CVE-2021-47094: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: KVM: x86/mmu: Don't advance iterator after restart due to yielding After dropping mmu_lock in the TDP MMU, restart the iterator during tdp_iter_next() and do not advance the iterator. Advancing the iterator results in skipping the top-level SPTE and all its children, which is fatal if any of the skipped SPTEs were not visited before yielding. When zapping all SPTEs, i.e. when min_level == root_level, restarting the iter and then invoking tdp_iter_next() is always fatal if the current gfn has as a valid SPTE, as advancing the iterator results in try_step_side() skipping the current gfn, which wasn't visited before yielding. Sprinkle WARNs on iter->yielded being true in various helpers that are often used in conjunction with yielding, and tag the helper with __must_check to reduce the probabily of improper usage. Failing to zap a top-level SPTE manifests in one of two ways. If a valid SPTE is skipped by both kvm_tdp_mmu_zap_all() and kvm_tdp_mmu_put_root(), the shadow page will be leaked and KVM will WARN accordingly. WARNING: CPU: 1 PID: 3509 at arch/x86/kvm/mmu/tdp_mmu.c:46 [kvm] RIP: 0010:kvm_mmu_uninit_tdp_mmu+0x3e/0x50 [kvm] Call Trace: <TASK> kvm_arch_destroy_vm+0x130/0x1b0 [kvm] kvm_destroy_vm+0x162/0x2a0 [kvm] kvm_vcpu_release+0x34/0x60 [kvm] __fput+0x82/0x240 task_work_run+0x5c/0x90 do_exit+0x364/0xa10 ? futex_unqueue+0x38/0x60 do_group_exit+0x33/0xa0 get_signal+0x155/0x850 arch_do_signal_or_restart+0xed/0x750 exit_to_user_mode_prepare+0xc5/0x120 syscall_exit_to_user_mode+0x1d/0x40 do_syscall_64+0x48/0xc0 entry_SYSCALL_64_after_hwframe+0x44/0xae If kvm_tdp_mmu_zap_all() skips a gfn/SPTE but that SPTE is then zapped by kvm_tdp_mmu_put_root(), KVM triggers a use-after-free in the form of marking a struct page as dirty/accessed after it has been put back on the free list. This directly triggers a WARN due to encountering a page with page_count() == 0, but it can also lead to data corruption and additional errors in the kernel. WARNING: CPU: 7 PID: 1995658 at arch/x86/kvm/../../../virt/kvm/kvm_main.c:171 RIP: 0010:kvm_is_zone_device_pfn.part.0+0x9e/0xd0 [kvm] Call Trace: <TASK> kvm_set_pfn_dirty+0x120/0x1d0 [kvm] __handle_changed_spte+0x92e/0xca0 [kvm] __handle_changed_spte+0x63c/0xca0 [kvm] __handle_changed_spte+0x63c/0xca0 [kvm] __handle_changed_spte+0x63c/0xca0 [kvm] zap_gfn_range+0x549/0x620 [kvm] kvm_tdp_mmu_put_root+0x1b6/0x270 [kvm] mmu_free_root_page+0x219/0x2c0 [kvm] kvm_mmu_free_roots+0x1b4/0x4e0 [kvm] kvm_mmu_unload+0x1c/0xa0 [kvm] kvm_arch_destroy_vm+0x1f2/0x5c0 [kvm] kvm_put_kvm+0x3b1/0x8b0 [kvm] kvm_vcpu_release+0x4e/0x70 [kvm] __fput+0x1f7/0x8c0 task_work_run+0xf8/0x1a0 do_exit+0x97b/0x2230 do_group_exit+0xda/0x2a0 get_signal+0x3be/0x1e50 arch_do_signal_or_restart+0x244/0x17f0 exit_to_user_mode_prepare+0xcb/0x120 syscall_exit_to_user_mode+0x1d/0x40 do_syscall_64+0x4d/0x90 entry_SYSCALL_64_after_hwframe+0x44/0xae Note, the underlying bug existed even before commit 1af4a96025b3 ("KVM: x86/mmu: Yield in TDU MMU iter even if no SPTES changed") moved calls to tdp_mmu_iter_cond_resched() to the beginning of loops, as KVM could still incorrectly advance past a top-level entry when yielding on a lower-level entry. But with respect to leaking shadow pages, the bug was introduced by yielding before processing the current gfn. Alternatively, tdp_mmu_iter_cond_resched() could simply fall through, or callers could jump to their "retry" label. The downside of that approach is that tdp_mmu_iter_cond_resched() _must_ be called before anything else in the loop, and there's no easy way to enfornce that requirement. Ideally, KVM would handling the cond_resched() fully within the iterator macro (the code is actually quite clean) and avoid this entire class of bugs, but that is extremely difficult do wh ---truncated---
AI Analysis
Technical Summary
CVE-2021-47094 is a vulnerability in the Linux kernel's KVM (Kernel-based Virtual Machine) subsystem, specifically within the x86 architecture's memory management unit (MMU) handling code. The flaw arises from improper iterator advancement in the TDP (Two-Dimensional Paging) MMU iterator during shadow page table entry (SPTE) management. When the iterator is incorrectly advanced after a restart due to yielding, it causes the skipping of top-level SPTEs and their children. This skipping is critical because it leads to unprocessed SPTEs that should have been zapped (invalidated). The failure to zap these SPTEs results in either shadow page leaks or use-after-free conditions. The leaked shadow pages cause warnings and potential resource exhaustion, while the use-after-free can lead to marking freed pages as dirty or accessed, triggering kernel warnings and potentially causing data corruption or kernel instability. The vulnerability is triggered during VM destruction or MMU teardown, where the iterator logic incorrectly handles yielding and rescheduling, leading to these unsafe states. The issue was introduced by changes that moved calls to tdp_mmu_iter_cond_resched() but did not fully address iterator advancement logic. The vulnerability requires local privileges (PR:L) and no user interaction (UI:N), with low attack complexity (AC:L). It impacts confidentiality and availability, as it can cause data corruption and kernel crashes, but does not directly affect integrity. The CVSS score is 7.1 (high severity). No known exploits are reported in the wild yet. The vulnerability affects Linux kernel versions containing the specified commit hashes prior to the fix.
Potential Impact
For European organizations, this vulnerability poses a significant risk to environments running Linux-based virtualization infrastructure using KVM, which is common in cloud providers, data centers, and enterprise virtualization setups. Exploitation could lead to denial of service through kernel crashes or data corruption affecting virtual machines, potentially disrupting critical services and workloads. Confidentiality impact arises from potential memory leaks or unintended information exposure due to improper SPTE handling. Organizations relying on KVM for multi-tenant virtualization could face stability issues, impacting service availability and reliability. Given the local privilege requirement, attackers would need some level of access to the host or guest environment, which elevates the importance of internal threat monitoring and access controls. The vulnerability could also complicate incident response and forensic analysis due to kernel warnings and instability. Overall, the threat could affect cloud service providers, hosting companies, and enterprises with Linux virtualization infrastructure across Europe, potentially impacting sectors like finance, telecommunications, and government services where uptime and data integrity are critical.
Mitigation Recommendations
1. Apply the official Linux kernel patches that address CVE-2021-47094 as soon as possible. Monitor vendor advisories for backported fixes in enterprise Linux distributions such as Red Hat, SUSE, and Ubuntu. 2. For environments where immediate patching is not feasible, consider temporarily disabling KVM or limiting access to KVM-enabled hosts to trusted administrators only to reduce the attack surface. 3. Implement strict local access controls and monitoring to detect any unusual activity or attempts to exploit kernel vulnerabilities. 4. Use kernel hardening features such as Kernel Address Space Layout Randomization (KASLR) and Kernel Page Table Isolation (KPTI) to reduce exploitation likelihood. 5. Regularly audit and restrict privileged user accounts and container/VM escape vectors to prevent local privilege escalation. 6. Employ comprehensive logging and alerting on kernel warnings related to KVM and MMU operations to detect early signs of exploitation or instability. 7. Test patches in staging environments to ensure stability before production deployment, as kernel updates can impact system behavior. 8. Coordinate with cloud providers or virtualization platform vendors to confirm patch status and mitigation strategies if using managed services.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain
CVE-2021-47094: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: KVM: x86/mmu: Don't advance iterator after restart due to yielding After dropping mmu_lock in the TDP MMU, restart the iterator during tdp_iter_next() and do not advance the iterator. Advancing the iterator results in skipping the top-level SPTE and all its children, which is fatal if any of the skipped SPTEs were not visited before yielding. When zapping all SPTEs, i.e. when min_level == root_level, restarting the iter and then invoking tdp_iter_next() is always fatal if the current gfn has as a valid SPTE, as advancing the iterator results in try_step_side() skipping the current gfn, which wasn't visited before yielding. Sprinkle WARNs on iter->yielded being true in various helpers that are often used in conjunction with yielding, and tag the helper with __must_check to reduce the probabily of improper usage. Failing to zap a top-level SPTE manifests in one of two ways. If a valid SPTE is skipped by both kvm_tdp_mmu_zap_all() and kvm_tdp_mmu_put_root(), the shadow page will be leaked and KVM will WARN accordingly. WARNING: CPU: 1 PID: 3509 at arch/x86/kvm/mmu/tdp_mmu.c:46 [kvm] RIP: 0010:kvm_mmu_uninit_tdp_mmu+0x3e/0x50 [kvm] Call Trace: <TASK> kvm_arch_destroy_vm+0x130/0x1b0 [kvm] kvm_destroy_vm+0x162/0x2a0 [kvm] kvm_vcpu_release+0x34/0x60 [kvm] __fput+0x82/0x240 task_work_run+0x5c/0x90 do_exit+0x364/0xa10 ? futex_unqueue+0x38/0x60 do_group_exit+0x33/0xa0 get_signal+0x155/0x850 arch_do_signal_or_restart+0xed/0x750 exit_to_user_mode_prepare+0xc5/0x120 syscall_exit_to_user_mode+0x1d/0x40 do_syscall_64+0x48/0xc0 entry_SYSCALL_64_after_hwframe+0x44/0xae If kvm_tdp_mmu_zap_all() skips a gfn/SPTE but that SPTE is then zapped by kvm_tdp_mmu_put_root(), KVM triggers a use-after-free in the form of marking a struct page as dirty/accessed after it has been put back on the free list. This directly triggers a WARN due to encountering a page with page_count() == 0, but it can also lead to data corruption and additional errors in the kernel. WARNING: CPU: 7 PID: 1995658 at arch/x86/kvm/../../../virt/kvm/kvm_main.c:171 RIP: 0010:kvm_is_zone_device_pfn.part.0+0x9e/0xd0 [kvm] Call Trace: <TASK> kvm_set_pfn_dirty+0x120/0x1d0 [kvm] __handle_changed_spte+0x92e/0xca0 [kvm] __handle_changed_spte+0x63c/0xca0 [kvm] __handle_changed_spte+0x63c/0xca0 [kvm] __handle_changed_spte+0x63c/0xca0 [kvm] zap_gfn_range+0x549/0x620 [kvm] kvm_tdp_mmu_put_root+0x1b6/0x270 [kvm] mmu_free_root_page+0x219/0x2c0 [kvm] kvm_mmu_free_roots+0x1b4/0x4e0 [kvm] kvm_mmu_unload+0x1c/0xa0 [kvm] kvm_arch_destroy_vm+0x1f2/0x5c0 [kvm] kvm_put_kvm+0x3b1/0x8b0 [kvm] kvm_vcpu_release+0x4e/0x70 [kvm] __fput+0x1f7/0x8c0 task_work_run+0xf8/0x1a0 do_exit+0x97b/0x2230 do_group_exit+0xda/0x2a0 get_signal+0x3be/0x1e50 arch_do_signal_or_restart+0x244/0x17f0 exit_to_user_mode_prepare+0xcb/0x120 syscall_exit_to_user_mode+0x1d/0x40 do_syscall_64+0x4d/0x90 entry_SYSCALL_64_after_hwframe+0x44/0xae Note, the underlying bug existed even before commit 1af4a96025b3 ("KVM: x86/mmu: Yield in TDU MMU iter even if no SPTES changed") moved calls to tdp_mmu_iter_cond_resched() to the beginning of loops, as KVM could still incorrectly advance past a top-level entry when yielding on a lower-level entry. But with respect to leaking shadow pages, the bug was introduced by yielding before processing the current gfn. Alternatively, tdp_mmu_iter_cond_resched() could simply fall through, or callers could jump to their "retry" label. The downside of that approach is that tdp_mmu_iter_cond_resched() _must_ be called before anything else in the loop, and there's no easy way to enfornce that requirement. Ideally, KVM would handling the cond_resched() fully within the iterator macro (the code is actually quite clean) and avoid this entire class of bugs, but that is extremely difficult do wh ---truncated---
AI-Powered Analysis
Technical Analysis
CVE-2021-47094 is a vulnerability in the Linux kernel's KVM (Kernel-based Virtual Machine) subsystem, specifically within the x86 architecture's memory management unit (MMU) handling code. The flaw arises from improper iterator advancement in the TDP (Two-Dimensional Paging) MMU iterator during shadow page table entry (SPTE) management. When the iterator is incorrectly advanced after a restart due to yielding, it causes the skipping of top-level SPTEs and their children. This skipping is critical because it leads to unprocessed SPTEs that should have been zapped (invalidated). The failure to zap these SPTEs results in either shadow page leaks or use-after-free conditions. The leaked shadow pages cause warnings and potential resource exhaustion, while the use-after-free can lead to marking freed pages as dirty or accessed, triggering kernel warnings and potentially causing data corruption or kernel instability. The vulnerability is triggered during VM destruction or MMU teardown, where the iterator logic incorrectly handles yielding and rescheduling, leading to these unsafe states. The issue was introduced by changes that moved calls to tdp_mmu_iter_cond_resched() but did not fully address iterator advancement logic. The vulnerability requires local privileges (PR:L) and no user interaction (UI:N), with low attack complexity (AC:L). It impacts confidentiality and availability, as it can cause data corruption and kernel crashes, but does not directly affect integrity. The CVSS score is 7.1 (high severity). No known exploits are reported in the wild yet. The vulnerability affects Linux kernel versions containing the specified commit hashes prior to the fix.
Potential Impact
For European organizations, this vulnerability poses a significant risk to environments running Linux-based virtualization infrastructure using KVM, which is common in cloud providers, data centers, and enterprise virtualization setups. Exploitation could lead to denial of service through kernel crashes or data corruption affecting virtual machines, potentially disrupting critical services and workloads. Confidentiality impact arises from potential memory leaks or unintended information exposure due to improper SPTE handling. Organizations relying on KVM for multi-tenant virtualization could face stability issues, impacting service availability and reliability. Given the local privilege requirement, attackers would need some level of access to the host or guest environment, which elevates the importance of internal threat monitoring and access controls. The vulnerability could also complicate incident response and forensic analysis due to kernel warnings and instability. Overall, the threat could affect cloud service providers, hosting companies, and enterprises with Linux virtualization infrastructure across Europe, potentially impacting sectors like finance, telecommunications, and government services where uptime and data integrity are critical.
Mitigation Recommendations
1. Apply the official Linux kernel patches that address CVE-2021-47094 as soon as possible. Monitor vendor advisories for backported fixes in enterprise Linux distributions such as Red Hat, SUSE, and Ubuntu. 2. For environments where immediate patching is not feasible, consider temporarily disabling KVM or limiting access to KVM-enabled hosts to trusted administrators only to reduce the attack surface. 3. Implement strict local access controls and monitoring to detect any unusual activity or attempts to exploit kernel vulnerabilities. 4. Use kernel hardening features such as Kernel Address Space Layout Randomization (KASLR) and Kernel Page Table Isolation (KPTI) to reduce exploitation likelihood. 5. Regularly audit and restrict privileged user accounts and container/VM escape vectors to prevent local privilege escalation. 6. Employ comprehensive logging and alerting on kernel warnings related to KVM and MMU operations to detect early signs of exploitation or instability. 7. Test patches in staging environments to ensure stability before production deployment, as kernel updates can impact system behavior. 8. Coordinate with cloud providers or virtualization platform vendors to confirm patch status and mitigation strategies if using managed services.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2024-02-29T22:33:44.300Z
- Cisa Enriched
- true
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 682d9834c4522896dcbe9cd4
Added to database: 5/21/2025, 9:09:08 AM
Last enriched: 7/3/2025, 5:56:25 AM
Last updated: 8/1/2025, 7:34:35 AM
Views: 16
Related Threats
CVE-2025-9052: SQL Injection in projectworlds Travel Management System
MediumPlex warns users to patch security vulnerability immediately
HighCVE-2025-9019: Heap-based Buffer Overflow in tcpreplay
LowCVE-2025-9017: Cross Site Scripting in PHPGurukul Zoo Management System
MediumCVE-2025-9051: SQL Injection in projectworlds Travel Management System
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.