CVE-2021-47389: Vulnerability in Linux

Severity: Medium
Published: Tue May 21 2024 (05/21/2024, 15:03:48 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

KVM: SVM: fix missing sev_decommission in sev_receive_start

DECOMMISSION the current SEV context if binding an ASID fails after RECEIVE_START. Per AMD's SEV API, RECEIVE_START generates a new guest context and thus needs to be paired with DECOMMISSION:

"The RECEIVE_START command is the only command other than the LAUNCH_START command that generates a new guest context and guest handle."

The missing DECOMMISSION can result in subsequent SEV launch failures, as the firmware leaks memory and might not be able to allocate more SEV guest contexts in the future. Note, LAUNCH_START suffered the same bug, but was previously fixed by commit 934002cd660b ("KVM: SVM: Call SEV Guest Decommission if ASID binding fails").

AI-Powered Analysis

Last updated: 06/30/2025, 12:13:39 UTC

Technical Analysis

CVE-2021-47389 is a medium-severity vulnerability affecting the Linux kernel's KVM (Kernel-based Virtual Machine) subsystem, specifically the SVM (Secure Virtual Machine) implementation for AMD SEV (Secure Encrypted Virtualization). The vulnerability arises from a missing call to the 'sev_decommission' function on the error path of the 'RECEIVE_START' command handling in the SEV API. According to AMD's SEV specification, RECEIVE_START generates a new guest context (and guest handle) in the firmware, so it must be paired with a DECOMMISSION operation that releases that context when the receive cannot proceed, here when ASID (Address Space Identifier) binding fails. Without this decommissioning step the firmware leaks the context's memory, and once enough contexts have leaked, subsequent SEV guest launches fail because the firmware can no longer allocate new guest contexts. This is the same class of bug previously fixed for the 'LAUNCH_START' command, which likewise required a decommission call when ASID binding failed. The vulnerability does not directly compromise confidentiality but impacts the integrity and availability of SEV guest virtual machines by causing launch failures and resource leaks. Exploitation requires local access (attack vector: local) but no privileges or user interaction, making it somewhat easier to exploit in environments where unprivileged local access is possible. No known exploits are currently reported in the wild. The CVSS v3.1 base score is 5.1, reflecting a medium severity level with impact primarily on integrity and availability. The underlying weakness corresponds to CWE-772 (Missing Release of Resource after Effective Lifetime).
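To make the failure mode concrete, here is an added C model of a firmware guest-context pool with the leaky and the fixed error path side by side; it is not code from the kernel or from this advisory. The context table, the handle allocator, the MAX_GUEST_CONTEXTS limit and the bind_ok flag that simulates ASID binding failing are all constructed assumptions.

```c
#include <stdbool.h>

/* Constructed model (example only, not kernel or SEV firmware code) of the
 * firmware's guest-context table: a small fixed pool, one slot per handle. */
#define MAX_GUEST_CONTEXTS 4
static bool ctx_in_use[MAX_GUEST_CONTEXTS];

/* RECEIVE_START model: allocate a context, return its handle or -1 if none free. */
static int fw_receive_start(void)
{
    for (int i = 0; i < MAX_GUEST_CONTEXTS; i++)
        if (!ctx_in_use[i]) { ctx_in_use[i] = true; return i; }
    return -1;
}

/* DECOMMISSION model: release the context behind a handle. */
static void fw_decommission(int h)
{
    if (h >= 0 && h < MAX_GUEST_CONTEXTS) ctx_in_use[h] = false;
}

/* Pre-fix flow: when the (simulated) ASID binding fails, the function returns
 * without DECOMMISSION, so the context RECEIVE_START created stays allocated. */
static int receive_start_leaky(bool bind_ok)
{
    int handle = fw_receive_start();
    if (handle < 0) return -1;                 /* firmware out of contexts */
    if (!bind_ok) return -1;                   /* BUG: context leaked (CWE-772) */
    return handle;
}

/* Fixed flow: RECEIVE_START is paired with DECOMMISSION on the error path. */
static int receive_start_fixed(bool bind_ok)
{
    int handle = fw_receive_start();
    if (handle < 0) return -1;
    if (!bind_ok) { fw_decommission(handle); return -1; }
    return handle;
}

/* From a clean firmware state, run 'failures' receives whose binding fails,
 * then report how many contexts remain free for legitimate guest launches. */
int free_contexts_after_failures(int failures, bool use_fix)
{
    int free_count = 0;
    for (int i = 0; i < MAX_GUEST_CONTEXTS; i++) ctx_in_use[i] = false;
    for (int i = 0; i < failures; i++)
        use_fix ? receive_start_fixed(false) : receive_start_leaky(false);
    for (int i = 0; i < MAX_GUEST_CONTEXTS; i++) free_count += !ctx_in_use[i];
    return free_count;
}
```

After four failed receives the leaky flow leaves no free context, so even a legitimate receive_start_leaky(true) then fails; the fixed flow keeps all four free no matter how many bindings fail.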

Potential Impact

For European organizations, especially those leveraging AMD SEV-enabled virtualization for secure cloud or on-premises workloads, this vulnerability can lead to denial of service conditions where SEV guest VMs fail to launch or operate correctly due to resource leaks in the firmware. This can disrupt critical services relying on confidential computing environments, potentially impacting sectors such as finance, healthcare, and government that prioritize data confidentiality and integrity. While the vulnerability does not expose data directly, the inability to reliably launch or maintain SEV guests can degrade service availability and trust in secure virtualization infrastructure. Organizations using Linux-based hypervisors with AMD SEV support must consider the risk of operational disruption and plan accordingly. The lack of known exploits reduces immediate risk but does not eliminate the threat, especially in multi-tenant or shared environments where local access might be attainable by malicious insiders or compromised accounts.

Mitigation Recommendations

To mitigate CVE-2021-47389, organizations should promptly apply the Linux kernel patches that address the missing 'sev_decommission' call during RECEIVE_START processing. Since the vulnerability is in the kernel's KVM SVM code, updating to a Linux kernel version that includes the fix is essential. Additionally, organizations should audit their virtualization environments to identify AMD SEV usage and verify that hypervisor versions are up to date. Monitoring for unusual SEV guest launch failures or resource exhaustion symptoms can help detect exploitation attempts or misconfigurations. Restricting local access to hypervisor hosts and enforcing strict access controls reduces the risk of exploitation. For environments where patching is delayed, consider disabling SEV features if feasible or isolating vulnerable hosts. Finally, coordinate with hardware and firmware vendors to ensure that SEV firmware is also updated to compatible versions that handle resource management correctly.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-05-21T14:58:30.813Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d9833c4522896dcbe8fa8

Added to database: 5/21/2025, 9:09:07 AM

Last enriched: 6/30/2025, 12:13:39 PM

Last updated: 8/11/2025, 11:15:10 AM
