{ "dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": { "cveId": "CVE-2021-47639", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-02-26T01:48:21.519Z", "datePublished": "2025-02-26T01:54:11.651Z", "dateUpdated": "2026-05-11T13:58:17.222Z" }, "containers": { "cna": { "providerMetadata": { "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T13:58:17.222Z" }, "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86/mmu: Zap _all_ roots when unmapping gfn range in TDP MMU\n\nZap both valid and invalid roots when zapping/unmapping a gfn range, as\nKVM must ensure it holds no references to the freed page after returning\nfrom the unmap operation. Most notably, the TDP MMU doesn't zap invalid\nroots in mmu_notifier callbacks. This leads to use-after-free and other\nissues if the mmu_notifier runs to completion while an invalid root\nzapper yields as KVM fails to honor the requirement that there must be\n_no_ references to the page after the mmu_notifier returns.\n\nThe bug is most easily reproduced by hacking KVM to cause a collision\nbetween set_nx_huge_pages() and kvm_mmu_notifier_release(), but the bug\nexists between kvm_mmu_notifier_invalidate_range_start() and memslot\nupdates as well. Invalidating a root ensures pages aren't accessible by\nthe guest, and KVM won't read or write page data itself, but KVM will\ntrigger e.g. kvm_set_pfn_dirty() when zapping SPTEs, and thus completing\na zap of an invalid root _after_ the mmu_notifier returns is fatal.\n\n WARNING: CPU: 24 PID: 1496 at arch/x86/kvm/../../../virt/kvm/kvm_main.c:173 [kvm]\n RIP: 0010:kvm_is_zone_device_pfn+0x96/0xa0 [kvm]\n Call Trace:\n \n kvm_set_pfn_dirty+0xa8/0xe0 [kvm]\n __handle_changed_spte+0x2ab/0x5e0 [kvm]\n __handle_changed_spte+0x2ab/0x5e0 [kvm]\n __handle_changed_spte+0x2ab/0x5e0 [kvm]\n zap_gfn_range+0x1f3/0x310 [kvm]\n kvm_tdp_mmu_zap_invalidated_roots+0x50/0x90 [kvm]\n kvm_mmu_zap_all_fast+0x177/0x1a0 [kvm]\n set_nx_huge_pages+0xb4/0x190 [kvm]\n param_attr_store+0x70/0x100\n module_attr_store+0x19/0x30\n kernfs_fop_write_iter+0x119/0x1b0\n new_sync_write+0x11c/0x1b0\n vfs_write+0x1cc/0x270\n ksys_write+0x5f/0xe0\n do_syscall_64+0x38/0xc0\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n " } ], "affected": [ { "product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": [ "arch/x86/kvm/mmu/tdp_mmu.c" ], "versions": [ { "version": "b7cccd397f310739fb85383033e95580f99927e0", "lessThan": "af47248407c0c5ae52a752af1ab5ce5b0db91502", "status": "affected", "versionType": "git" }, { "version": "b7cccd397f310739fb85383033e95580f99927e0", "lessThan": "0c8a8da182d4333d9bbb9131d765145568c847b2", "status": "affected", "versionType": "git" }, { "version": "b7cccd397f310739fb85383033e95580f99927e0", "lessThan": "8cf6f98ab1d16d5e607635a0c21c4231eb15367e", "status": "affected", "versionType": "git" }, { "version": "b7cccd397f310739fb85383033e95580f99927e0", "lessThan": "d62007edf01f5c11f75d0f4b1e538fc52a5b1982", "status": "affected", "versionType": "git" } ] }, { "product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": [ "arch/x86/kvm/mmu/tdp_mmu.c" ], "versions": [ { "version": "5.13", "status": "affected" }, { "version": "0", "lessThan": "5.13", "status": "unaffected", "versionType": "semver" }, { "version": "5.15.33", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver" }, { "version": "5.16.19", "lessThanOrEqual": "5.16.*", "status": "unaffected", "versionType": "semver" }, { "version": "5.17.2", "lessThanOrEqual": "5.17.*", "status": "unaffected", "versionType": "semver" }, { "version": "5.18", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "operator": "OR", "negate": false, "cpeMatch": [ { "vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.13", "versionEndExcluding": "5.15.33" }, { "vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.13", "versionEndExcluding": "5.16.19" }, { "vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.13", "versionEndExcluding": "5.17.2" }, { "vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.13", "versionEndExcluding": "5.18" } ] } ] } ], "references": [ { "url": "https://git.kernel.org/stable/c/af47248407c0c5ae52a752af1ab5ce5b0db91502" }, { "url": "https://git.kernel.org/stable/c/0c8a8da182d4333d9bbb9131d765145568c847b2" }, { "url": "https://git.kernel.org/stable/c/8cf6f98ab1d16d5e607635a0c21c4231eb15367e" }, { "url": "https://git.kernel.org/stable/c/d62007edf01f5c11f75d0f4b1e538fc52a5b1982" } ], "title": "KVM: x86/mmu: Zap _all_ roots when unmapping gfn range in TDP MMU", "x_generator": { "engine": "bippy-1.2.0" } }, "adp": [ { "metrics": [ { "cvssV3_1": { "scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH" } }, { "other": { "type": "ssvc", "content": { "id": "CVE-2021-47639", "role": "CISA Coordinator", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "version": "2.0.3", "timestamp": "2025-02-27T18:17:52.744634Z" } } } ], "problemTypes": [ { "descriptions": [ { "lang": "en", "type": "CWE", "cweId": "CWE-416", "description": "CWE-416 Use After Free" } ] } ], "title": "CISA ADP Vulnrichment", "providerMetadata": { "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-27T18:22:35.903Z" } } ] } }