Auth bypass in Linux Linux_kernel
CVE-2021-3656
A flaw was found in the KVM's AMD code for supporting SVM nested virtualization. The flaw occurs when processing the VMCB (virtual machine control block) provided by the L1 guest to spawn/handle a nested guest (L2). Due to improper validat…
Vulnerability class: Broken Access Control
EPSS: 0.007 (46.6th percentile).
CVSS v3 metric
CVSS v3 base score 8.8 (High). Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H.
Affected products
- Linux Linux_kernel — versions 5.14
- Fedoraproject Fedora — versions 33, 34
- Redhat 3scale_api_management — versions 2.0
- Redhat Codeready_linux_builder
- Redhat Enterprise_linux — versions 8.0, 7.0
- Redhat Enterprise_linux_desktop — versions 7.0
- Redhat Enterprise_linux_eus — versions 8.1, 8.2, 8.4
- Redhat Enterprise_linux_for_ibm_z_systems — versions 7.0, 8.0
- Redhat Enterprise_linux_for_ibm_z_systems_eus — versions 8.1, 8.2, 8.4
- Redhat Enterprise_linux_for_power_big_endian — versions 7.0
Weakness classification (CWE)
Public proof-of-concept exploits
References
- secalert@redhat.com (Mailing List, Third Party Advisory, x_refsource_MISC)
- secalert@redhat.com (Patch, Third Party Advisory, x_refsource_MISC)
- secalert@redhat.com (Patch, Third Party Advisory, x_refsource_MISC)
- secalert@redhat.com (Third Party Advisory, x_refsource_MISC, Issue Tracking)
Frequently asked questions
- What is CVE-2021-3656?
- CVE-2021-3656 is a high-severity vulnerability in Linux Linux_kernel, classified under Missing Authorization. CVSS score: 8.8/10. Published 2022-03-04.
- How severe is CVE-2021-3656?
- High severity. CVSS v3 base score is 8.8 out of 10.
- Is CVE-2021-3656 known to be exploited?
- 3 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.