CVE-2021-47277
KVM Speculative Memory Access Vulnerability
Description
In the Linux kernel, the following vulnerability has been resolved:

kvm: avoid speculation-based attacks from out-of-range memslot accesses

KVM's mechanism for accessing guest memory translates a guest physical address (gpa) to a host virtual address using the right-shifted gpa (also known as gfn) and a struct kvm_memory_slot. The translation is performed in __gfn_to_hva_memslot using the following formula:

hva = slot->userspace_addr + (gfn - slot->base_gfn) * PAGE_SIZE

It is expected that gfn falls within the boundaries of the guest's physical memory. However, a guest can access invalid physical addresses in such a way that the gfn is invalid.

__gfn_to_hva_memslot is called from kvm_vcpu_gfn_to_hva_prot, which first retrieves a memslot through __gfn_to_memslot. While __gfn_to_memslot does check whether the gfn falls within the boundaries of the guest's physical memory, a CPU can speculate the result of the check and continue execution speculatively using an illegal gfn. The speculation can result in calculating an out-of-bounds hva. If the resulting host virtual address is used to load another guest physical address, this is effectively a Spectre gadget consisting of two consecutive reads, the second of which is data dependent on the first.

Right now it's not clear if there are any cases in which this is exploitable. One interesting case was reported by the original author of this patch, and involves visiting guest page tables on x86. Right now these are not vulnerable because the hva read goes through get_user(), which contains an LFENCE speculation barrier. However, there are patches in progress for x86 uaccess.h to mask kernel addresses instead of using LFENCE; once these land, a guest could use speculation to read from the VMM's ring 3 address space. Other architectures such as ARM already use the address masking method, and would be susceptible to this same kind of data-dependent access gadgets.

Therefore, this patch proactively protects from these attacks by masking out-of-bounds gfns in __gfn_to_hva_memslot, which blocks speculation of invalid hvas. Sean Christopherson noted that this patch does not cover kvm_read_guest_offset_cached. This however is limited to a few bytes past the end of the cache, and therefore it is unlikely to be useful in the context of building a chain of data dependent accesses.
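The translation and the fix, modelled in user-space C. This is an added example, not code from the CVE record or from the kernel tree: struct kvm_memory_slot is reduced to the three fields the formula uses, KVM_HVA_ERR_BAD is a stand-in for the kernel's error hva, and the demo slot (4 pages at gfn 0x100, mapped at a made-up hva) is constructed for the example. The upstream fix clamps the page offset with the kernel's array_index_nospec() helper; the branch-free mask below reimplements that helper in portable C so the example builds outside the kernel. The "mispredicted" flag simulates the CPU running the translation on a gfn the architectural check has already rejected, which is the situation the fix is about; the unfixed translation then yields an hva outside the slot, the fixed one cannot.

```c
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT 12
#define PAGE_SIZE (1UL << PAGE_SHIFT)
#define BITS_PER_LONG (8 * sizeof(unsigned long))
#define KVM_HVA_ERR_BAD (~0UL)  /* stand-in for the kernel's error hva (assumption) */

typedef uint64_t gfn_t;

/* Model of struct kvm_memory_slot: only the fields the translation uses. */
struct kvm_memory_slot {
    gfn_t base_gfn;
    unsigned long npages;
    unsigned long userspace_addr;
};

/* Branch-free mask: all ones when index < size, zero otherwise.
 * Mirrors the generic array_index_mask_nospec() in linux/nospec.h;
 * the empty asm keeps the compiler from folding the mask away. */
static inline unsigned long array_index_mask_nospec(unsigned long index, unsigned long size)
{
    __asm__ __volatile__("" : "+r"(index));
    return ~(long)(index | (size - 1UL - index)) >> (BITS_PER_LONG - 1);
}
#define array_index_nospec(index, size) ((index) & array_index_mask_nospec((index), (size)))

/* Translation before the fix: plain arithmetic, no clamp. */
static unsigned long gfn_to_hva_memslot_unfixed(const struct kvm_memory_slot *slot, gfn_t gfn)
{
    return slot->userspace_addr + (gfn - slot->base_gfn) * PAGE_SIZE;
}

/* Translation after the fix: the page offset is clamped to [0, npages), so an
 * out-of-range gfn can only produce an hva inside the slot, however the
 * earlier bounds check was predicted. */
static unsigned long gfn_to_hva_memslot_fixed(const struct kvm_memory_slot *slot, gfn_t gfn)
{
    unsigned long offset = gfn - slot->base_gfn;
    offset = array_index_nospec(offset, slot->npages);
    return slot->userspace_addr + offset * PAGE_SIZE;
}

/* Architectural range check, as __gfn_to_memslot performs it. */
static int gfn_in_memslot(const struct kvm_memory_slot *slot, gfn_t gfn)
{
    return gfn >= slot->base_gfn && gfn - slot->base_gfn < slot->npages;
}

static int hva_in_memslot(const struct kvm_memory_slot *slot, unsigned long hva)
{
    return hva >= slot->userspace_addr &&
           hva - slot->userspace_addr < slot->npages * PAGE_SIZE;
}

/* Models the check-then-translate sequence of kvm_vcpu_gfn_to_hva_prot().
 * 'mispredicted' simulates the CPU speculating past a failed check: the
 * translation runs on a gfn the check has rejected. */
static unsigned long gfn_to_hva(const struct kvm_memory_slot *slot, gfn_t gfn,
                                int fixed, int mispredicted)
{
    if (!gfn_in_memslot(slot, gfn) && !mispredicted)
        return KVM_HVA_ERR_BAD;
    return fixed ? gfn_to_hva_memslot_fixed(slot, gfn)
                 : gfn_to_hva_memslot_unfixed(slot, gfn);
}

/* Constructed slot: 4 guest pages at gfn 0x100, mapped at a made-up hva. */
#define DEMO_HVA 0x7f0000000000UL
static const struct kvm_memory_slot demo_slot = {
    .base_gfn = 0x100, .npages = 4, .userspace_addr = DEMO_HVA,
};

int main(void)
{
    /* last in-range page, one past the end, below the base, far above the end */
    const gfn_t probes[] = { 0x103, 0x104, 0x50, 0x100 + (1UL << 40) };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        unsigned long arch = gfn_to_hva(&demo_slot, probes[i], 0, 0);
        unsigned long spec_unfixed = gfn_to_hva(&demo_slot, probes[i], 0, 1);
        unsigned long spec_fixed = gfn_to_hva(&demo_slot, probes[i], 1, 1);
        printf("gfn 0x%llx: check %s; speculative hva unfixed=0x%lx (%s) fixed=0x%lx (%s)\n",
               (unsigned long long)probes[i],
               arch == KVM_HVA_ERR_BAD ? "rejected" : "passed",
               spec_unfixed, hva_in_memslot(&demo_slot, spec_unfixed) ? "in slot" : "OUT OF SLOT",
               spec_fixed, hva_in_memslot(&demo_slot, spec_fixed) ? "in slot" : "OUT OF SLOT");
    }
    return 0;
}
```

Note that the clamp does not make the architectural path any more permissive: a gfn outside the slot is still rejected by the check, and an in-range gfn still translates to the same hva as before. What changes is that an offset the check rejects now masks to page 0 of the slot instead of feeding an arbitrary address into the next load, which is what removes the first read of the two-read gadget.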
INFO
Published Date: May 21, 2024, 3:15 p.m.
Last Modified: April 30, 2025, 2:30 p.m.
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67 (Linux kernel CNA)
Remotely Exploitable: No (the CVSS attack vector is Local; the attacker is a guest running on the affected host)
CVSS v3.1 Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H (Base Score 7.1, High)
Impact Score: 5.2
Exploitability Score: 1.8
CWE: CWE-125 (Out-of-bounds Read)
References to Advisories, Solutions, and Tools
Fix commits for CVE-2021-47277 (Type: Patch; each is recorded under both the CVE source and kernel.org):
https://git.kernel.org/stable/c/22b87fb17a28d37331bb9c1110737627b17f6781
https://git.kernel.org/stable/c/3098b86390a6b9ea52657689f08410baf130ceff
https://git.kernel.org/stable/c/361ce3b917aff93123e9e966d8608655c967f438
https://git.kernel.org/stable/c/740621309b25bbf619b8a0ba5fd50a8e58989441
https://git.kernel.org/stable/c/7af299b97734c7e7f465b42a2139ce4d77246975
https://git.kernel.org/stable/c/bff1fbf0cf0712686f1df59a83fba6e31d2746a0
https://git.kernel.org/stable/c/da27a83fd6cc7780fea190e1f5c19e87019da65c
https://git.kernel.org/stable/c/ed0e2a893092c7fcb4ff7ba74e5efce53a6f5940
No public proof-of-concept repositories or news articles referencing this CVE were listed at the time of the last update.
Vulnerability History
The following entries list the changes made to the CVE-2021-47277 record over time. History details are useful for understanding how the record evolved and for identifying recent changes that may affect the vulnerability's severity, exploitability, or other characteristics.
-
Initial Analysis by [email protected]
Apr. 30, 2025
Added CVSS v3.1 vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Added CWE: CWE-125
Added CPE configuration (OR):
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions up to (excluding) 4.4.273
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 4.5 up to (excluding) 4.9.273
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 4.10 up to (excluding) 4.14.237
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 4.15 up to (excluding) 4.19.195
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 4.20 up to (excluding) 5.4.126
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.5 up to (excluding) 5.10.44
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.11 up to (excluding) 5.12.11
cpe:2.3:o:linux:linux_kernel:5.13:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.13:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.13:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.13:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.13:rc5:*:*:*:*:*:*
Added references (Type: Patch; each recorded once under the CVE source and once under kernel.org):
https://git.kernel.org/stable/c/22b87fb17a28d37331bb9c1110737627b17f6781
https://git.kernel.org/stable/c/3098b86390a6b9ea52657689f08410baf130ceff
https://git.kernel.org/stable/c/361ce3b917aff93123e9e966d8608655c967f438
https://git.kernel.org/stable/c/740621309b25bbf619b8a0ba5fd50a8e58989441
https://git.kernel.org/stable/c/7af299b97734c7e7f465b42a2139ce4d77246975
https://git.kernel.org/stable/c/bff1fbf0cf0712686f1df59a83fba6e31d2746a0
https://git.kernel.org/stable/c/da27a83fd6cc7780fea190e1f5c19e87019da65c
https://git.kernel.org/stable/c/ed0e2a893092c7fcb4ff7ba74e5efce53a6f5940
-
CVE Modified by af854a3a-2127-422b-91ae-364da2661108 (CISA-ADP)
Nov. 21, 2024
Added references:
https://git.kernel.org/stable/c/22b87fb17a28d37331bb9c1110737627b17f6781
https://git.kernel.org/stable/c/3098b86390a6b9ea52657689f08410baf130ceff
https://git.kernel.org/stable/c/361ce3b917aff93123e9e966d8608655c967f438
https://git.kernel.org/stable/c/740621309b25bbf619b8a0ba5fd50a8e58989441
https://git.kernel.org/stable/c/7af299b97734c7e7f465b42a2139ce4d77246975
https://git.kernel.org/stable/c/bff1fbf0cf0712686f1df59a83fba6e31d2746a0
https://git.kernel.org/stable/c/da27a83fd6cc7780fea190e1f5c19e87019da65c
https://git.kernel.org/stable/c/ed0e2a893092c7fcb4ff7ba74e5efce53a6f5940
-
CVE Modified by 416baaa9-dc9f-4396-8d5f-8c081fb06d67 (Linux kernel CNA)
May. 28, 2024
No field changes recorded.
-
CVE Received by 416baaa9-dc9f-4396-8d5f-8c081fb06d67 (Linux kernel CNA)
May. 21, 2024
Added description: the text reproduced in the Description section above.
Added references (kernel.org, no types assigned):
https://git.kernel.org/stable/c/3098b86390a6b9ea52657689f08410baf130ceff
https://git.kernel.org/stable/c/740621309b25bbf619b8a0ba5fd50a8e58989441
https://git.kernel.org/stable/c/361ce3b917aff93123e9e966d8608655c967f438
https://git.kernel.org/stable/c/22b87fb17a28d37331bb9c1110737627b17f6781
https://git.kernel.org/stable/c/bff1fbf0cf0712686f1df59a83fba6e31d2746a0
https://git.kernel.org/stable/c/7af299b97734c7e7f465b42a2139ce4d77246975
https://git.kernel.org/stable/c/ed0e2a893092c7fcb4ff7ba74e5efce53a6f5940
https://git.kernel.org/stable/c/da27a83fd6cc7780fea190e1f5c19e87019da65c
CWE - Common Weakness Enumeration
While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2021-47277 is associated with the following CWE:
CWE-125: Out-of-bounds Read. The speculatively computed host virtual address lies outside the memslot's mapping, and a load through it is the first half of the data-dependent two-read gadget described above.