CVE-2021-3501

7.1 HIGH

📋 TL;DR

This vulnerability in the Linux kernel's KVM API allows a user process to trigger an out-of-bounds write by manipulating the internal.ndata value. It affects Linux kernel versions before 5.12, potentially compromising data integrity and system availability. Any system running vulnerable kernel versions with KVM enabled is at risk.

💻 Affected Systems

Products:
  • Linux kernel
Versions: Versions before 5.12
Operating Systems: Linux distributions using kernel versions before 5.12
Default Config Vulnerable: ✅ No
Notes: Only vulnerable if KVM (Kernel-based Virtual Machine) is enabled and configured. Most desktop systems don't have KVM enabled by default.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise leading to data corruption, denial of service, or potential privilege escalation through kernel memory corruption.

🟠

Likely Case

System instability, crashes, or denial of service affecting virtualized environments using KVM.

🟢

If Mitigated

Limited impact if KVM is not enabled or proper access controls restrict user access to KVM interfaces.

🌐 Internet-Facing: LOW - Requires local access to the system and KVM privileges.
🏢 Internal Only: MEDIUM - Local users with KVM access could exploit this, particularly in multi-tenant or shared hosting environments.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires local access and KVM privileges. The vulnerability involves manipulating kernel memory structures.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Linux kernel 5.12 and later

Vendor Advisory: https://bugzilla.redhat.com/show_bug.cgi?id=1950136

Restart Required: Yes

Instructions:

1. Update to Linux kernel 5.12 or later.
2. For Red Hat/CentOS: Apply security updates via 'yum update kernel'.
3. For Ubuntu/Debian: Apply security updates via 'apt update && apt upgrade'.
4. Reboot the system after kernel update.

🔧 Temporary Workarounds

Disable KVM

Disable KVM kernel module if not required for virtualization

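# Unload the vendor module first; kvm cannot be removed while kvm_intel or kvm_amd is using it
modprobe -r kvm_intel kvm_amd kvm
# Blacklist all three so they are not autoloaded at boot
printf 'blacklist %s\n' kvm kvm_intel kvm_amd >> /etc/modprobe.d/blacklist.conf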

Restrict KVM access

Limit access to KVM device files to trusted users only

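chmod 600 /dev/kvm
chown root:root /dev/kvm
# Not persistent: udev reapplies its rule-defined owner and mode when the node is recreated (reboot or module reload)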

🧯 If You Can't Patch

  • Disable KVM functionality if not required for system operation
  • Implement strict access controls to limit which users can access KVM interfaces

🔍 How to Verify

Check if Vulnerable:

Check kernel version with 'uname -r' and verify if it's below 5.12. Check if KVM is loaded with 'lsmod | grep kvm'.

Check Version:

uname -r

Verify Fix Applied:

After update, verify kernel version is 5.12 or higher with 'uname -r'. Check that KVM module is still functional if needed.
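
The checks above combined into one triage script, as an added example that is not part of the original advisory; the function names and verdict words are this example's own. A version below 5.12 is only a first-pass signal, since distribution kernels can carry the fix as a backport under an older version number, so confirm a hit against the vendor advisory.

```sh
#!/bin/sh
# Added example: first-pass exposure triage for CVE-2021-3501.
# The 5.12 threshold and the 600 mode come from the page;
# function names and verdict words are this example's own.

# kernel_before_fix RELEASE -> 0 if older than 5.12, 1 if not, 2 if unparsable.
# 5.12 pre-release (-rc) builds are not distinguished from the 5.12 release.
kernel_before_fix() {
    rel=$1
    case "$rel" in *.*) ;; *) return 2 ;; esac
    major=${rel%%.*}
    rest=${rel#*.}
    minor=${rest%%[!0-9]*}
    case "$major" in ''|*[!0-9]*) return 2 ;; esac
    [ -n "$minor" ] || return 2
    [ "$major" -lt 5 ] && return 0
    [ "$major" -eq 5 ] && [ "$minor" -lt 12 ] && return 0
    return 1
}

# kvm_loaded [FILE] -> 0 if kvm, kvm_intel or kvm_amd is listed (/proc/modules format).
kvm_loaded() {
    grep -Eq '^kvm(_intel|_amd)? ' "${1:-/proc/modules}" 2>/dev/null
}

# kvm_node_exposed [PATH] -> 0 if the node exists and group or others have any access.
kvm_node_exposed() {
    node=${1:-/dev/kvm}
    [ -e "$node" ] || return 1
    mode=$(stat -c '%a' "$node") || return 1
    case "$mode" in 0|*00) return 1 ;; *) return 0 ;; esac
}

# triage RELEASE [MODULES_FILE] [NODE] -> prints one verdict word.
triage() {
    rc=0; kernel_before_fix "$1" || rc=$?
    case "$rc" in
        1) echo "version-ok"; return 0 ;;
        2) echo "version-unparsed"; return 0 ;;
    esac
    if ! kvm_loaded "$2" && [ ! -e "${3:-/dev/kvm}" ]; then
        echo "kvm-absent"       # no module listed and no device node
    elif kvm_node_exposed "$3"; then
        echo "exposed"          # old kernel, node open beyond its owner
    else
        echo "restricted"       # old kernel, node limited to its owner
    fi
}

triage "$(uname -r)"
```

The device-node check also covers kernels with KVM built in, which never appear in the module list.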

📡 Detection & Monitoring

Log Indicators:

  • Kernel panic logs
  • System crash dumps
  • Unexpected KVM-related errors in dmesg

Network Indicators:

  • None - this is a local vulnerability

SIEM Query:

Search for kernel panic events or KVM module errors in system logs
