CVE-2021-32847

7.1 HIGH

📋 TL;DR

CVE-2021-32847 is an out-of-bounds read vulnerability in HyperKit's virtio block driver that allows a malicious guest VM to read host memory. This can lead to sensitive information disclosure from the host to the guest. Affected users are those running HyperKit versions 0.20210107 and earlier with untrusted guest VMs.

💻 Affected Systems

Products:
  • HyperKit
Versions: 0.20210107 and earlier
Operating Systems: macOS, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in the virtio block driver implementation; any configuration using this driver is affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete disclosure of sensitive host memory contents, including credentials, encryption keys, and other privileged data, to a malicious guest VM.

🟠 Likely Case: Partial memory disclosure exposing host system information, potentially including sensitive data from other processes.

🟢 If Mitigated: No impact if patched or if only trusted guest VMs are used.

🌐 Internet-Facing: MEDIUM - While the vulnerability requires guest VM access, internet-facing systems with VM hosting capabilities could be targeted.
🏢 Internal Only: HIGH - Internal systems running vulnerable HyperKit versions with untrusted guest VMs are at significant risk of data exfiltration.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires guest VM access and knowledge of the vulnerability; proof-of-concept details are publicly available in the GitHub advisory.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Commit cf60095a4d8c3cb2e182a14415467afd356e982f and later

Vendor Advisory: https://securitylab.github.com/advisories/GHSL-2021-058-moby-hyperkit/

Restart Required: Yes

Instructions:

1. Update HyperKit to commit cf60095a4d8c3cb2e182a14415467afd356e982f or later.
2. Rebuild from source if using custom builds.
3. Restart all HyperKit instances and affected guest VMs.

🔧 Temporary Workarounds

Disable virtio block driver (platforms: all)

Use alternative storage drivers instead of the vulnerable virtio block driver. Configure HyperKit to use alternative storage backends (e.g., virtio-scsi, NVMe).

Isolate guest VMs (platforms: all)

Run only trusted guest VMs to prevent exploitation. Implement strict VM trust policies and access controls.

🧯 If You Can't Patch

  • Isolate HyperKit instances on separate network segments to limit lateral movement
  • Implement strict monitoring of guest VM behavior and memory access patterns

🔍 How to Verify

Check if Vulnerable:

Check the HyperKit version; if hyperkit --version shows version 0.20210107 or earlier, the build is affected:

hyperkit --version

Verify Fix Applied:

Verify that HyperKit is built from commit cf60095a4d8c3cb2e182a14415467afd356e982f or later using git log.
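A self-contained check for the two verification steps above, added here as an example and not part of the advisory. It assumes that hyperkit --version prints the version as 0.YYYYMMDD (optionally prefixed with v) and that the commit check is run against a HyperKit source checkout.

```shell
#!/bin/sh
# Added example (not from the advisory): classify a HyperKit build as affected
# by CVE-2021-32847 using the version string, and check a source checkout for
# the fix commit. Version output format is an assumption.

FIX_COMMIT=cf60095a4d8c3cb2e182a14415467afd356e982f
LAST_VULNERABLE=20210107   # date part of the last affected version, 0.20210107

# Extract the YYYYMMDD part from a string such as "hyperkit: v0.20210107".
version_date() {
    printf '%s\n' "$1" | sed -n 's/.*0\.\([0-9]\{8\}\).*/\1/p' | head -n 1
}

# Print "vulnerable" for 0.20210107 or earlier, "fixed" for later versions,
# "unknown" when no 0.YYYYMMDD version can be parsed from the input.
classify_version() {
    d=$(version_date "$1")
    if [ -z "$d" ]; then
        echo unknown
    elif [ "$d" -le "$LAST_VULNERABLE" ]; then
        echo vulnerable
    else
        echo fixed
    fi
}

# In a HyperKit source checkout, report whether the fix commit is an ancestor
# of HEAD (i.e. the checked-out tree contains the fix).
# Usage: fix_in_history /path/to/hyperkit   -> prints "fixed" or "vulnerable"
fix_in_history() {
    if git -C "$1" merge-base --is-ancestor "$FIX_COMMIT" HEAD 2>/dev/null; then
        echo fixed
    else
        echo vulnerable
    fi
}

# Stand-alone run: classify the installed binary if one is on PATH.
if command -v hyperkit >/dev/null 2>&1; then
    classify_version "$(hyperkit --version 2>&1 | head -n 1)"
fi
```

A result of "unknown" means the version line did not match the assumed format; fall back to the git check on the source tree the binary was built from.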

📡 Detection & Monitoring

Log Indicators:

  • Unusual memory access patterns from guest VMs
  • Multiple failed virtio block operations

Network Indicators:

  • Abnormal data exfiltration from host to guest VM

SIEM Query:

source="hyperkit" AND (event="memory_access" OR event="virtio_block_error")
