CVE-2021-47341
📋 TL;DR
This is a use-after-free vulnerability in the Linux kernel's KVM subsystem that allows a local attacker with access to the KVM ioctl interface to cause memory corruption. The vulnerability occurs when unregistering coalesced MMIO regions, potentially leading to kernel crashes or privilege escalation. Systems running affected Linux kernel versions with KVM enabled are vulnerable.
💻 Affected Systems
- Linux kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
⚠️ Risk & Real-World Impact
Worst Case
Local privilege escalation to root, kernel panic causing system crash, or arbitrary code execution in kernel context.
Likely Case
Kernel panic leading to denial of service, system instability, or potential privilege escalation in multi-tenant environments.
If Mitigated
Limited to denial of service if exploit fails or system has additional hardening.
🎯 Exploit Status
Exploitation requires local access and knowledge of KVM internals. The bug was found through fuzzing (syz-executor).
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Fixed in stable kernel commits: 069d44a24c0ff8f85adf49233aae7a8ca16f5c7e, 23fa2e46a5556f787ce2ea1a315d3ab93cced204, 679837dc0abaa2c6e2a7bcd86483e05eee1d5066, 8d7c539316d652d217e5e82b89ee204c812a7061, f2ff9d03432fcb160e9f7d4be26174d89de2779a
Vendor Advisory: https://git.kernel.org/stable/c/069d44a24c0ff8f85adf49233aae7a8ca16f5c7e
Restart Required: Yes
Instructions:
1. Update the Linux kernel to a version containing the fix.
2. Check your distribution's security advisories for the specific patched versions.
3. Reboot the system after the kernel update.
🔧 Temporary Workarounds
Restrict KVM device access
Limit access to /dev/kvm to trusted users only by removing unnecessary users from the kvm group.
# Check current kvm group members:
getent group kvm
# Remove a user from the kvm group:
gpasswd -d username kvm
Disable KVM if not needed
Remove the KVM kernel modules if virtualization is not required.
# Unload KVM modules (kvm_intel on Intel hosts, kvm_amd on AMD hosts):
rmmod kvm_intel && rmmod kvm
# Prevent auto-load:
echo 'blacklist kvm' >> /etc/modprobe.d/blacklist.conf
🧯 If You Can't Patch
- Restrict access to /dev/kvm to minimal set of users
- Monitor for suspicious KVM ioctl operations and kernel panics
🔍 How to Verify
Check if Vulnerable:
Check the kernel version and whether KVM is loaded:
uname -r && lsmod | grep kvm
Check Version:
uname -r
Verify Fix Applied:
Confirm that the running kernel includes one of the fix commits listed above, or is a release newer than the last vulnerable version named in your distribution's advisory.
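The two workarounds (restrict /dev/kvm, disable KVM) and the "is KVM loaded" verification step above can be turned into a repeatable exposure check. The script below is an added example, not part of this advisory or of the kernel project: the function names, the `--live` flag and the report wording are mine, and the parsing functions take their input as an argument so they can be exercised on constructed `lsmod`, `getent` and `ls -l` output before being pointed at a real host.

```shell
#!/bin/sh
# Added example, not part of the advisory: exposure checks for the two
# workarounds above (restrict /dev/kvm, disable KVM) and for the "is KVM
# loaded" verification step. The *_in functions parse text passed as an
# argument so they can be run on constructed data; kvm_exposure_report
# feeds them live command output.

# Return 0 if a module listing (format of `lsmod` or /proc/modules, module
# name in the first column) shows the kvm core or a vendor module loaded.
kvm_loaded_in() {
    printf '%s\n' "$1" | awk '
        $1 == "kvm" || $1 == "kvm_intel" || $1 == "kvm_amd" { found = 1 }
        END { exit !found }'
}

# Print the member list of the kvm group from a getent(1) line such as
# "kvm:x:108:alice,bob"; prints nothing when the group is empty or absent.
kvm_group_members_in() {
    printf '%s\n' "$1" | awk -F: '$1 == "kvm" { print $4 }'
}

# Return 0 if an `ls -l /dev/kvm` line grants read or write to "other".
# A world-accessible device node makes the kvm-group restriction meaningless.
kvm_dev_world_accessible() {
    mode=$(printf '%s\n' "$1" | awk '{ print $1 }')
    # mode string: type char, then rwx for user, group, other
    # (the "other" read and write bits are characters 8 and 9)
    case "$mode" in
        ???????r*|????????w*) return 0 ;;
    esac
    return 1
}

# Run the checks against the live host and print a short report.
kvm_exposure_report() {
    if kvm_loaded_in "$(cat /proc/modules 2>/dev/null)"; then
        echo "kernel $(uname -r): kvm module loaded"
    else
        echo "kernel $(uname -r): kvm module not loaded (or built in; check /dev/kvm)"
    fi
    members=$(kvm_group_members_in "$(getent group kvm 2>/dev/null)")
    echo "kvm group members: ${members:-<none>}"
    if [ -e /dev/kvm ]; then
        if kvm_dev_world_accessible "$(ls -l /dev/kvm)"; then
            echo "/dev/kvm is world-accessible: the group restriction is NOT in effect"
        else
            echo "/dev/kvm access is limited to owner and group"
        fi
    else
        echo "/dev/kvm is absent"
    fi
}

# Usage: sh kvm_exposure.sh --live
if [ "${1:-}" = "--live" ]; then
    kvm_exposure_report
fi
```

Two caveats the report is designed to surface: on some distributions a udev rule sets /dev/kvm to mode 0666, so trimming the kvm group changes nothing until the device mode is tightened as well; and a `blacklist kvm` line in modprobe.d only stops alias-based autoloading, so `kvm_intel` or `kvm_amd` can still pull `kvm` in as a dependency. Blacklist the vendor module too, or use an `install kvm /bin/false` line, and remember that `rmmod` refuses to unload the modules while any VM is running.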
📡 Detection & Monitoring
Log Indicators:
- Kernel panic logs
- KASAN reports of use-after-free in kvm_vm_ioctl_unregister_coalesced_mmio
- Multiple KVM ioctl operations from non-privileged users
Network Indicators:
- None - local vulnerability only
SIEM Query:
Search for: 'KASAN: use-after-free' OR 'kvm_vm_ioctl_unregister_coalesced_mmio' OR kernel panic with KVM stack traces
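The log indicators and SIEM query above can be expressed as a small triage function that rates a kernel log instead of matching single strings. The script below is an added example, not part of this advisory: the function names and the `--live` flag are mine, and the sample log is constructed (offsets and addresses are elided placeholders, not a real capture). It goes slightly beyond the query above by correlating a "Kernel panic" line with a preceding call trace that contains KVM frames, which is what the "kernel panic with KVM stack traces" indicator asks for.

```shell
#!/bin/sh
# Added example, not part of the advisory: the log indicators and SIEM query
# above turned into a triage function, run over a constructed sample of
# kernel-log lines (offsets and addresses are placeholders, not a real capture).

SAMPLE_LOG='[   12.001] kvm: disabled by bios
[  301.442] BUG: KASAN: use-after-free in kvm_vm_ioctl_unregister_coalesced_mmio+0x.../0x...
[  301.443] Read of size 8 at addr ffff8880... by task syz-executor/1234
[  301.444] Call Trace:
[  301.445]  kvm_vm_ioctl+0x.../0x...
[  301.446]  __x64_sys_ioctl+0x.../0x...
[  400.000] Kernel panic - not syncing: Fatal exception
[  500.000] systemd[1]: Started Daily apt download activities.'

# Classify one line against the advisory's log indicators.
kvm_uaf_classify_line() {
    case "$1" in
        *"KASAN: use-after-free in kvm_vm_ioctl_unregister_coalesced_mmio"*) echo high ;;
        *"KASAN: use-after-free"*) echo low ;;   # UAF elsewhere; still worth review
        *"Kernel panic"*) echo panic ;;
        *) echo none ;;
    esac
}

# Rate a whole log: "high" if KASAN flags the vulnerable function, "medium"
# if a kernel panic follows a call trace containing KVM frames, "low" for
# any other KASAN use-after-free, "none" otherwise.
kvm_uaf_alert_level() {
    printf '%s\n' "$1" | awk '
        /KASAN: use-after-free in kvm_vm_ioctl_unregister_coalesced_mmio/ { high = 1 }
        /KASAN: use-after-free/ { uaf = 1 }
        /Call Trace:/           { in_trace = 1; next }
        in_trace && / kvm_/     { kvm_trace = 1 }
        /Kernel panic/          { if (kvm_trace) panic_kvm = 1; in_trace = 0 }
        END {
            if (high) { print "high" }
            else if (panic_kvm) { print "medium" }
            else if (uaf) { print "low" }
            else { print "none" }
        }'
}

# Usage: sh kvm_uaf_triage.sh --live   (reads the running kernel log)
if [ "${1:-}" = "--live" ]; then
    echo "alert level: $(kvm_uaf_alert_level "$(dmesg 2>/dev/null)")"
else
    echo "alert level for constructed sample: $(kvm_uaf_alert_level "$SAMPLE_LOG")"
fi
```

The "high" signal only appears on hosts running a KASAN-instrumented kernel, which production systems rarely are; on an ordinary kernel the observable trace of this bug is the "medium" pattern (a panic or oops whose call trace passes through `kvm_vm_ioctl`), so that correlation, not the function name alone, is what a SIEM rule should key on.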
🔗 References
- https://git.kernel.org/stable/c/069d44a24c0ff8f85adf49233aae7a8ca16f5c7e
- https://git.kernel.org/stable/c/23fa2e46a5556f787ce2ea1a315d3ab93cced204
- https://git.kernel.org/stable/c/679837dc0abaa2c6e2a7bcd86483e05eee1d5066
- https://git.kernel.org/stable/c/8d7c539316d652d217e5e82b89ee204c812a7061
- https://git.kernel.org/stable/c/f2ff9d03432fcb160e9f7d4be26174d89de2779a