CVE-2021-46997: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: arm64: entry: always set GIC_PRIO_PSR_I_SET during entry Zenghui reports that booting a kernel with "irqchip.gicv3_pseudo_nmi=1" on the command line hits a warning during kernel entry, due to the way we manipulate the PMR. Early in the entry sequence, we call lockdep_hardirqs_off() to inform lockdep that interrupts have been masked (as the HW sets DAIF wqhen entering an exception). Architecturally PMR_EL1 is not affected by exception entry, and we don't set GIC_PRIO_PSR_I_SET in the PMR early in the exception entry sequence, so early in exception entry the PMR can indicate that interrupts are unmasked even though they are masked by DAIF. If DEBUG_LOCKDEP is selected, lockdep_hardirqs_off() will check that interrupts are masked, before we set GIC_PRIO_PSR_I_SET in any of the exception entry paths, and hence lockdep_hardirqs_off() will WARN() that something is amiss. We can avoid this by consistently setting GIC_PRIO_PSR_I_SET during exception entry so that kernel code sees a consistent environment. We must also update local_daif_inherit() to undo this, as currently only touches DAIF. For other paths, local_daif_restore() will update both DAIF and the PMR. With this done, we can remove the existing special cases which set this later in the entry code. We always use (GIC_PRIO_IRQON | GIC_PRIO_PSR_I_SET) for consistency with local_daif_save(), as this will warn if it ever encounters (GIC_PRIO_IRQOFF | GIC_PRIO_PSR_I_SET), and never sets this itself. This matches the gic_prio_kentry_setup that we have to retain for ret_to_user. The original splat from Zenghui's report was: | DEBUG_LOCKS_WARN_ON(!irqs_disabled()) | WARNING: CPU: 3 PID: 125 at kernel/locking/lockdep.c:4258 lockdep_hardirqs_off+0xd4/0xe8 | Modules linked in: | CPU: 3 PID: 125 Comm: modprobe Tainted: G W 5.12.0-rc8+ #463 | Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015 | pstate: 604003c5 (nZCv DAIF +PAN -UAO -TCO BTYPE=--) | pc : lockdep_hardirqs_off+0xd4/0xe8 | lr : lockdep_hardirqs_off+0xd4/0xe8 | sp : ffff80002a39bad0 | pmr_save: 000000e0 | x29: ffff80002a39bad0 x28: ffff0000de214bc0 | x27: ffff0000de1c0400 x26: 000000000049b328 | x25: 0000000000406f30 x24: ffff0000de1c00a0 | x23: 0000000020400005 x22: ffff8000105f747c | x21: 0000000096000044 x20: 0000000000498ef9 | x19: ffff80002a39bc88 x18: ffffffffffffffff | x17: 0000000000000000 x16: ffff800011c61eb0 | x15: ffff800011700a88 x14: 0720072007200720 | x13: 0720072007200720 x12: 0720072007200720 | x11: 0720072007200720 x10: 0720072007200720 | x9 : ffff80002a39bad0 x8 : ffff80002a39bad0 | x7 : ffff8000119f0800 x6 : c0000000ffff7fff | x5 : ffff8000119f07a8 x4 : 0000000000000001 | x3 : 9bcdab23f2432800 x2 : ffff800011730538 | x1 : 9bcdab23f2432800 x0 : 0000000000000000 | Call trace: | lockdep_hardirqs_off+0xd4/0xe8 | enter_from_kernel_mode.isra.5+0x7c/0xa8 | el1_abort+0x24/0x100 | el1_sync_handler+0x80/0xd0 | el1_sync+0x6c/0x100 | __arch_clear_user+0xc/0x90 | load_elf_binary+0x9fc/0x1450 | bprm_execve+0x404/0x880 | kernel_execve+0x180/0x188 | call_usermodehelper_exec_async+0xdc/0x158 | ret_from_fork+0x10/0x18
AI Analysis
Technical Summary
CVE-2021-46997 is a vulnerability identified in the Linux kernel specifically affecting the ARM64 architecture's interrupt handling during kernel entry. The issue arises from inconsistent handling of the Priority Mask Register (PMR_EL1) and the Generic Interrupt Controller (GIC) priority bits during exception entry sequences when the kernel is booted with the "irqchip.gicv3_pseudo_nmi=1" parameter. The vulnerability manifests as a warning triggered by the kernel's lock dependency checker (lockdep) due to a mismatch between the hardware interrupt masking state and the software's internal representation of interrupt priority. Specifically, early in the exception entry, interrupts are masked by the hardware via the DAIF register, but the PMR does not reflect this masking because the GIC_PRIO_PSR_I_SET bit is not set consistently. This discrepancy causes lockdep_hardirqs_off() to issue warnings, indicating a potential inconsistency in interrupt state tracking. The root cause is that the PMR_EL1 is not updated early enough to reflect the masked interrupt state, leading to a window where kernel code might observe interrupts as unmasked when they are actually masked by hardware. The fix involves always setting the GIC_PRIO_PSR_I_SET bit during exception entry to ensure consistent interrupt masking state visibility within the kernel, and updating local_daif_inherit() to correctly handle this bit alongside DAIF. This correction removes the need for special cases in the entry code and aligns the software's interrupt state tracking with hardware behavior. While the vulnerability primarily causes warnings and inconsistencies in kernel debugging and lock dependency checks, it highlights a subtle race condition in interrupt state management that could potentially lead to incorrect assumptions about interrupt masking during critical kernel operations. No known exploits are reported in the wild, and the vulnerability is more about correctness and stability in kernel interrupt handling rather than a direct exploit vector for privilege escalation or denial of service.
Potential Impact
For European organizations, the impact of CVE-2021-46997 is primarily related to system stability and reliability on ARM64-based Linux systems, which are increasingly used in embedded devices, servers, and cloud infrastructure. Although this vulnerability does not directly enable remote code execution or privilege escalation, the inconsistent interrupt masking state could lead to subtle kernel bugs or race conditions that might affect system behavior under specific workloads or debugging scenarios. Organizations relying on ARM64 Linux kernels, especially those using custom kernel builds or running with the irqchip.gicv3_pseudo_nmi=1 parameter, may experience kernel warnings or instability, potentially complicating system diagnostics and maintenance. This could impact critical infrastructure, telecommunications equipment, or cloud services that utilize ARM64 servers. The lack of known exploits reduces immediate risk, but the vulnerability underscores the importance of kernel correctness for maintaining secure and stable operations. European entities with ARM64 deployments in sectors such as telecommunications, automotive, industrial control, and cloud computing should be aware of this issue to avoid potential operational disruptions.
Mitigation Recommendations
Mitigation involves updating the Linux kernel to a version where this vulnerability is patched, ensuring that the GIC_PRIO_PSR_I_SET bit is consistently set during exception entry sequences. Organizations should: 1) Apply the latest stable Linux kernel updates from trusted vendors or distributions that include the fix for CVE-2021-46997. 2) Review kernel boot parameters and avoid using irqchip.gicv3_pseudo_nmi=1 unless necessary, as this parameter is directly related to the vulnerability trigger. 3) For custom kernel builds or embedded systems, incorporate the patch that sets GIC_PRIO_PSR_I_SET early in exception entry and updates local_daif_inherit() accordingly. 4) Monitor kernel logs for lockdep warnings related to hardirqs_off(), which may indicate the presence of this issue. 5) Conduct thorough testing of ARM64 Linux systems after patching to confirm stability and absence of interrupt-related warnings. 6) Engage with hardware and software vendors to ensure ARM64 platforms receive timely kernel updates. These steps go beyond generic advice by focusing on kernel parameter management, patch application, and proactive monitoring specific to this vulnerability's nature.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Norway, Denmark
CVE-2021-46997: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: arm64: entry: always set GIC_PRIO_PSR_I_SET during entry Zenghui reports that booting a kernel with "irqchip.gicv3_pseudo_nmi=1" on the command line hits a warning during kernel entry, due to the way we manipulate the PMR. Early in the entry sequence, we call lockdep_hardirqs_off() to inform lockdep that interrupts have been masked (as the HW sets DAIF wqhen entering an exception). Architecturally PMR_EL1 is not affected by exception entry, and we don't set GIC_PRIO_PSR_I_SET in the PMR early in the exception entry sequence, so early in exception entry the PMR can indicate that interrupts are unmasked even though they are masked by DAIF. If DEBUG_LOCKDEP is selected, lockdep_hardirqs_off() will check that interrupts are masked, before we set GIC_PRIO_PSR_I_SET in any of the exception entry paths, and hence lockdep_hardirqs_off() will WARN() that something is amiss. We can avoid this by consistently setting GIC_PRIO_PSR_I_SET during exception entry so that kernel code sees a consistent environment. We must also update local_daif_inherit() to undo this, as currently only touches DAIF. For other paths, local_daif_restore() will update both DAIF and the PMR. With this done, we can remove the existing special cases which set this later in the entry code. We always use (GIC_PRIO_IRQON | GIC_PRIO_PSR_I_SET) for consistency with local_daif_save(), as this will warn if it ever encounters (GIC_PRIO_IRQOFF | GIC_PRIO_PSR_I_SET), and never sets this itself. This matches the gic_prio_kentry_setup that we have to retain for ret_to_user. The original splat from Zenghui's report was: | DEBUG_LOCKS_WARN_ON(!irqs_disabled()) | WARNING: CPU: 3 PID: 125 at kernel/locking/lockdep.c:4258 lockdep_hardirqs_off+0xd4/0xe8 | Modules linked in: | CPU: 3 PID: 125 Comm: modprobe Tainted: G W 5.12.0-rc8+ #463 | Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015 | pstate: 604003c5 (nZCv DAIF +PAN -UAO -TCO BTYPE=--) | pc : lockdep_hardirqs_off+0xd4/0xe8 | lr : lockdep_hardirqs_off+0xd4/0xe8 | sp : ffff80002a39bad0 | pmr_save: 000000e0 | x29: ffff80002a39bad0 x28: ffff0000de214bc0 | x27: ffff0000de1c0400 x26: 000000000049b328 | x25: 0000000000406f30 x24: ffff0000de1c00a0 | x23: 0000000020400005 x22: ffff8000105f747c | x21: 0000000096000044 x20: 0000000000498ef9 | x19: ffff80002a39bc88 x18: ffffffffffffffff | x17: 0000000000000000 x16: ffff800011c61eb0 | x15: ffff800011700a88 x14: 0720072007200720 | x13: 0720072007200720 x12: 0720072007200720 | x11: 0720072007200720 x10: 0720072007200720 | x9 : ffff80002a39bad0 x8 : ffff80002a39bad0 | x7 : ffff8000119f0800 x6 : c0000000ffff7fff | x5 : ffff8000119f07a8 x4 : 0000000000000001 | x3 : 9bcdab23f2432800 x2 : ffff800011730538 | x1 : 9bcdab23f2432800 x0 : 0000000000000000 | Call trace: | lockdep_hardirqs_off+0xd4/0xe8 | enter_from_kernel_mode.isra.5+0x7c/0xa8 | el1_abort+0x24/0x100 | el1_sync_handler+0x80/0xd0 | el1_sync+0x6c/0x100 | __arch_clear_user+0xc/0x90 | load_elf_binary+0x9fc/0x1450 | bprm_execve+0x404/0x880 | kernel_execve+0x180/0x188 | call_usermodehelper_exec_async+0xdc/0x158 | ret_from_fork+0x10/0x18
AI-Powered Analysis
Technical Analysis
CVE-2021-46997 is a vulnerability identified in the Linux kernel specifically affecting the ARM64 architecture's interrupt handling during kernel entry. The issue arises from inconsistent handling of the Priority Mask Register (PMR_EL1) and the Generic Interrupt Controller (GIC) priority bits during exception entry sequences when the kernel is booted with the "irqchip.gicv3_pseudo_nmi=1" parameter. The vulnerability manifests as a warning triggered by the kernel's lock dependency checker (lockdep) due to a mismatch between the hardware interrupt masking state and the software's internal representation of interrupt priority. Specifically, early in the exception entry, interrupts are masked by the hardware via the DAIF register, but the PMR does not reflect this masking because the GIC_PRIO_PSR_I_SET bit is not set consistently. This discrepancy causes lockdep_hardirqs_off() to issue warnings, indicating a potential inconsistency in interrupt state tracking. The root cause is that the PMR_EL1 is not updated early enough to reflect the masked interrupt state, leading to a window where kernel code might observe interrupts as unmasked when they are actually masked by hardware. The fix involves always setting the GIC_PRIO_PSR_I_SET bit during exception entry to ensure consistent interrupt masking state visibility within the kernel, and updating local_daif_inherit() to correctly handle this bit alongside DAIF. This correction removes the need for special cases in the entry code and aligns the software's interrupt state tracking with hardware behavior. While the vulnerability primarily causes warnings and inconsistencies in kernel debugging and lock dependency checks, it highlights a subtle race condition in interrupt state management that could potentially lead to incorrect assumptions about interrupt masking during critical kernel operations. No known exploits are reported in the wild, and the vulnerability is more about correctness and stability in kernel interrupt handling rather than a direct exploit vector for privilege escalation or denial of service.
Potential Impact
For European organizations, the impact of CVE-2021-46997 is primarily related to system stability and reliability on ARM64-based Linux systems, which are increasingly used in embedded devices, servers, and cloud infrastructure. Although this vulnerability does not directly enable remote code execution or privilege escalation, the inconsistent interrupt masking state could lead to subtle kernel bugs or race conditions that might affect system behavior under specific workloads or debugging scenarios. Organizations relying on ARM64 Linux kernels, especially those using custom kernel builds or running with the irqchip.gicv3_pseudo_nmi=1 parameter, may experience kernel warnings or instability, potentially complicating system diagnostics and maintenance. This could impact critical infrastructure, telecommunications equipment, or cloud services that utilize ARM64 servers. The lack of known exploits reduces immediate risk, but the vulnerability underscores the importance of kernel correctness for maintaining secure and stable operations. European entities with ARM64 deployments in sectors such as telecommunications, automotive, industrial control, and cloud computing should be aware of this issue to avoid potential operational disruptions.
Mitigation Recommendations
Mitigation involves updating the Linux kernel to a version where this vulnerability is patched, ensuring that the GIC_PRIO_PSR_I_SET bit is consistently set during exception entry sequences. Organizations should: 1) Apply the latest stable Linux kernel updates from trusted vendors or distributions that include the fix for CVE-2021-46997. 2) Review kernel boot parameters and avoid using irqchip.gicv3_pseudo_nmi=1 unless necessary, as this parameter is directly related to the vulnerability trigger. 3) For custom kernel builds or embedded systems, incorporate the patch that sets GIC_PRIO_PSR_I_SET early in exception entry and updates local_daif_inherit() accordingly. 4) Monitor kernel logs for lockdep warnings related to hardirqs_off(), which may indicate the presence of this issue. 5) Conduct thorough testing of ARM64 Linux systems after patching to confirm stability and absence of interrupt-related warnings. 6) Engage with hardware and software vendors to ensure ARM64 platforms receive timely kernel updates. These steps go beyond generic advice by focusing on kernel parameter management, patch application, and proactive monitoring specific to this vulnerability's nature.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2024-02-27T18:42:55.950Z
- Cisa Enriched
- true
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 682d9834c4522896dcbe9a0e
Added to database: 5/21/2025, 9:09:08 AM
Last enriched: 6/30/2025, 6:57:26 PM
Last updated: 7/26/2025, 8:33:58 AM
Views: 8
Related Threats
CVE-2025-8081: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in elemntor Elementor Website Builder – More Than Just a Page Builder
MediumCVE-2025-6253: CWE-862 Missing Authorization in uicore UiCore Elements – Free Elementor widgets and templates
HighCVE-2025-3892: CWE-250: Execution with Unnecessary Privileges in Axis Communications AB AXIS OS
MediumCVE-2025-30027: CWE-1287: Improper Validation of Specified Type of Input in Axis Communications AB AXIS OS
MediumCVE-2025-7622: CWE-918: Server-Side Request Forgery (SSRF) in Axis Communications AB AXIS Camera Station Pro
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.