CVE-2021-47390: Vulnerability in Linux (Linux kernel)
In the Linux kernel, the following vulnerability has been resolved:

KVM: x86: Fix stack-out-of-bounds memory access from ioapic_write_indirect()

KASAN reports the following issue:

BUG: KASAN: stack-out-of-bounds in kvm_make_vcpus_request_mask+0x174/0x440 [kvm]
Read of size 8 at addr ffffc9001364f638 by task qemu-kvm/4798

CPU: 0 PID: 4798 Comm: qemu-kvm Tainted: G X --------- ---
Hardware name: AMD Corporation DAYTONA_X/DAYTONA_X, BIOS RYM0081C 07/13/2020
Call Trace:
 dump_stack+0xa5/0xe6
 print_address_description.constprop.0+0x18/0x130
 ? kvm_make_vcpus_request_mask+0x174/0x440 [kvm]
 __kasan_report.cold+0x7f/0x114
 ? kvm_make_vcpus_request_mask+0x174/0x440 [kvm]
 kasan_report+0x38/0x50
 kasan_check_range+0xf5/0x1d0
 kvm_make_vcpus_request_mask+0x174/0x440 [kvm]
 kvm_make_scan_ioapic_request_mask+0x84/0xc0 [kvm]
 ? kvm_arch_exit+0x110/0x110 [kvm]
 ? sched_clock+0x5/0x10
 ioapic_write_indirect+0x59f/0x9e0 [kvm]
 ? static_obj+0xc0/0xc0
 ? __lock_acquired+0x1d2/0x8c0
 ? kvm_ioapic_eoi_inject_work+0x120/0x120 [kvm]

The problem appears to be that 'vcpu_bitmap' is allocated as a single long on stack and it should really be KVM_MAX_VCPUS long. We also seem to clear the lower 16 bits of it with bitmap_zero() for no particular reason (my guess would be that 'bitmap' and 'vcpu_bitmap' variables in kvm_bitmap_or_dest_vcpus() caused the confusion: while the former is indeed 16-bit long, the latter should accommodate all possible vCPUs).
AI Analysis
Technical Summary
CVE-2021-47390 is a vulnerability in the Linux kernel's KVM (Kernel-based Virtual Machine) module, specifically affecting the x86 architecture. The issue is a stack-out-of-bounds memory access reached from the function ioapic_write_indirect(), as detected by the Kernel Address Sanitizer (KASAN). The root cause is the improper allocation of the 'vcpu_bitmap' variable on the stack: instead of reserving enough space for all possible virtual CPUs (vCPUs), as defined by KVM_MAX_VCPUS, it is declared as a single long integer. This leads to an out-of-bounds read when kvm_make_vcpus_request_mask() walks the bitmap representing vCPUs. Additionally, the code clears only the lower 16 bits of this bitmap with bitmap_zero(), likely due to confusion between similarly named variables of different sizes in kvm_bitmap_or_dest_vcpus(). The vulnerability manifests during vCPU request handling triggered by IOAPIC (I/O Advanced Programmable Interrupt Controller) write operations within the KVM module. Triggering it could cause kernel crashes or undefined behavior due to memory corruption. However, there are no known exploits in the wild at this time, and no CVSS score has been assigned. The vulnerability affects Linux kernel versions identified by the commit hash 7ee30bc132c683d06a6d9e360e39e483e3990708 and likely other versions containing the same flawed code. The issue has been publicly disclosed and patched by the Linux kernel maintainers.
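To make the size mismatch concrete, the following is an added userspace model of the kernel bitmap helpers involved (example code, not kernel code and not part of the advisory): it shows how many words a KVM_MAX_VCPUS-bit scan reads versus what a single long provides, what bitmap_zero(..., 16) actually initialises, and the corrected declaration shape. The KVM_MAX_VCPUS value, the helper names and the vcpu ids are assumed or constructed for illustration.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Userspace stand-ins for the kernel bitmap helpers involved in this bug. */
#define BITS_PER_LONG     (sizeof(unsigned long) * CHAR_BIT)
#define BITS_TO_LONGS(nr) (((nr) + BITS_PER_LONG - 1) / BITS_PER_LONG)
#define DECLARE_BITMAP(name, bits) unsigned long name[BITS_TO_LONGS(bits)]
#define KVM_MAX_VCPUS 1024 /* assumed value; the real constant depends on the kernel version */

/* bitmap_zero() clears whole words rounded up from nbits, so nbits == 16 clears exactly one long. */
static void bitmap_zero(unsigned long *dst, unsigned int nbits) { memset(dst, 0, BITS_TO_LONGS(nbits) * sizeof(unsigned long)); }
static void set_bit(unsigned int nr, unsigned long *addr) { addr[nr / BITS_PER_LONG] |= 1UL << (nr % BITS_PER_LONG); }
static int test_bit(unsigned int nr, const unsigned long *addr) { return (addr[nr / BITS_PER_LONG] >> (nr % BITS_PER_LONG)) & 1; }

/* Words a consumer walking nvcpus bits (as for_each_set_bit does) will read from the bitmap. */
size_t words_read_for_vcpus(unsigned int nvcpus) { return BITS_TO_LONGS(nvcpus); }

/* Bytes that bitmap_zero(bm, nbits) actually initialises. */
size_t bytes_zeroed(unsigned int nbits) { return BITS_TO_LONGS(nbits) * sizeof(unsigned long); }

/* Reviewer's check: does a stack object of storage_bytes cover a read of nvcpus bits? */
int storage_covers_vcpus(size_t storage_bytes, unsigned int nvcpus)
{
	return storage_bytes >= words_read_for_vcpus(nvcpus) * sizeof(unsigned long);
}

/* The corrected shape: full-size bitmap, zeroed over its whole length, then scanned. */
int count_marked_vcpus(const unsigned int *ids, size_t n)
{
	DECLARE_BITMAP(vcpu_bitmap, KVM_MAX_VCPUS); /* was: unsigned long vcpu_bitmap; */
	int count = 0;
	bitmap_zero(vcpu_bitmap, KVM_MAX_VCPUS);    /* was: bitmap_zero(&vcpu_bitmap, 16); */
	for (size_t i = 0; i < n; i++)
		if (ids[i] < KVM_MAX_VCPUS)
			set_bit(ids[i], vcpu_bitmap);
	for (unsigned int v = 0; v < KVM_MAX_VCPUS; v++)
		count += test_bit(v, vcpu_bitmap);
	return count;
}

int main(void)
{
	unsigned int ids[] = { 0, 63, 64, 700 }; /* constructed vcpu ids, two of them beyond the first long */
	printf("single long covers KVM_MAX_VCPUS? %d\n", storage_covers_vcpus(sizeof(unsigned long), KVM_MAX_VCPUS));
	printf("bytes zeroed by bitmap_zero(..., 16): %zu of %zu needed\n", bytes_zeroed(16), bytes_zeroed(KVM_MAX_VCPUS));
	printf("vcpus marked with the fixed bitmap: %d\n", count_marked_vcpus(ids, 4));
	return 0;
}
```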
Potential Impact
For European organizations, this vulnerability poses a risk primarily to environments running Linux-based virtualization infrastructure using KVM on x86 hardware. Organizations relying on virtualized workloads, cloud services, or private data centers with KVM virtualization could experience denial of service (DoS) conditions if the vulnerability is triggered, as the stack-out-of-bounds access may cause kernel panics or crashes. While direct remote exploitation is unlikely without additional vulnerabilities, a malicious or compromised guest VM or local user with access to the KVM subsystem could potentially trigger the flaw, leading to host instability or potential privilege escalation if combined with other bugs. This could disrupt critical services, affecting availability and operational continuity. Confidentiality and integrity impacts are less certain but cannot be ruled out if the memory corruption leads to arbitrary code execution. Given the widespread use of Linux and KVM in European public and private sectors, including government, finance, and telecommunications, the vulnerability warrants prompt attention to avoid service disruptions and maintain trust in virtualized infrastructure.
Mitigation Recommendations
European organizations should prioritize updating their Linux kernel to the latest patched versions that address CVE-2021-47390. Specifically, kernel versions incorporating the fix for the KVM ioapic_write_indirect() stack-out-of-bounds issue should be deployed. For environments where immediate patching is not feasible, administrators should restrict access to KVM management interfaces and limit the ability of untrusted users or guest VMs to invoke IOAPIC write operations or other KVM functions that could trigger the vulnerability. Employing strict access controls, SELinux/AppArmor policies, and isolating critical virtual machines can reduce risk. Monitoring kernel logs for KASAN reports or unusual KVM behavior can help detect attempts to exploit the flaw. Additionally, organizations should review their virtualization security posture, ensuring that hypervisor and guest isolation mechanisms are robust. Regular vulnerability scanning and patch management processes should be enforced to prevent exploitation of this and similar vulnerabilities.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Poland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-05-21T14:58:30.813Z
- Cisa Enriched: true
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9833c4522896dcbe8fac
Added to database: 5/21/2025, 9:09:07 AM
Last enriched: 6/30/2025, 12:13:53 PM
Last updated: 7/31/2025, 11:47:30 PM