CVE-2021-47230: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: KVM: x86: Immediately reset the MMU context when the SMM flag is cleared Immediately reset the MMU context when the vCPU's SMM flag is cleared so that the SMM flag in the MMU role is always synchronized with the vCPU's flag. If RSM fails (which isn't correctly emulated), KVM will bail without calling post_leave_smm() and leave the MMU in a bad state. The bad MMU role can lead to a NULL pointer dereference when grabbing a shadow page's rmap for a page fault as the initial lookups for the gfn will happen with the vCPU's SMM flag (=0), whereas the rmap lookup will use the shadow page's SMM flag, which comes from the MMU (=1). SMM has an entirely different set of memslots, and so the initial lookup can find a memslot (SMM=0) and then explode on the rmap memslot lookup (SMM=1). general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] CPU: 1 PID: 8410 Comm: syz-executor382 Not tainted 5.13.0-rc5-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:__gfn_to_rmap arch/x86/kvm/mmu/mmu.c:935 [inline] RIP: 0010:gfn_to_rmap+0x2b0/0x4d0 arch/x86/kvm/mmu/mmu.c:947 Code: <42> 80 3c 20 00 74 08 4c 89 ff e8 f1 79 a9 00 4c 89 fb 4d 8b 37 44 RSP: 0018:ffffc90000ffef98 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffff888015b9f414 RCX: ffff888019669c40 RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000001 RBP: 0000000000000001 R08: ffffffff811d9cdb R09: ffffed10065a6002 R10: ffffed10065a6002 R11: 0000000000000000 R12: dffffc0000000000 R13: 0000000000000003 R14: 0000000000000001 R15: 0000000000000000 FS: 000000000124b300(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 0000000028e31000 CR4: 00000000001526e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: rmap_add arch/x86/kvm/mmu/mmu.c:965 [inline] mmu_set_spte+0x862/0xe60 arch/x86/kvm/mmu/mmu.c:2604 __direct_map arch/x86/kvm/mmu/mmu.c:2862 [inline] direct_page_fault+0x1f74/0x2b70 arch/x86/kvm/mmu/mmu.c:3769 kvm_mmu_do_page_fault arch/x86/kvm/mmu.h:124 [inline] kvm_mmu_page_fault+0x199/0x1440 arch/x86/kvm/mmu/mmu.c:5065 vmx_handle_exit+0x26/0x160 arch/x86/kvm/vmx/vmx.c:6122 vcpu_enter_guest+0x3bdd/0x9630 arch/x86/kvm/x86.c:9428 vcpu_run+0x416/0xc20 arch/x86/kvm/x86.c:9494 kvm_arch_vcpu_ioctl_run+0x4e8/0xa40 arch/x86/kvm/x86.c:9722 kvm_vcpu_ioctl+0x70f/0xbb0 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3460 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:1069 [inline] __se_sys_ioctl+0xfb/0x170 fs/ioctl.c:1055 do_syscall_64+0x3f/0xb0 arch/x86/entry/common.c:47 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x440ce9
AI Analysis
Technical Summary
CVE-2021-47230 is a vulnerability in the Linux kernel's KVM (Kernel-based Virtual Machine) subsystem specifically affecting x86 virtualization. The issue arises from improper handling of the System Management Mode (SMM) flag synchronization between the virtual CPU (vCPU) and the Memory Management Unit (MMU) context. When the SMM flag is cleared on the vCPU, the MMU context is supposed to be immediately reset to keep the MMU role synchronized with the vCPU's state. However, if the Resume from System Management Mode (RSM) instruction fails — a scenario not correctly emulated by KVM — the kernel bypasses the post_leave_smm() call, leaving the MMU in an inconsistent state. This desynchronization causes a NULL pointer dereference during shadow page reverse mapping (rmap) lookups triggered by page faults. Specifically, the initial guest frame number (gfn) lookup uses the vCPU's SMM flag (cleared), while the rmap lookup uses the MMU's stale SMM flag (set), leading to mismatched memory slot references. Since SMM memory slots differ from normal ones, this mismatch results in a NULL pointer dereference and a general protection fault, causing a kernel crash or denial of service. The vulnerability is identified as CWE-476 (NULL Pointer Dereference) and has a CVSS v3.1 score of 6.6 (medium severity), with an attack vector of local access, requiring low privileges and user interaction. Exploitation requires the ability to run code on the host or guest VM to trigger the faulty MMU state. While no known exploits are reported in the wild, the flaw can cause system instability or crashes in virtualized environments using KVM on affected Linux kernel versions. The vulnerability affects Linux kernel versions prior to the patch that synchronizes the MMU context immediately upon clearing the SMM flag, preventing the inconsistent MMU state.
Potential Impact
For European organizations, the impact of CVE-2021-47230 is primarily on infrastructures relying on Linux KVM virtualization, which is widely used in cloud services, data centers, and enterprise virtualization platforms. A successful exploitation can lead to denial of service via kernel crashes, impacting availability of virtual machines and hosted services. This can disrupt business operations, especially for providers of critical services or cloud infrastructure. Although the vulnerability does not directly expose confidentiality or integrity breaches, the induced instability can be leveraged as part of a broader attack chain or cause operational downtime. Organizations running multi-tenant environments or public cloud services with KVM-based virtualization are at higher risk. The requirement for local access and user interaction limits remote exploitation but insider threats or compromised guest VMs could trigger the issue. Given the widespread adoption of Linux and KVM in European IT environments, the vulnerability poses a tangible risk to service continuity and reliability.
Mitigation Recommendations
European organizations should prioritize applying the official Linux kernel patches that address this vulnerability by ensuring the MMU context is reset immediately when the SMM flag is cleared. Specific mitigation steps include: 1) Updating Linux kernels to versions containing the fix for CVE-2021-47230, typically available in recent stable kernel releases or vendor-provided security updates. 2) For environments using custom or long-term support kernels, backport the patch or upgrade to a supported kernel version. 3) Implement strict access controls to limit local user privileges on hosts running KVM to reduce the risk of exploitation. 4) Monitor virtualization hosts for unusual kernel crashes or general protection faults indicative of this issue. 5) Employ runtime security tools capable of detecting kernel NULL pointer dereferences or anomalous MMU behavior. 6) In multi-tenant or cloud environments, isolate guest VMs and restrict guest-to-host interactions to minimize the potential for triggering the vulnerability. 7) Conduct regular vulnerability scanning and compliance checks to ensure all virtualization hosts are patched promptly. These measures go beyond generic advice by focusing on kernel patching, access restriction, and monitoring tailored to the virtualization context.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Ireland, Italy, Spain, Poland
CVE-2021-47230: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: KVM: x86: Immediately reset the MMU context when the SMM flag is cleared Immediately reset the MMU context when the vCPU's SMM flag is cleared so that the SMM flag in the MMU role is always synchronized with the vCPU's flag. If RSM fails (which isn't correctly emulated), KVM will bail without calling post_leave_smm() and leave the MMU in a bad state. The bad MMU role can lead to a NULL pointer dereference when grabbing a shadow page's rmap for a page fault as the initial lookups for the gfn will happen with the vCPU's SMM flag (=0), whereas the rmap lookup will use the shadow page's SMM flag, which comes from the MMU (=1). SMM has an entirely different set of memslots, and so the initial lookup can find a memslot (SMM=0) and then explode on the rmap memslot lookup (SMM=1). general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] CPU: 1 PID: 8410 Comm: syz-executor382 Not tainted 5.13.0-rc5-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:__gfn_to_rmap arch/x86/kvm/mmu/mmu.c:935 [inline] RIP: 0010:gfn_to_rmap+0x2b0/0x4d0 arch/x86/kvm/mmu/mmu.c:947 Code: <42> 80 3c 20 00 74 08 4c 89 ff e8 f1 79 a9 00 4c 89 fb 4d 8b 37 44 RSP: 0018:ffffc90000ffef98 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffff888015b9f414 RCX: ffff888019669c40 RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000001 RBP: 0000000000000001 R08: ffffffff811d9cdb R09: ffffed10065a6002 R10: ffffed10065a6002 R11: 0000000000000000 R12: dffffc0000000000 R13: 0000000000000003 R14: 0000000000000001 R15: 0000000000000000 FS: 000000000124b300(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 0000000028e31000 CR4: 00000000001526e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: rmap_add arch/x86/kvm/mmu/mmu.c:965 [inline] mmu_set_spte+0x862/0xe60 arch/x86/kvm/mmu/mmu.c:2604 __direct_map arch/x86/kvm/mmu/mmu.c:2862 [inline] direct_page_fault+0x1f74/0x2b70 arch/x86/kvm/mmu/mmu.c:3769 kvm_mmu_do_page_fault arch/x86/kvm/mmu.h:124 [inline] kvm_mmu_page_fault+0x199/0x1440 arch/x86/kvm/mmu/mmu.c:5065 vmx_handle_exit+0x26/0x160 arch/x86/kvm/vmx/vmx.c:6122 vcpu_enter_guest+0x3bdd/0x9630 arch/x86/kvm/x86.c:9428 vcpu_run+0x416/0xc20 arch/x86/kvm/x86.c:9494 kvm_arch_vcpu_ioctl_run+0x4e8/0xa40 arch/x86/kvm/x86.c:9722 kvm_vcpu_ioctl+0x70f/0xbb0 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3460 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:1069 [inline] __se_sys_ioctl+0xfb/0x170 fs/ioctl.c:1055 do_syscall_64+0x3f/0xb0 arch/x86/entry/common.c:47 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x440ce9
AI-Powered Analysis
Technical Analysis
CVE-2021-47230 is a vulnerability in the Linux kernel's KVM (Kernel-based Virtual Machine) subsystem specifically affecting x86 virtualization. The issue arises from improper handling of the System Management Mode (SMM) flag synchronization between the virtual CPU (vCPU) and the Memory Management Unit (MMU) context. When the SMM flag is cleared on the vCPU, the MMU context is supposed to be immediately reset to keep the MMU role synchronized with the vCPU's state. However, if the Resume from System Management Mode (RSM) instruction fails — a scenario not correctly emulated by KVM — the kernel bypasses the post_leave_smm() call, leaving the MMU in an inconsistent state. This desynchronization causes a NULL pointer dereference during shadow page reverse mapping (rmap) lookups triggered by page faults. Specifically, the initial guest frame number (gfn) lookup uses the vCPU's SMM flag (cleared), while the rmap lookup uses the MMU's stale SMM flag (set), leading to mismatched memory slot references. Since SMM memory slots differ from normal ones, this mismatch results in a NULL pointer dereference and a general protection fault, causing a kernel crash or denial of service. The vulnerability is identified as CWE-476 (NULL Pointer Dereference) and has a CVSS v3.1 score of 6.6 (medium severity), with an attack vector of local access, requiring low privileges and user interaction. Exploitation requires the ability to run code on the host or guest VM to trigger the faulty MMU state. While no known exploits are reported in the wild, the flaw can cause system instability or crashes in virtualized environments using KVM on affected Linux kernel versions. The vulnerability affects Linux kernel versions prior to the patch that synchronizes the MMU context immediately upon clearing the SMM flag, preventing the inconsistent MMU state.
Potential Impact
For European organizations, the impact of CVE-2021-47230 is primarily on infrastructures relying on Linux KVM virtualization, which is widely used in cloud services, data centers, and enterprise virtualization platforms. A successful exploitation can lead to denial of service via kernel crashes, impacting availability of virtual machines and hosted services. This can disrupt business operations, especially for providers of critical services or cloud infrastructure. Although the vulnerability does not directly expose confidentiality or integrity breaches, the induced instability can be leveraged as part of a broader attack chain or cause operational downtime. Organizations running multi-tenant environments or public cloud services with KVM-based virtualization are at higher risk. The requirement for local access and user interaction limits remote exploitation but insider threats or compromised guest VMs could trigger the issue. Given the widespread adoption of Linux and KVM in European IT environments, the vulnerability poses a tangible risk to service continuity and reliability.
Mitigation Recommendations
European organizations should prioritize applying the official Linux kernel patches that address this vulnerability by ensuring the MMU context is reset immediately when the SMM flag is cleared. Specific mitigation steps include: 1) Updating Linux kernels to versions containing the fix for CVE-2021-47230, typically available in recent stable kernel releases or vendor-provided security updates. 2) For environments using custom or long-term support kernels, backport the patch or upgrade to a supported kernel version. 3) Implement strict access controls to limit local user privileges on hosts running KVM to reduce the risk of exploitation. 4) Monitor virtualization hosts for unusual kernel crashes or general protection faults indicative of this issue. 5) Employ runtime security tools capable of detecting kernel NULL pointer dereferences or anomalous MMU behavior. 6) In multi-tenant or cloud environments, isolate guest VMs and restrict guest-to-host interactions to minimize the potential for triggering the vulnerability. 7) Conduct regular vulnerability scanning and compliance checks to ensure all virtualization hosts are patched promptly. These measures go beyond generic advice by focusing on kernel patching, access restriction, and monitoring tailored to the virtualization context.
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2024-04-10T18:59:19.530Z
- Cisa Enriched
- true
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 682d9835c4522896dcbea116
Added to database: 5/21/2025, 9:09:09 AM
Last enriched: 6/26/2025, 2:51:06 PM
Last updated: 8/11/2025, 11:03:22 PM
Views: 12
Related Threats
CVE-2025-7622: CWE-918: Server-Side Request Forgery (SSRF) in Axis Communications AB AXIS Camera Station Pro
MediumCVE-2025-8314: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in emarket-design Project Management, Bug and Issue Tracking Plugin – Software Issue Manager
MediumCVE-2025-8059: CWE-862 Missing Authorization in bplugins B Blocks – The ultimate block collection
CriticalCVE-2025-8690: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in addix Simple Responsive Slider
MediumCVE-2025-8688: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in ebernstein Inline Stock Quotes
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.