CVE-2021-3653
📋 TL;DR
A flaw in KVM's AMD SVM nested virtualization support: when KVM builds the control block for a nested (L2) guest from the VMCB supplied by the L1 guest, it does not properly validate the int_ctl field, so a malicious L1 can switch on AVIC (Advanced Virtual Interrupt Controller) for its L2 guest even though nested AVIC is not supported. The L2 guest can then read and write host physical pages, leading to a host crash, leakage of host memory, or a guest-to-host escape. Affects Linux kernels before 5.14-rc7 on AMD hosts where KVM nested virtualization is enabled (the kvm_amd default).
💻 Affected Systems
- Linux Kernel KVM (Kernel-based Virtual Machine)
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
⚠️ Risk & Real-World Impact
Worst Case
Complete guest-to-host escape allowing L1 guest to execute arbitrary code on host, access all host memory, and compromise the entire physical system.
Likely Case
System crash/DoS from memory corruption, potential sensitive data leakage from host memory to malicious guest.
If Mitigated
With the kernel patched, or with nested virtualization disabled so that an L1 guest cannot launch an L2 at all, the affected code path is unreachable. Access controls on who may run guests shrink the attacker population but do not by themselves stop a guest that can run nested VMs from reaching it.
🎯 Exploit Status
Exploitation requires code running in an L1 guest kernel (root inside a VM, or a compromised VM) on an AMD host that exposes SVM to guests, i.e. the ability to launch nested VMs. No public exploit code is identified in the references.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Linux kernel 5.14-rc7 and later
Vendor Advisory: https://bugzilla.redhat.com/show_bug.cgi?id=1983686
Restart Required: Yes
Instructions:
1. Update the Linux kernel to 5.14-rc7 or later.
2. For distribution kernels, apply the vendor kernel update. Distributions ship the fix as a backport under their own version numbers, so use the vendor advisory for your distribution (see References) rather than the 5.14 number to decide whether a package is fixed.
3. Reboot so the patched kernel is the running one.
🔧 Temporary Workarounds
Disable nested virtualization
Stops L1 guests from launching L2 guests at all, which removes the only way to reach the affected VMRUN path. The module can only be reloaded while no VM is running (rmmod fails while /dev/kvm is in use), and workloads that depend on nested VMs will break.
echo 'options kvm_amd nested=0' > /etc/modprobe.d/kvm-amd-nested.conf
rmmod kvm_amd
modprobe kvm_amd
cat /sys/module/kvm_amd/parameters/nested
The last command should print 0; nested=1 is the kvm_amd default, so it has to be set explicitly.
Disable AVIC support (not an effective mitigation)
The avic parameter of kvm_amd (kvm_amd.avic=0 on the kernel command line, or options kvm_amd avic=0 in modprobe.d) only controls whether KVM uses AVIC for the guests it runs itself, and it was already off by default in the affected kernels. The flaw is that the AVIC enable bit chosen by L1 is copied into the L2 control block without being masked, which this parameter does not prevent. Do not rely on it.
🧯 If You Can't Patch
- Isolate KVM hosts from critical systems and implement strict access controls to prevent malicious L1 guest creation.
- Monitor for abnormal nested virtualization activity and implement host intrusion detection.
🔍 How to Verify
Check if Vulnerable:
The kernel version alone is a weak signal: uname -r shows the base version, and distribution kernels receive the fix as a backport without moving to 5.14. Treat an upstream version earlier than 5.14-rc7 as "check the vendor changelog for CVE-2021-3653", and combine it with the host conditions: an AMD CPU with svm in /proc/cpuinfo, kvm_amd loaded, and /sys/module/kvm_amd/parameters/nested reading 1 (the default). If nested reads 0 or kvm_amd is not loaded, guests cannot reach the affected path.
Check Version:
uname -r
cat /sys/module/kvm_amd/parameters/nested
Verify Fix Applied:
Confirm that the running kernel is 5.14-rc7 or later upstream, or that your distribution's changelog for the installed kernel package lists CVE-2021-3653, and that the host has been rebooted so that uname -r reports the patched kernel.
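The verification steps above as a script, added here as an example rather than taken from the advisory or from the kernel project. It parses a uname -r style release string against the upstream fix point, then checks whether the nested SVM path is reachable on this host via /proc/cpuinfo and the kvm_amd sysfs parameter. It assumes upstream mainline numbering; a "predates" verdict on a distribution kernel only means the vendor changelog must be consulted.

```shell
#!/bin/sh
# Added example (not the advisory's or the kernel's own code) for CVE-2021-3653.
# Assumption: release strings follow upstream numbering such as "5.14.0-rc7"
# or "5.15.0-91-generic"; stable/distro kernels backport the fix, so
# "predates fix" is a prompt to check the vendor changelog, not a verdict.

# kernel_version_predates_fix VERSION
#   returns 0 if VERSION is older than 5.14-rc7 (upstream numbering),
#   1 if it is 5.14-rc7 or later, 2 if VERSION cannot be parsed.
kernel_version_predates_fix() {
    ver=$1
    base=${ver%%-*}            # "5.14.0-rc7-custom" -> "5.14.0"
    rest=${ver#"$base"}        # "-rc7-custom"
    major=${base%%.*}
    tmp=${base#*.}
    minor=${tmp%%.*}
    rc=0
    case $rest in
        -rc*) rc=${rest#-rc}; rc=${rc%%[!0-9]*} ;;
    esac
    [ -n "$rc" ] || rc=0
    case $major in ''|*[!0-9]*) return 2 ;; esac
    case $minor in ''|*[!0-9]*) return 2 ;; esac
    if [ "$major" -lt 5 ]; then return 0; fi
    if [ "$major" -gt 5 ]; then return 1; fi
    if [ "$minor" -lt 14 ]; then return 0; fi
    if [ "$minor" -gt 14 ]; then return 1; fi
    # 5.14 series: only release candidates before rc7 are affected
    if [ "$rc" -ge 1 ] && [ "$rc" -lt 7 ]; then return 0; fi
    return 1
}

# host_nested_svm_exposed
#   returns 0 if this is an AMD SVM host with kvm_amd loaded and nested=1,
#   i.e. an L1 guest can issue VMRUN for an L2 and reach the affected path.
host_nested_svm_exposed() {
    grep -Eq ' svm( |$)' /proc/cpuinfo 2>/dev/null || return 1
    p=/sys/module/kvm_amd/parameters/nested
    [ -r "$p" ] || return 1                  # kvm_amd not loaded
    case $(cat "$p") in 1|Y) return 0 ;; *) return 1 ;; esac
}

report() {
    v=$(uname -r)
    status=0
    kernel_version_predates_fix "$v" || status=$?
    case $status in
        0) echo "kernel $v predates upstream 5.14-rc7: confirm the CVE-2021-3653 backport in the vendor changelog" ;;
        1) echo "kernel $v is 5.14-rc7 or later upstream" ;;
        *) echo "kernel $v: could not parse release string" ;;
    esac
    if host_nested_svm_exposed; then
        echo "kvm_amd loaded with nested=1: L1 guests can launch L2, affected path reachable"
    else
        echo "no AMD SVM host, kvm_amd not loaded, or nested=0: affected path not reachable from guests"
    fi
}

report
```

Run it as root or any user (it only reads sysfs and /proc); the two lines it prints are independent, since a patched kernel with nested=1 is fine and an unpatched kernel with nested=0 is not reachable.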
📡 Detection & Monitoring
Log Indicators:
- Kernel panic/crash logs
- KVM module loading errors
- Unusual nested guest creation in virtualization logs
Network Indicators:
- Not network exploitable - local vulnerability only
SIEM Query:
Search for: kernel_version < '5.14-rc7' AND (kvm_amd module loaded OR nested virtualization enabled)
🔗 References
- http://packetstormsecurity.com/files/165477/Kernel-Live-Patch-Security-Notice-LSN-0083-1.html
- https://bugzilla.redhat.com/show_bug.cgi?id=1983686
- https://lists.debian.org/debian-lts-announce/2021/10/msg00010.html
- https://lists.debian.org/debian-lts-announce/2021/12/msg00012.html
- https://www.openwall.com/lists/oss-security/2021/08/16/1