CVE-2021-47450: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:
KVM: arm64: Fix host stage-2 PGD refcount
The KVM page-table library refcounts the pages of concatenated stage-2 PGDs individually. However, when running KVM in protected mode, the host's stage-2 PGD is currently managed by EL2 as a single high-order compound page, which can cause the refcount of the tail pages to reach 0 when they shouldn't, hence corrupting the page-table.
Fix this by introducing a new hyp_split_page() helper in the EL2 page allocator (matching the kernel's split_page() function), and make use of it from host_s2_zalloc_pages_exact().
AI Analysis
Technical Summary
CVE-2021-47450 is a vulnerability identified in the Linux kernel's KVM (Kernel-based Virtual Machine) implementation for the ARM64 architecture. Specifically, it concerns the management of stage-2 page global directories (PGDs) used in virtualized environments running on ARM64 processors. The vulnerability arises from incorrect reference counting of pages in the KVM page-table library. Normally, the library refcounts pages of concatenated stage-2 PGDs individually to manage memory correctly. However, when KVM operates in protected mode, the host's stage-2 PGD is managed by the EL2 exception level as a single high-order compound page rather than individual pages. This discrepancy can cause the reference count of the tail pages to erroneously drop to zero, leading to premature freeing or corruption of page-table entries. Such corruption can destabilize the virtual machine's memory management, potentially causing crashes, data corruption, or enabling privilege escalation within the guest or host environment. The fix involves introducing a new helper function, hyp_split_page(), in the EL2 page allocator to properly split and manage compound pages, aligning the reference counting with the kernel's split_page() function. This correction ensures that the host stage-2 PGD pages are correctly accounted for, preventing the refcount underflow and subsequent page-table corruption. The vulnerability affects Linux kernel versions identified by the commit hash 1025c8c0c6accfcbdc8f52ca1940160f65cd87d6 and was published on May 22, 2024. There are no known exploits in the wild at this time, and no CVSS score has been assigned yet.
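The refcount mismatch described above can be reproduced in a small user-space model. This is an added illustration, not kernel code or the upstream patch: the `toy_*` names, the four-page PGD and the one-install, one-remove sequence are assumptions, with `toy_split_page()` standing in for the role the page gives to `hyp_split_page()`.

```c
#include <stdio.h>

#define PGD_PAGES 4   /* assumed: order-2 allocation, 4 concatenated PGD pages */

struct toy_page {     /* stand-in for per-page allocator metadata */
    int refcount;
    int freed;        /* set once the refcount reaches zero */
};

/* Compound allocation: only the head page carries a reference. */
static void toy_alloc_compound(struct toy_page *p, int n)
{
    for (int i = 0; i < n; i++)
        p[i] = (struct toy_page){ .refcount = (i == 0), .freed = 0 };
}

/* Split: every tail page becomes a standalone page with its own reference. */
static void toy_split_page(struct toy_page *p, int n)
{
    for (int i = 1; i < n; i++)
        p[i].refcount = 1;
}

static void toy_get_page(struct toy_page *p) { p->refcount++; }
static void toy_put_page(struct toy_page *p) { if (--p->refcount == 0) p->freed = 1; }

/* Install then remove one entry in each PGD page, refcounting each page
 * individually. Returns how many pages were released while the PGD is live. */
static int pgd_pages_lost(int split)
{
    struct toy_page pgd[PGD_PAGES];
    int lost = 0;
    toy_alloc_compound(pgd, PGD_PAGES);
    if (split)
        toy_split_page(pgd, PGD_PAGES);
    for (int i = 0; i < PGD_PAGES; i++) {
        toy_get_page(&pgd[i]);
        toy_put_page(&pgd[i]);
        lost += pgd[i].freed;
    }
    return lost;
}

int main(void)
{
    printf("compound: %d/%d PGD pages freed\n", pgd_pages_lost(0), PGD_PAGES);
    printf("split:    %d/%d PGD pages freed\n", pgd_pages_lost(1), PGD_PAGES);
    return 0;
}
```

In the compound case each tail page goes 0, 1, 0 and is released while still part of the live PGD; after the split every page starts at 1 and survives the same sequence.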
Potential Impact
For European organizations, this vulnerability poses a risk primarily to environments using ARM64-based virtualization with KVM, which is increasingly common in cloud infrastructure, edge computing, and specialized server deployments. Exploitation could lead to memory corruption within virtual machines, causing instability, data loss, or potential privilege escalation that might allow attackers to escape guest VM isolation and compromise the host system. This could undermine the confidentiality and integrity of sensitive data processed in virtualized environments. Organizations relying on ARM64 KVM virtualization for critical workloads, including financial institutions, research centers, and government agencies, could face operational disruptions or data breaches if the vulnerability is exploited. Although no active exploits are known, the complexity of the issue and its presence in the Linux kernel—a widely used OS kernel in Europe—means that timely patching is essential to maintain secure virtualization infrastructure.
Mitigation Recommendations
European organizations should prioritize updating their Linux kernels to versions that include the patch for CVE-2021-47450. Since the vulnerability is specific to ARM64 KVM virtualization, organizations should audit their infrastructure to identify ARM64 hosts running KVM and verify kernel versions. For environments where immediate patching is not feasible, consider temporarily disabling KVM protected mode on ARM64 hosts if operationally acceptable, to mitigate the risk of refcount corruption. Additionally, implement strict access controls and monitoring on virtualization hosts to detect anomalous behavior that might indicate exploitation attempts. Regularly review and test backup and recovery procedures for virtual machines to minimize impact in case of corruption or crashes. Engage with Linux distribution vendors and cloud providers to ensure timely deployment of security updates. Finally, maintain awareness of any emerging exploit reports related to this vulnerability to adjust defenses accordingly.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Estonia
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-05-21T14:58:30.832Z
- CISA Enriched: true
- CVSS Version: null
- State: PUBLISHED
Threat ID: 682d9833c4522896dcbe919e
Added to database: 5/21/2025, 9:09:07 AM
Last enriched: 6/30/2025, 1:13:14 PM
Last updated: 8/15/2025, 11:37:17 AM