CVE-2021-47061 – This CVE describes a use-after-free vulnerabili... (How to Fix)

Q: What is the severity of CVE-2021-47061?

CVE-2021-47061 has a CVSS score of 7.8 (HIGH). This CVE describes a use-after-free vulnerability in the Linux kernel's KVM (Kernel-based Virtual Machine) subsystem. When unregistering an I/O bus device fails, the kernel could destroy devices before properly synchronizing with readers, potentially allowing attackers to exploit dangling pointers. This affects systems running vulnerable Linux kernel versions with KVM enabled.

📋 TL;DR

This CVE describes a use-after-free vulnerability in the Linux kernel's KVM (Kernel-based Virtual Machine) subsystem. When unregistering an I/O bus device fails, the kernel could destroy devices before properly synchronizing with readers, potentially allowing attackers to exploit dangling pointers. This affects systems running vulnerable Linux kernel versions with KVM enabled.

💻 Affected Systems

Products:

Linux kernel

Versions: Specific affected versions vary by distribution; generally Linux kernel versions before the fix commits listed in references.

Operating Systems: Linux distributions with KVM support

Default Config Vulnerable: ✅ No

Notes: Only vulnerable if KVM virtualization is enabled and in use. Many cloud providers and virtualization hosts are affected.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Privilege escalation to kernel-level code execution, potentially leading to full system compromise, container escape, or hypervisor escape in virtualized environments.

🟠

Likely Case

Kernel panic or system crash leading to denial of service, with potential for limited privilege escalation in carefully crafted attacks.

🟢

If Mitigated

Minimal impact if KVM is disabled or systems are properly patched; isolated crashes in virtualized environments.

🌐 Internet-Facing: LOW - This requires local access or ability to execute code on the target system.

🏢 Internal Only: MEDIUM - Internal attackers with local access could exploit this, particularly in multi-tenant virtualized environments.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: HIGH

Exploitation requires local access and knowledge of kernel memory layout. No public exploits known at this time.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Linux kernel versions containing commits: 03c6cccedd3913006744faa252a4da5145299343, 2ee3757424be7c1cd1d0bbfa6db29a7edd82a250, 30f46c6993731efb2a690c9197c0fd9ed425da2d, 4e899ca848636b37e9ac124bc1723862a7d7d927

Vendor Advisory: https://git.kernel.org/stable/c/03c6cccedd3913006744faa252a4da5145299343

Restart Required: Yes

Instructions:

1. Update Linux kernel to patched version from your distribution vendor. 2. Reboot system to load new kernel. 3. Verify KVM modules load correctly post-update.

🔧 Temporary Workarounds

Disable KVM

linux

Disable KVM virtualization if not required, eliminating the attack surface.

modprobe -r kvm
echo 'blacklist kvm' >> /etc/modprobe.d/blacklist.conf

🧯 If You Can't Patch

Restrict local user access to systems running KVM
Implement strict SELinux/AppArmor policies to limit kernel module interactions

🔍 How to Verify

Check if Vulnerable:

Check kernel version and if KVM modules are loaded: 'uname -r' and 'lsmod | grep kvm'

Check Version:

uname -r

Verify Fix Applied:

Verify kernel version is patched and test KVM functionality remains operational

📡 Detection & Monitoring

Log Indicators:

Kernel oops messages
KVM module crash logs in dmesg
System crashes during device unregistration

Network Indicators:

None - this is a local vulnerability

SIEM Query:

Search for: 'kernel: BUG:', 'kernel: general protection fault', 'kvm' in crash logs

📊 Metadata

CVE ID: CVE-2021-47061

CVSS v3 Score: 7.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-416

Published: February 29, 2024

Last Updated: December 10, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-47061, you might also want to check these: