CVE-2021-47092: Vulnerability in the Linux kernel (KVM/VMX nested virtualization)
Description
In the Linux kernel, the following vulnerability has been resolved:

KVM: VMX: Always clear vmx->fail on emulation_required

Revert a relatively recent change that set vmx->fail if the vCPU is in L2 and emulation_required is true, as that behavior is completely bogus. Setting vmx->fail and synthesizing a VM-Exit is contradictory and wrong:

(a) it's impossible to have both a VM-Fail and VM-Exit
(b) vmcs.EXIT_REASON is not modified on VM-Fail
(c) emulation_required refers to guest state and guest state checks are always VM-Exits, not VM-Fails.

For KVM specifically, emulation_required is handled before nested exits in __vmx_handle_exit(), thus setting vmx->fail has no immediate effect, i.e. KVM calls into handle_invalid_guest_state() and vmx->fail is ignored. Setting vmx->fail can ultimately result in a WARN in nested_vmx_vmexit() firing when tearing down the VM as KVM never expects vmx->fail to be set when L2 is active, KVM always reflects those errors into L1.

------------[ cut here ]------------
WARNING: CPU: 0 PID: 21158 at arch/x86/kvm/vmx/nested.c:4548 nested_vmx_vmexit+0x16bd/0x17e0 arch/x86/kvm/vmx/nested.c:4547
Modules linked in:
CPU: 0 PID: 21158 Comm: syz-executor.1 Not tainted 5.16.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:nested_vmx_vmexit+0x16bd/0x17e0 arch/x86/kvm/vmx/nested.c:4547
Code: <0f> 0b e9 2e f8 ff ff e8 57 b3 5d 00 0f 0b e9 00 f1 ff ff 89 e9 80
Call Trace:
 vmx_leave_nested arch/x86/kvm/vmx/nested.c:6220 [inline]
 nested_vmx_free_vcpu+0x83/0xc0 arch/x86/kvm/vmx/nested.c:330
 vmx_free_vcpu+0x11f/0x2a0 arch/x86/kvm/vmx/vmx.c:6799
 kvm_arch_vcpu_destroy+0x6b/0x240 arch/x86/kvm/x86.c:10989
 kvm_vcpu_destroy+0x29/0x90 arch/x86/kvm/../../../virt/kvm/kvm_main.c:441
 kvm_free_vcpus arch/x86/kvm/x86.c:11426 [inline]
 kvm_arch_destroy_vm+0x3ef/0x6b0 arch/x86/kvm/x86.c:11545
 kvm_destroy_vm arch/x86/kvm/../../../virt/kvm/kvm_main.c:1189 [inline]
 kvm_put_kvm+0x751/0xe40 arch/x86/kvm/../../../virt/kvm/kvm_main.c:1220
 kvm_vcpu_release+0x53/0x60 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3489
 __fput+0x3fc/0x870 fs/file_table.c:280
 task_work_run+0x146/0x1c0 kernel/task_work.c:164
 exit_task_work include/linux/task_work.h:32 [inline]
 do_exit+0x705/0x24f0 kernel/exit.c:832
 do_group_exit+0x168/0x2d0 kernel/exit.c:929
 get_signal+0x1740/0x2120 kernel/signal.c:2852
 arch_do_signal_or_restart+0x9c/0x730 arch/x86/kernel/signal.c:868
 handle_signal_work kernel/entry/common.c:148 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:172 [inline]
 exit_to_user_mode_prepare+0x191/0x220 kernel/entry/common.c:207
 __syscall_exit_to_user_mode_work kernel/entry/common.c:289 [inline]
 syscall_exit_to_user_mode+0x2e/0x70 kernel/entry/common.c:300
 do_syscall_64+0x53/0xd0 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x44/0xae
AI Analysis
Technical Summary
CVE-2021-47092 is a bug in the Linux kernel's KVM hypervisor, in the Intel VMX back end, that affects nested virtualization: a guest (L2) running under an L1 hypervisor that is itself a KVM guest. It concerns how KVM treats the vmx->fail flag when a vCPU is in L2 and emulation_required is set, i.e. when the guest's architectural state is one the CPU cannot enter natively, so KVM must emulate instructions until the state becomes valid again. A recent change had set vmx->fail in that situation. As the fix commit explains, that is incoherent: vmx->fail means the VM-entry instruction itself failed (a VM-Fail), whereas emulation_required is a guest-state condition that the architecture always reports as a VM-Exit. A VM-Fail and a VM-Exit cannot both occur, and the VMCS exit reason is not written on a VM-Fail. Because __vmx_handle_exit() handles emulation_required before it considers nested exits, the stray flag has no immediate effect: KVM proceeds to handle_invalid_guest_state() and ignores vmx->fail. The flag stays set, however, and when the vCPU is torn down (vmx_leave_nested() via nested_vmx_free_vcpu(), as in the trace) nested_vmx_vmexit() hits a WARN, because KVM never expects vmx->fail to be set while L2 is active; such failures are always reflected into L1. The fix reverts the change so that vmx->fail is always cleared when emulation_required is true, restoring the VM-Exit semantics. On its own a kernel WARN is a log entry with a stack dump, not a crash; it becomes a host panic only where panic_on_warn is enabled, which is the case on syzkaller kernels such as the one in the trace and on some hardened builds, but not on most distribution kernels. The trace shows the reproducer as a host-side process (syz-executor) exiting with an open vCPU file descriptor, so the condition is reached through the KVM vCPU API from a process that can open /dev/kvm. Nothing in the report indicates memory corruption, code execution or privilege escalation; the realistic outcome is a denial of service on nested-virtualization hosts that run with panic_on_warn set, and noisy logs elsewhere.
Potential Impact
For European organizations the exposure is confined to Linux hosts with Intel VT-x that expose nested virtualization to their guests (kvm_intel loaded with nested enabled): cloud and hosting platforms that let tenants run their own hypervisors, virtualized data centres, CI/CD runners that start VMs inside VMs, and sandboxing designs that stack hypervisors for isolation. The trigger is not ordinary nested-VM churn but L2 guest state that KVM has to emulate, which a VMM process on the host can set up through the vCPU state ioctls; the syzkaller reproducer in the trace did exactly that. What happens next depends on host configuration. With panic_on_warn=0, the default on most distribution kernels, the result is a kernel WARNING with a stack dump in the log and the vCPU teardown continues. With panic_on_warn=1 the host panics and every VM on it goes down. The bug therefore matters most on multi-tenant hosts where a tenant controls a VMM process (for example a container or job with access to /dev/kvm) and the host runs a hardened kernel with panic_on_warn. The report gives no indication of code execution or privilege escalation. Hosts that do not enable nested virtualization, or that have applied the fix, are not affected.
Mitigation Recommendations
To mitigate CVE-2021-47092, European organizations should:
1) Apply a kernel that carries the fix "KVM: VMX: Always clear vmx->fail on emulation_required" (mainline 5.16 and the stable backports; check your distribution's advisory for this CVE ID for the exact package version). This is the only complete remedy.
2) Inventory virtualization hosts. Intel hosts with kvm_intel loaded and /sys/module/kvm_intel/parameters/nested reporting Y are in scope; AMD hosts (kvm_amd) and hosts with nested set to N are not, because a vCPU can only be in L2 when nested VMX is enabled.
3) Where nested virtualization is not needed, disable it with the module parameter kvm_intel.nested=0 (in /etc/modprobe.d followed by a module reload, or on the kernel command line). This removes the precondition entirely.
4) Decide deliberately about panic_on_warn. With it set, this WARN takes the whole host down; with it clear, the WARN is a log entry. Hardened hosts that keep panic_on_warn=1 should treat patching as urgent.
5) Restrict who can open /dev/kvm (the kvm group, udev rules, container device allow-lists): the condition is reached through the vCPU ioctls from a process that has the device open.
6) Monitor kernel logs for "WARNING: ... at arch/x86/kvm/vmx/nested.c" with nested_vmx_vmexit on the same line and vmx_leave_nested / nested_vmx_free_vcpu in the call trace. Throttling VM creation and destruction is not an effective control, since normal lifecycle operations on valid guest state do not reach the condition.
7) If nested virtualization is consumed from a cloud provider, confirm with the provider that the underlying hypervisor kernel is patched.
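The host-side checks above can be scripted. The following is an added example written for this page, not code from the kernel or from the advisory's author. It assumes a POSIX shell on the host, the real kernel interfaces /sys/module/kvm_intel/parameters/nested and /proc/sys/kernel/panic_on_warn, and a constructed kernel-log sample in place of dmesg output; the WARNING line and call-trace frames in that sample are copied from the trace quoted in the description.

```shell
#!/bin/sh
# Added example for this advisory (not kernel code, not the advisory's own).
# Audits one Linux/KVM host for the preconditions of CVE-2021-47092 and scans
# kernel log text for the WARN signature quoted in the fix commit.
# The sysfs/procfs paths are real; the log sample below is constructed.

# Nested virtualization state of the Intel KVM module.
# Prints "enabled", "disabled", or "absent" (module not loaded, or an AMD host).
kvm_intel_nested_state() {
    p=/sys/module/kvm_intel/parameters/nested
    if [ ! -r "$p" ]; then
        echo absent
        return 0
    fi
    case "$(cat "$p")" in
        Y|y|1) echo enabled ;;
        *)     echo disabled ;;
    esac
}

# Whether a kernel WARN escalates to a panic. Most distribution kernels ship 0;
# syzkaller kernels such as the one in the trace run with 1. Prints the value
# or "unknown" when the file is not readable.
panic_on_warn_state() {
    p=/proc/sys/kernel/panic_on_warn
    if [ -r "$p" ]; then cat "$p"; else echo unknown; fi
}

# Count lines on stdin matching the signature from the fix commit:
#   WARNING: CPU: N PID: M at arch/x86/kvm/vmx/nested.c:LINE nested_vmx_vmexit+...
# The source line number is not anchored because it differs between builds.
count_nested_vmexit_warns() {
    grep -c 'WARNING: .* at arch/x86/kvm/vmx/nested\.c:[0-9]* nested_vmx_vmexit' || true
}

# Print the teardown frames if present: vmx_leave_nested and nested_vmx_free_vcpu
# together distinguish this WARN from other WARNs in nested.c.
teardown_frames() {
    grep -E 'vmx_leave_nested|nested_vmx_free_vcpu' || true
}

# Classify a host from the nested state and the number of signature hits.
verdict() {
    nested=$1
    hits=$2
    if [ "$nested" != enabled ]; then echo out-of-scope
    elif [ "$hits" -gt 0 ]; then echo signature-seen
    else echo in-scope
    fi
}

# Constructed sample log (not a real capture): one benign KVM line, then the
# WARNING line and two call-trace frames from the advisory's trace.
sample_log() {
    printf '%s\n' \
        '[   10.123456] kvm: Nested Virtualization enabled' \
        '[  512.000001] ------------[ cut here ]------------' \
        '[  512.000002] WARNING: CPU: 0 PID: 21158 at arch/x86/kvm/vmx/nested.c:4548 nested_vmx_vmexit+0x16bd/0x17e0 arch/x86/kvm/vmx/nested.c:4547' \
        '[  512.000003] Call Trace:' \
        '[  512.000004]  vmx_leave_nested arch/x86/kvm/vmx/nested.c:6220 [inline]' \
        '[  512.000005]  nested_vmx_free_vcpu+0x83/0xc0 arch/x86/kvm/vmx/nested.c:330'
}

# Read log text from stdin and print one report.
run_audit() {
    log=$(cat)
    nested=$(kvm_intel_nested_state)
    hits=$(printf '%s\n' "$log" | count_nested_vmexit_warns)
    echo "kvm_intel nested:   $nested"
    echo "panic_on_warn:      $(panic_on_warn_state)"
    echo "nested.c WARN hits: $hits"
    printf '%s\n' "$log" | teardown_frames
    echo "verdict:            $(verdict "$nested" "$hits")"
}

# Stand-alone run on the constructed sample.
sample_log | run_audit
```

On a real host replace the last line with `dmesg | run_audit` (or `journalctl -k | run_audit`). A verdict of in-scope means nested virtualization is on and the host needs the fix or nested=0; signature-seen means the WARN has already fired at least once, which is worth correlating with the VMM process that owned the vCPU at the time.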
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Ireland, Poland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-02-29T22:33:44.300Z
- Cisa Enriched: true
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9834c4522896dcbe9cca
Added to database: 5/21/2025, 9:09:08 AM
Last enriched: 6/30/2025, 9:25:32 PM
Last updated: 8/13/2025, 6:37:36 PM