CVE-2021-3656
📋 TL;DR
This vulnerability in KVM's AMD SVM nested virtualization allows a malicious L1 guest to disable security intercepts for L2 guests, potentially enabling L2 guests to read/write host physical memory. This could lead to system crashes, data leaks, or guest-to-host escape. Affects systems using KVM with AMD processors and nested virtualization enabled.
💻 Affected Systems
- Linux Kernel KVM module
📦 What is this software?
Enterprise Linux For Ibm Z Systems by Redhat
View all CVEs affecting Enterprise Linux For Ibm Z Systems →
Enterprise Linux For Ibm Z Systems by Redhat
View all CVEs affecting Enterprise Linux For Ibm Z Systems →
Enterprise Linux For Ibm Z Systems Eus by Redhat
View all CVEs affecting Enterprise Linux For Ibm Z Systems Eus →
Enterprise Linux For Ibm Z Systems Eus by Redhat
View all CVEs affecting Enterprise Linux For Ibm Z Systems Eus →
Enterprise Linux For Ibm Z Systems Eus by Redhat
View all CVEs affecting Enterprise Linux For Ibm Z Systems Eus →
Enterprise Linux For Power Big Endian by Redhat
View all CVEs affecting Enterprise Linux For Power Big Endian →
Enterprise Linux For Power Little Endian by Redhat
View all CVEs affecting Enterprise Linux For Power Little Endian →
Enterprise Linux For Power Little Endian by Redhat
View all CVEs affecting Enterprise Linux For Power Little Endian →
Enterprise Linux For Power Little Endian Eus by Redhat
View all CVEs affecting Enterprise Linux For Power Little Endian Eus →
Enterprise Linux For Power Little Endian Eus by Redhat
View all CVEs affecting Enterprise Linux For Power Little Endian Eus →
Enterprise Linux For Power Little Endian Eus by Redhat
View all CVEs affecting Enterprise Linux For Power Little Endian Eus →
Enterprise Linux For Real Time For Nfv by Redhat
View all CVEs affecting Enterprise Linux For Real Time For Nfv →
Enterprise Linux For Real Time For Nfv by Redhat
View all CVEs affecting Enterprise Linux For Real Time For Nfv →
Enterprise Linux For Real Time For Nfv Tus by Redhat
View all CVEs affecting Enterprise Linux For Real Time For Nfv Tus →
Enterprise Linux For Real Time For Nfv Tus by Redhat
View all CVEs affecting Enterprise Linux For Real Time For Nfv Tus →
Enterprise Linux For Real Time Tus by Redhat
View all CVEs affecting Enterprise Linux For Real Time Tus →
Enterprise Linux For Real Time Tus by Redhat
View all CVEs affecting Enterprise Linux For Real Time Tus →
Enterprise Linux For Scientific Computing by Redhat
View all CVEs affecting Enterprise Linux For Scientific Computing →
Enterprise Linux Server Update Services For Sap Solutions by Redhat
View all CVEs affecting Enterprise Linux Server Update Services For Sap Solutions →
Enterprise Linux Server Update Services For Sap Solutions by Redhat
View all CVEs affecting Enterprise Linux Server Update Services For Sap Solutions →
Enterprise Linux Server Update Services For Sap Solutions by Redhat
View all CVEs affecting Enterprise Linux Server Update Services For Sap Solutions →
Enterprise Linux Server Update Services For Sap Solutions by Redhat
View all CVEs affecting Enterprise Linux Server Update Services For Sap Solutions →
Enterprise Linux Server Update Services For Sap Solutions by Redhat
View all CVEs affecting Enterprise Linux Server Update Services For Sap Solutions →
Fedora by Fedoraproject
Fedora by Fedoraproject
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Openstack by Redhat
⚠️ Risk & Real-World Impact
Worst Case
Complete guest-to-host escape allowing L2 guest to execute arbitrary code on host, access all host memory, and potentially compromise the entire physical system.
Likely Case
System crash/DoS or sensitive data leakage from host memory to malicious guest.
If Mitigated
No impact if nested virtualization is disabled or systems are patched.
🎯 Exploit Status
Exploitation requires: 1) AMD processor with SVM, 2) nested virtualization enabled, 3) malicious L1 guest access, 4) knowledge of KVM internals. No public exploits known.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Linux kernel with commit c7dfa4009965a9b2d7b329ee970eb8da0d32f0bc
Vendor Advisory: https://bugzilla.redhat.com/show_bug.cgi?id=1983988
Restart Required: Yes
Instructions:
1. Update Linux kernel to version containing the fix. 2. For RHEL/CentOS: yum update kernel. 3. For Ubuntu/Debian: apt update && apt upgrade linux-image. 4. Reboot system to load new kernel.
🔧 Temporary Workarounds
Disable nested virtualization
linuxPrevents exploitation by disabling the vulnerable feature entirely
echo 'options kvm-amd nested=0' > /etc/modprobe.d/kvm-amd.conf
rmmod kvm-amd
modprobe kvm-amd
🧯 If You Can't Patch
- Disable nested virtualization on all AMD hosts
- Isolate/restrict access to VMs that require nested virtualization capabilities
🔍 How to Verify
Check if Vulnerable:
Check kernel version and if nested virtualization is enabled: cat /sys/module/kvm_amd/parameters/nestedCheck Version:
uname -rVerify Fix Applied:
Verify kernel version contains the fix commit: uname -r and check kernel changelog for commit c7dfa4009965a9b2d7b329ee970eb8da0d32f0bc📡 Detection & Monitoring
Log Indicators:
- Kernel crashes or panics
- Unexpected VM exits in KVM logs
- Suspicious nested VM creation patterns
Network Indicators:
- None - this is a local hypervisor vulnerability
SIEM Query:
source="kvm" AND ("nested" OR "vmcb" OR "virt_ext")🔗 References
- https://bugzilla.redhat.com/show_bug.cgi?id=1983988
- https://git.kernel.org/pub/scm/virt/kvm/kvm.git/commit/?id=c7dfa4009965a9b2d7b329ee970eb8da0d32f0bc
- https://github.com/torvalds/linux/commit/c7dfa4009965a9b2d7b329ee970eb8da0d32f0bc
- https://www.openwall.com/lists/oss-security/2021/08/16/1
- https://bugzilla.redhat.com/show_bug.cgi?id=1983988
- https://git.kernel.org/pub/scm/virt/kvm/kvm.git/commit/?id=c7dfa4009965a9b2d7b329ee970eb8da0d32f0bc
- https://github.com/torvalds/linux/commit/c7dfa4009965a9b2d7b329ee970eb8da0d32f0bc
- https://www.openwall.com/lists/oss-security/2021/08/16/1
