
CVE-2021-47262: Vulnerability in Linux (Linux kernel)

Severity: High
Published: Tue May 21 2024 (05/21/2024, 14:19:54 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

KVM: x86: Ensure liveliness of nested VM-Enter fail tracepoint message

Use the __string() machinery provided by the tracing subsystem to make a copy of the string literals consumed by the "nested VM-Enter failed" tracepoint. A complete copy is necessary to ensure that the tracepoint can't outlive the data/memory it consumes and dereference stale memory.

Because the tracepoint itself is defined by kvm, if kvm-intel and/or kvm-amd are built as modules, the memory holding the string literals defined by the vendor modules will be freed when the module is unloaded, whereas the tracepoint and its data in the ring buffer will live until kvm is unloaded (or "indefinitely" if kvm is built-in).

This bug has existed since the tracepoint was added, but was recently exposed by a new check in tracing to detect exactly this type of bug.

fmt: '%s%s '
current_buffer: ' vmx_dirty_log_t-140127 [003] .... kvm_nested_vmenter_failed: '
WARNING: CPU: 3 PID: 140134 at kernel/trace/trace.c:3759 trace_check_vprintf+0x3be/0x3e0
CPU: 3 PID: 140134 Comm: less Not tainted 5.13.0-rc1-ce2e73ce600a-req #184
Hardware name: ASUS Q87M-E/Q87M-E, BIOS 1102 03/03/2014
RIP: 0010:trace_check_vprintf+0x3be/0x3e0
Code: <0f> 0b 44 8b 4c 24 1c e9 a9 fe ff ff c6 44 02 ff 00 49 8b 97 b0 20
RSP: 0018:ffffa895cc37bcb0 EFLAGS: 00010282
RAX: 0000000000000000 RBX: ffffa895cc37bd08 RCX: 0000000000000027
RDX: 0000000000000027 RSI: 00000000ffffdfff RDI: ffff9766cfad74f8
RBP: ffffffffc0a041d4 R08: ffff9766cfad74f0 R09: ffffa895cc37bad8
R10: 0000000000000001 R11: 0000000000000001 R12: ffffffffc0a041d4
R13: ffffffffc0f4dba8 R14: 0000000000000000 R15: ffff976409f2c000
FS:  00007f92fa200740(0000) GS:ffff9766cfac0000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000559bd11b0000 CR3: 000000019fbaa002 CR4: 00000000001726e0
Call Trace:
 trace_event_printf+0x5e/0x80
 trace_raw_output_kvm_nested_vmenter_failed+0x3a/0x60 [kvm]
 print_trace_line+0x1dd/0x4e0
 s_show+0x45/0x150
 seq_read_iter+0x2d5/0x4c0
 seq_read+0x106/0x150
 vfs_read+0x98/0x180
 ksys_read+0x5f/0xe0
 do_syscall_64+0x40/0xb0
 entry_SYSCALL_64_after_hwframe+0x44/0xae

AI-Powered Analysis

Last updated: 07/03/2025, 06:09:57 UTC

Technical Analysis

CVE-2021-47262 is a vulnerability in the Linux kernel's KVM (Kernel-based Virtual Machine) subsystem, specifically in the x86 nested-virtualization code. The issue arises from improper handling of the string literals used by the tracepoint that records nested VM-Enter failures. Tracepoints are instrumentation hooks in the kernel that log events into the trace ring buffer; this one records why entering a nested virtual machine failed.

The vulnerability stems from the tracepoint storing only pointers to string literals defined in the vendor-specific modules (kvm-intel and kvm-amd). When those modules are built as loadable kernel modules and later unloaded, the memory holding the literals is freed. The tracepoint and its ring-buffer data, however, persist until the main kvm module is unloaded, or indefinitely if kvm is built into the kernel. Reading the trace afterwards (the warning in the description was raised while a `less` process read it) is therefore a use-after-free: the tracepoint output path dereferences stale memory, which can crash the kernel or produce undefined behaviour. The fix uses the __string() mechanism of the kernel's tracing subsystem, which copies each string into the event record so that its lifetime matches the event's.

This bug has existed since the tracepoint was introduced but was only recently exposed by a new check in the tracing subsystem (the trace_check_vprintf warning shown above) that detects exactly this kind of dangling string. The CVSS 3.1 score of 7.1 (High) reflects that exploitation requires local access with low complexity and privileges but can lead to high confidentiality impact and availability disruption. No known exploits are reported in the wild. Affected versions are those containing the vulnerable tracepoint implementation, in particular kernels with KVM nested virtualization enabled and kvm-intel or kvm-amd loaded as modules.
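The following userspace model is an added example, not kernel code or the upstream patch: it contrasts an event record that keeps only a pointer into a vendor module's memory with one that copies the string into the record, the way __string()/__assign_str() do in the tracing subsystem. The module name, message text and all function names are hypothetical.

```c
/* Added example, not kernel code: a userspace model of the bug class behind
 * CVE-2021-47262. An event that keeps only a pointer to a string literal owned
 * by a loadable vendor module reads stale memory once that module is unloaded;
 * an event that copies the string into its own record, as the kernel's
 * __string()/__assign_str() helpers do, stays valid. Names are hypothetical. */
#include <string.h>

#define MSG "VMX: invalid guest state"   /* constructed sample message */

/* Stands in for the read-only data of the vendor module owning the literal. */
static char vendor_module_mem[64];

static void load_vendor_module(void)   { strcpy(vendor_module_mem, MSG); }
/* Unload: the module's pages are freed and later reused for other data. */
static void unload_vendor_module(void) { strcpy(vendor_module_mem, "<reused memory>"); }

/* Buggy event layout: only a pointer into the vendor module is stored. */
struct event_ptr  { const char *msg; };
/* Fixed event layout: the string lives inside the event record itself, like
 * the dynamic-array area __string() reserves in the trace ring buffer. */
struct event_copy { char msg[64]; };

static void record_ptr(struct event_ptr *e, const char *msg) { e->msg = msg; }

static void record_copy(struct event_copy *e, const char *msg)
{
    strncpy(e->msg, msg, sizeof e->msg - 1);   /* __assign_str() equivalent */
    e->msg[sizeof e->msg - 1] = '\0';
}

/* Each scenario: load the module, record the event, unload the module, then
 * read the event back as `cat trace` would. Returns 1 if the message survived. */
static int pointer_event_survives_unload(void)
{
    struct event_ptr e;
    load_vendor_module();
    record_ptr(&e, vendor_module_mem);
    unload_vendor_module();
    return strcmp(e.msg, MSG) == 0;   /* pointer now reads reused memory: 0 */
}

static int copied_event_survives_unload(void)
{
    struct event_copy e;
    load_vendor_module();
    record_copy(&e, vendor_module_mem);
    unload_vendor_module();
    return strcmp(e.msg, MSG) == 0;   /* private copy is intact: 1 */
}
```

In the real kernel the stale pointer read is what trace_check_vprintf now flags; here the simulated reuse of the module's memory makes the difference observable without undefined behaviour.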

Potential Impact

For European organizations, the impact of CVE-2021-47262 can be significant, especially for those relying on Linux-based virtualization infrastructure using KVM with nested virtualization enabled. The vulnerability could lead to kernel crashes or denial of service on hosts running nested VMs, potentially disrupting critical services and workloads. Confidentiality impact is rated high because the tracepoint reads freed kernel memory, which could expose sensitive kernel data, although the exploitation complexity and required privileges limit this risk to local users or processes with some level of access. Organizations using cloud environments, private data centers, or development/testing platforms with nested virtualization are particularly at risk. Service availability could be affected, leading to downtime and operational disruptions. While no remote exploitation is indicated, insider threats or compromised local accounts could exploit this vulnerability. The issue also poses risks to system stability and reliability, which are critical for sectors such as finance, healthcare, and government services prevalent in Europe.

Mitigation Recommendations

European organizations should prioritize patching Linux kernels to versions where this vulnerability is fixed, ensuring that the __string() mechanism is properly applied in the tracing subsystem for KVM nested VM-Enter failure tracepoints. Specifically, they should:

1. Identify all systems running Linux kernels with KVM nested virtualization enabled, especially those using kvm-intel or kvm-amd as loadable modules.
2. Apply vendor-provided kernel updates or mainline kernel patches that address CVE-2021-47262.
3. If immediate patching is not feasible, consider disabling nested virtualization temporarily to mitigate risk. Since the stale read only occurs after a vendor module has been unloaded while its events remain in the trace ring buffer, avoiding unloading kvm-intel/kvm-amd on unpatched hosts (or clearing the trace buffer before doing so) also removes the trigger.
4. Monitor kernel logs and tracing outputs for unusual tracepoint warnings or errors that may indicate attempts to trigger this vulnerability, such as the trace_check_vprintf WARNING at kernel/trace/trace.c shown in the description.
5. Limit local user privileges and restrict access to systems running nested virtualization to trusted personnel only.
6. Implement robust host-based intrusion detection to detect anomalous kernel behavior or crashes.
7. Coordinate with virtualization platform vendors to ensure compatibility and timely updates.

These steps go beyond generic advice by focusing on the specific kernel modules and virtualization configurations involved.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-05-21T13:27:52.126Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d9835c4522896dcbea229
Added to database: 5/21/2025, 9:09:09 AM
Last enriched: 7/3/2025, 6:09:57 AM
Last updated: 8/6/2025, 1:45:55 PM
