816256]  rest_init+0xb8/0xc8
    [ 14.816257]  start_kernel+0x4c8/0x4f4
    [ 14.816257] Code: 940587f1 d5384100 b9401001 36a7fd01 (d4210000)
    [ 14.816258] Modules linked in: start_dp(O) smeth(O)
    [ 15.103092] ---[ end trace 701753956cb14aa8 ]---
    [ 15.103093] Kernel panic - not syncing: Fatal exception in interrupt
    [ 15.103099] SMP: stopping secondary CPUs
    [ 15.103100] Kernel Offset: disabled
    [ 15.103100] CPU features: 0x36,a2400218
    [ 15.103100] Memory Limit: none

which is caused by a 'BUG_ON(in_nmi())' in nmi_enter().

From the call trace, we can find three interrupts (noted A, B, C above): interrupt (A) is preempted by (B), which is further interrupted by (C). Subsequent investigations show that (B) results in nmi_enter() being called, but that it actually is a spurious interrupt. Furthermore, interrupts are reenabled in the context of (B), and (C) fires with NMI priority. We end up with a nested NMI situation, something we definitely do not want to (and cannot) handle.

The bug here is that spurious interrupts should never result in any state change, and we should just return to the interrupted context. Moving the handling of spurious interrupts as early as possible in the GICv3 handler fixes this issue.

[maz: rewrote commit message, corrected Fixes: tag]

AI-Powered Analysis

Last updated: 06/30/2025, 18:12:13 UTC

Technical Analysis

CVE-2021-46961 is a vulnerability in the Linux kernel specifically affecting the irqchip/gic-v3 interrupt controller driver. The issue arises from improper handling of spurious interrupts in the GICv3 interrupt controller implementation. When a spurious interrupt occurs, the kernel erroneously enables interrupts during the handling of a pseudo-NMI (Non-Maskable Interrupt), leading to nested NMI conditions that the kernel cannot safely handle. This results in a kernel BUG triggered by the 'BUG_ON(in_nmi())' check in the nmi_enter() function, causing a kernel panic and system crash. The problem is rooted in the interrupt preemption sequence where interrupt A is preempted by B, which is further interrupted by C, with B being a spurious interrupt that incorrectly re-enables interrupts and allows C to fire with NMI priority. The fix involves moving the handling of spurious interrupts earlier in the GICv3 interrupt handler to prevent any state changes or nested NMIs. This vulnerability affects Linux kernel versions that include the vulnerable GICv3 driver code, notably impacting ARM64 architectures using the 4.19 kernel with pseudo-NMI patches backported, as demonstrated in the provided kernel panic logs. The CVSS score is 5.5 (medium severity) with an attack vector of local access, requiring low privileges and no user interaction, impacting availability but not confidentiality or integrity. No known exploits are reported in the wild yet.
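The ordering problem described in the commit message and the analysis above, as a constructed user-space model added here (not code from the kernel or from the advisory): the pre-fix handler does its NMI accounting and IRQ unmasking before checking whether the INTID it read back is spurious, so a spurious interrupt returns with state already changed, and a later pseudo-NMI then lands on top of it. The gic_model_* names, the NMI_PRIO value and INTID 30 are assumptions; only the special INTID range 1020-1023 (1023 = nothing pending) comes from the GICv3 architecture.

```c
/* Constructed model of the entry-ordering bug (added example, not kernel code).
 * gic_model_* names are hypothetical; 1020-1023 is the GICv3 special INTID range. */
#include <stdbool.h>

#define SPURIOUS_MIN 1020
#define SPURIOUS_MAX 1023
#define NMI_PRIO     0x20        /* constructed priority treated as pseudo-NMI */

struct cpu_state {
    int  in_nmi;        /* stands in for the kernel's in_nmi() accounting */
    bool irqs_enabled;  /* stands in for IRQs being unmasked by the handler */
    bool nested_nmi;    /* set where the kernel would hit BUG_ON(in_nmi()) */
};

static bool is_spurious(int intid) { return intid >= SPURIOUS_MIN && intid <= SPURIOUS_MAX; }

static void model_nmi_enter(struct cpu_state *s) {
    if (s->in_nmi) s->nested_nmi = true;    /* the BUG_ON in nmi_enter() */
    s->in_nmi++;
}

/* Pre-fix ordering: NMI accounting / IRQ unmasking run before the spurious
 * check, so a spurious INTID returns with the CPU state already changed. */
void gic_model_handle_irq_vulnerable(struct cpu_state *s, int intid, int prio) {
    if (prio == NMI_PRIO) model_nmi_enter(s);
    else s->irqs_enabled = true;            /* the "enable irqs" step */
    if (is_spurious(intid)) return;         /* too late: state already changed */
    /* ... a real INTID would be dispatched here, then the prologue undone: */
    if (prio == NMI_PRIO) s->in_nmi--; else s->irqs_enabled = false;
}

/* Post-fix ordering: spurious INTIDs return before anything is touched. */
void gic_model_handle_irq_fixed(struct cpu_state *s, int intid, int prio) {
    if (is_spurious(intid)) return;
    gic_model_handle_irq_vulnerable(s, intid, prio);   /* same path for real INTIDs */
}

/* Replays interrupts (B) and (C) from the trace: (B) is read back as spurious
 * at NMI priority, then (C) is a real pseudo-NMI. Returns true if the model
 * reaches the nested-NMI condition that panics the kernel. */
bool gic_model_replay_b_then_c(bool fixed) {
    struct cpu_state s = {0, false, false};
    void (*handle)(struct cpu_state *, int, int) =
        fixed ? gic_model_handle_irq_fixed : gic_model_handle_irq_vulnerable;
    handle(&s, 1023, NMI_PRIO);             /* (B): spurious, 1023 = nothing pending */
    handle(&s, 30, NMI_PRIO);               /* (C): real NMI; INTID 30 is constructed */
    return s.nested_nmi;
}
```

The same early-return discipline is what makes the real fix safe: a spurious read must leave in_nmi, IRQ masking and every other piece of entry state exactly as the interrupted context had it.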

Potential Impact

For European organizations, this vulnerability primarily threatens the availability of Linux-based systems running on ARM64 platforms with the affected kernel versions, such as embedded devices, IoT infrastructure, and specialized servers. A kernel panic caused by this bug leads to system crashes and downtime, which can disrupt critical services, especially in industrial control systems, telecommunications, and cloud infrastructure relying on ARM64 Linux servers. Although it does not directly compromise confidentiality or integrity, the denial of service can have cascading effects on business operations, safety-critical environments, and service level agreements. Organizations using custom or older Linux kernels with backported patches are particularly at risk. The impact is more pronounced in sectors where ARM64 Linux is prevalent, including telecom providers deploying ARM-based network equipment and manufacturers of embedded devices used in European industries.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should:

1) Immediately apply the official Linux kernel patches that move spurious interrupt handling earlier in the GICv3 handler, as provided by the Linux kernel maintainers.
2) Upgrade to a fixed kernel version that includes this patch, avoiding reliance on outdated or custom backported kernels.
3) For embedded and IoT devices, coordinate with hardware and software vendors to ensure updated firmware and kernel images are deployed.
4) Implement robust kernel crash monitoring and automated recovery mechanisms to minimize downtime in case of unexpected panics.
5) Restrict local access to systems running vulnerable kernels, as exploitation requires local privileges.
6) Conduct thorough testing of kernel updates in staging environments to ensure stability and compatibility before production rollout.
7) Maintain an inventory of ARM64 Linux systems and verify kernel versions to prioritize patching efforts.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-02-27T18:42:55.942Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d9834c4522896dcbe98fd

Added to database: 5/21/2025, 9:09:08 AM

Last enriched: 6/30/2025, 6:12:13 PM

Last updated: 8/4/2025, 12:53:17 AM
