CVE-2021-22543

7.8 HIGH

📋 TL;DR

CVE-2021-22543 is a vulnerability in Linux KVM that allows attackers with VM control privileges to bypass read-only memory checks, potentially leading to memory corruption and local privilege escalation. It affects systems running KVM virtualization with vulnerable kernel versions. Attackers could read/write arbitrary memory pages within the host system.

💻 Affected Systems

Products:
  • Linux Kernel KVM
Versions: Linux kernel versions before 5.12.13, 5.11.25, 5.10.42, 5.4.119, 4.19.191, 4.14.232, 4.9.272, 4.4.272
Operating Systems: Linux distributions with KVM support
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems using KVM virtualization. Requires ability to create/control VMs.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full local privilege escalation from a VM guest to host root access, allowing complete system compromise and data exfiltration.

🟠 Likely Case: VM escape leading to host memory corruption, potential denial of service, or limited privilege escalation within the host.

🟢 If Mitigated: Limited impact if proper VM isolation and least-privilege access controls are enforced, though memory corruption risks remain.

🌐 Internet-Facing: LOW - Requires local VM access, not directly exploitable over network.
🏢 Internal Only: HIGH - Any user with VM creation/control privileges can potentially exploit this for privilege escalation.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploit requires VM control privileges. Proof-of-concept code is available in security research repositories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Linux kernel 5.12.13, 5.11.25, 5.10.42, 5.4.119, 4.19.191, 4.14.232, 4.9.272, 4.4.272 and later

Vendor Advisory: https://github.com/google/security-research/security/advisories/GHSA-7wq5-phmq-m584

Restart Required: Yes

Instructions:

1. Update Linux kernel to patched version.
2. Reboot system.
3. Verify kernel version with 'uname -r'.
4. Check distribution-specific security advisories for backported patches.

🔧 Temporary Workarounds

Disable KVM

Remove KVM kernel module to prevent exploitation

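# Unload the vendor module first; kvm cannot be removed while kvm_intel/kvm_amd depends on it
sudo modprobe -r kvm_intel   # on AMD hosts: kvm_amd
sudo modprobe -r kvm
# Blacklist the vendor modules too, otherwise loading one of them pulls kvm back in as a dependency
printf 'blacklist kvm\nblacklist kvm_intel\nblacklist kvm_amd\n' | sudo tee /etc/modprobe.d/blacklist-kvm.conf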

Restrict VM Creation

Limit users who can create/control VMs to trusted administrators only

sudo usermod -a -G libvirt trusted_user
sudo chmod 640 /dev/kvm
sudo setfacl -m u:trusted_user:rw /dev/kvm

🧯 If You Can't Patch

  • Restrict VM creation/control to minimal set of trusted administrators
  • Implement strict VM isolation and monitor for unusual VM behavior

🔍 How to Verify

Check if Vulnerable:

Check kernel version: 'uname -r' and compare with vulnerable versions list

Check Version:

uname -r

Verify Fix Applied:

Verify kernel version is patched: 'uname -r' should show 5.12.13+ or equivalent backported version
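
An added example (not part of the original advisory) of the comparison described above: a plain "is it at least 5.12.13" test misjudges stable branches such as 5.10.x or 5.4.x, so this helper compares the patch level within the matching branch from this page's list. The function name and the "unknown" result for branches the page does not list are assumptions of this example; distribution kernels with backported fixes still need the distribution advisory.

```shell
#!/bin/sh
# Added example: branch-aware check of a kernel release string against the
# fixed versions this page lists for CVE-2021-22543.
# Entries are "branch:first fixed patch level", copied from the page.
FIXED="5.12:13 5.11:25 5.10:42 5.4:119 4.19:191 4.14:232 4.9:272 4.4:272"

# Prints "patched", "vulnerable" or "unknown" for a release string
# such as the output of 'uname -r'. (Hypothetical helper name.)
kvm_cve_2021_22543_status() {
    rel=${1%%-*}              # drop distro suffix, e.g. "-91-generic"
    rel=${rel%%+*}            # drop local "+" suffix
    major=${rel%%.*}
    rest=${rel#*.}
    minor=${rest%%.*}
    case $rest in
        *.*) patch=${rest#*.}; patch=${patch%%.*} ;;
        *)   patch=0 ;;       # "5.12" is treated as 5.12.0
    esac
    # Anything that is not three plain numbers cannot be judged.
    for n in "$major" "$minor" "$patch"; do
        case $n in ''|*[!0-9]*) echo unknown; return 0 ;; esac
    done
    # Same stable branch as a listed fix: compare the patch level only.
    for entry in $FIXED; do
        if [ "${entry%%:*}" = "$major.$minor" ]; then
            if [ "$patch" -ge "${entry##*:}" ]; then
                echo patched
            else
                echo vulnerable
            fi
            return 0
        fi
    done
    # Branches newer than 5.12 are later than 5.12.13.
    if [ "$major" -gt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -gt 12 ]; }; then
        echo patched
    else
        # Unlisted older branch (e.g. a vendor 4.18 kernel): check the vendor advisory.
        echo unknown
    fi
}

kvm_cve_2021_22543_status "$(uname -r)"
```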

📡 Detection & Monitoring

Log Indicators:

  • Unusual VM creation/modification patterns
  • Kernel panic or oops messages
  • Failed memory access attempts in kernel logs

Network Indicators:

  • Not network exploitable

SIEM Query:

source="kernel" AND ("VM_IO" OR "VM_PFNMAP" OR "KVM" AND "memory" AND "error")
