CVE-2021-45464

8.8 HIGH

📋 TL;DR

CVE-2021-45464 is an out-of-bounds write in kvmtool (the `lkvm` userspace VMM for KVM), located in the virtio balloon device (virtio/balloon.c) and the virtio-PCI transport (virtio/pci.c). The vulnerable code runs in the VMM process on the host, so a guest that can drive these devices can corrupt host memory and execute arbitrary code with the privileges of the `lkvm` process, which is a full VM escape. All kvmtool builds up to and including commit 39181fc are affected.

💻 Affected Systems

Products:
  • kvmtool
Versions: kvmtool has no numbered releases; every build from commit 39181fc6429f4e9e71473284940e35857b42772a or any earlier commit is affected (the bug is in virtio/balloon.c and virtio/pci.c)
Operating Systems: Linux hosts running guests under kvmtool
Default Config Vulnerable: ⚠️ Partially. The balloon device is opt-in in kvmtool (`lkvm run --balloon`), so a guest started without that flag cannot reach the balloon.c code path; virtio/pci.c, however, is the transport shared by every virtio-pci device kvmtool exposes, so a VM without a balloon should not be treated as unaffected.
Notes: Affects any deployment that uses kvmtool as a lightweight KVM-based virtualization tool. The vulnerable code is in the host-side `lkvm` process, so the fix has to be applied on the host, not inside guests.
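To make the bug class concrete, here is an added example (written for this page, not kvmtool's own code) modelling the two host-side write paths the CVE record points at: a balloon stats buffer filled using a guest-declared descriptor length, and a device config-space byte write at a guest-chosen offset. The struct layout, the handler names, the canary and where the checks sit are assumptions for illustration; the page does not reproduce the actual kvmtool code.

```c
/*
 * Illustrative model of the bug class CVE-2021-45464 falls into: a VMM
 * trusting a guest-supplied length (virtqueue descriptor) and a
 * guest-supplied offset (virtio-PCI config write) when writing into
 * fixed-size host structures. Added example; layout, names and check
 * placement are assumptions, not kvmtool's code.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define VIRTIO_BALLOON_S_NR 10          /* number of stat slots (assumed) */
#define CANARY 0xfeedfacecafebeefULL

/* One balloon statistic as the virtio spec lays it out: 16-bit tag, 64-bit value. */
struct virtio_balloon_stat {
    uint16_t tag;
    uint64_t val;
} __attribute__((packed));

struct bln_config {
    uint32_t num_pages;
    uint32_t actual;
};

/* Host-side device state; `canary` follows the fixed members so an overflow
 * of either one is observable. */
struct bln_dev {
    struct virtio_balloon_stat stats[VIRTIO_BALLOON_S_NR];
    struct bln_config config;
    uint64_t canary;
};

/* A virtqueue descriptor after translation: host pointer into guest RAM plus
 * the length the guest declared. Both values are guest-controlled. */
struct guest_iov {
    const void *base;
    size_t len;
};

static void bln_dev_init(struct bln_dev *d)
{
    memset(d, 0, sizeof *d);
    d->canary = CANARY;
}

/* Vulnerable pattern: copies however many bytes the guest asked for. */
static void stats_handler_unchecked(struct bln_dev *d, const struct guest_iov *iov)
{
    memcpy(d->stats, iov->base, iov->len);
}

/* Hardened: reject lengths larger than the array or not a whole number of records. */
static bool stats_handler_checked(struct bln_dev *d, const struct guest_iov *iov)
{
    if (iov->len > sizeof d->stats ||
        iov->len % sizeof(struct virtio_balloon_stat) != 0)
        return false;                   /* drop the request instead of writing */
    memcpy(d->stats, iov->base, iov->len);
    return true;
}

/* Vulnerable pattern: byte write at a guest-chosen offset into the config struct. */
static void set_config_unchecked(struct bln_dev *d, uint8_t offset, uint8_t data)
{
    ((uint8_t *)&d->config)[offset] = data;
}

static bool set_config_checked(struct bln_dev *d, uint8_t offset, uint8_t data)
{
    if (offset >= sizeof d->config)
        return false;
    ((uint8_t *)&d->config)[offset] = data;
    return true;
}

/* Decision of each checked handler for one guest-supplied value. */
static bool checked_stats_accepts(size_t len)
{
    static uint8_t buf[sizeof(struct bln_dev)];   /* constructed guest data */
    struct bln_dev d;
    struct guest_iov iov = { buf, len };
    bln_dev_init(&d);
    return len <= sizeof buf && stats_handler_checked(&d, &iov);
}

static bool checked_config_accepts(uint8_t offset)
{
    struct bln_dev d;
    bln_dev_init(&d);
    return set_config_checked(&d, offset, 0x00);
}

/* Drives both handlers with constructed guest input: a stats descriptor as
 * long as the whole device struct, and a config offset that lands on the
 * canary. True when the unchecked paths clobber the canary and the checked
 * paths leave it intact. */
static bool demo(void)
{
    struct bln_dev d;
    uint8_t guest_buf[sizeof(struct bln_dev)];    /* constructed guest memory */
    struct guest_iov oversized = { guest_buf, sizeof guest_buf };
    uint8_t past_config = (uint8_t)(offsetof(struct bln_dev, canary) -
                                    offsetof(struct bln_dev, config));
    memset(guest_buf, 0x41, sizeof guest_buf);

    bln_dev_init(&d);
    stats_handler_unchecked(&d, &oversized);
    if (d.canary == CANARY) return false;         /* overflow must reach it */
    bln_dev_init(&d);
    if (stats_handler_checked(&d, &oversized) || d.canary != CANARY) return false;

    bln_dev_init(&d);
    set_config_unchecked(&d, past_config, 0x00);
    if (d.canary == CANARY) return false;
    bln_dev_init(&d);
    if (set_config_checked(&d, past_config, 0x00) || d.canary != CANARY) return false;
    return true;
}
```

The unchecked handlers show what a device model must never do with virtqueue or config-space data: the length and the offset originate in guest memory, and the guest is the attacker. The hardened versions reject rather than clamp; for a device model that is the safer choice, because a silently truncated request would leave host and guest state out of sync.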

📦 What is this software?

kvmtool (binary name `lkvm`, originally the "Native Linux KVM tool") is a small userspace virtual machine monitor that drives the Linux KVM API directly. It boots Linux guests with a handful of paravirtual devices (virtio console, network, block, balloon and others) and is maintained in a kernel.org git tree rather than shipped as packaged releases, which is why this advisory identifies the affected code by commit hash instead of by version number.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete host takeover allowing attacker to execute arbitrary code with host privileges, access all host resources, and compromise other VMs on the same host.

🟠

Likely Case

Privilege escalation from guest to host leading to data theft, lateral movement, and persistent backdoor installation.

🟢

If Mitigated

Network segmentation and minimal guest privileges shrink what an attacker can do after an escape and raise the bar for triggering the bug from inside the guest, but they do not remove the guest-to-host code execution path itself; only rebuilding kvmtool from a fixed revision does that.

🌐 Internet-Facing: LOW - kvmtool is typically used internally for virtualization, not directly internet-facing.
🏢 Internal Only: HIGH - any code running in a guest with enough privilege to drive a virtio device (typically the guest kernel, or a root process with raw I/O access) can attack the host `lkvm` process and, from there, every other guest on the same host.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: A working guest-to-host exploit exists (hxp CTF 2021); this record lists no in-the-wild exploitation.
Unauthenticated Exploit: ✅ No (the attacker must already run code inside a guest)
Complexity: MEDIUM

Exploit code is publicly available: the bug was used as a VM-escape challenge at hxp CTF 2021. The CVSS vector assumes only low privileges inside the guest, but reaching a virtio-pci device from a guest process normally takes the guest kernel or raw port/MMIO access (root or CAP_SYS_RAWIO on Linux), so the practical barrier is guest-side privilege, not any host-side authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: kvmtool is not versioned. Commit 39181fc6429f4e9e71473284940e35857b42772a is the last revision the CVE record names as affected; build from a later upstream revision and confirm the bounds checks are present in virtio/balloon.c and virtio/pci.c, because this record does not identify the fixing commit.

Vendor Advisory: none published. The link below is the affected commit cited by the CVE record, not an advisory: https://git.kernel.org/pub/scm/linux/kernel/git/will/kvmtool.git/commit/?id=39181fc6429f4e9e71473284940e35857b42772a

Restart Required: Yes

Instructions:

1. Pull the latest kvmtool from the upstream git repository.
2. Rebuild `lkvm` from source on every host that runs it.
3. Stop and restart every guest: the vulnerable code lives in the host-side `lkvm` process, so running VMs keep the old binary until they are restarted.
4. Confirm the tree is past the affected commit and that the virtio code changed since it, e.g. `git rev-parse HEAD` and `git log --oneline 39181fc..HEAD -- virtio/balloon.c virtio/pci.c`, then read the bounds checks in those two files.

🔧 Temporary Workarounds

Disable virtio-balloon device

linux

Start guests without the balloon device so the balloon.c code path is never reachable from the guest. This does not cover the virtio/pci.c part of the CVE.

kvmtool enables the balloon only when `lkvm run` is given `--balloon`; drop that flag from every VM launch. (The `-device virtio-balloon` syntax belongs to QEMU and does not apply to kvmtool.)

Restrict guest user privileges

all

Limit who inside each guest can talk to virtio devices: the attack needs the guest kernel or raw I/O access, so keeping untrusted guest users unprivileged raises the bar to triggering the bug.

Restrict sudo, confine services with SELinux/AppArmor, run workloads with minimal privileges, and keep raw I/O (CAP_SYS_RAWIO, /dev/mem, iopl/ioperm) away from ordinary guest users

🧯 If You Can't Patch

  • Isolate affected VMs on dedicated hosts with no other critical systems, and treat all guests on an unpatched host as one trust domain
  • Segment the host's management network and the guests' networks from each other, so that an attacker who escapes to the host cannot pivot freely

🔍 How to Verify

Check if Vulnerable:

Find the commit the running `lkvm` was built from: if it is 39181fc or an ancestor of it, the host is vulnerable. For anything later, inspect virtio/balloon.c and virtio/pci.c for bounds checks on guest-supplied lengths and offsets; this record names no fixing commit, so a newer hash alone does not prove the fix is present.

Check Version:

`lkvm version` prints the git-derived version string of the installed binary; in a source checkout, `git rev-parse HEAD` gives the exact commit.

Verify Fix Applied:

Confirm the binary on each host was rebuilt from a revision later than 39181fc and that the guests were restarted after the rebuild. Check that the source the binary was built from bounds-checks guest-supplied lengths and offsets in the virtio balloon and virtio-PCI code.

📡 Detection & Monitoring

Log Indicators:

  • Host kernel messages of the form `lkvm[<pid>]: segfault at ... ip ... sp ... error ...` (or `traps: lkvm[<pid>] general protection ...`): a crash of the VMM process is the usual trace of a failed or partial exploit attempt
  • `lkvm` processes exiting unexpectedly, or spawning child processes they have no reason to (shells, network tools)
  • Guest-side virtio-balloon errors or oopses that coincide with host-side `lkvm` faults

Network Indicators:

  • New outbound connections originating from the host itself (from `lkvm` or its children) rather than from guest networking
  • Guest traffic that changes right after an `lkvm` crash or restart on the host

SIEM Query:

kvmtool emits no structured events, so the host kernel log is the source to query; `source` and `message` are placeholders for your collector's field names:

source="kernel" AND (message="*lkvm[*]: segfault at*" OR message="*traps: lkvm[*")

🔗 References

  • Affected commit cited by the CVE record: https://git.kernel.org/pub/scm/linux/kernel/git/will/kvmtool.git/commit/?id=39181fc6429f4e9e71473284940e35857b42772a
  • hxp CTF 2021, where the public exploit was demonstrated
