{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-06T03:22:22.759","vulnerabilities":[{"cve":{"id":"CVE-2021-46978","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2024-02-28T09:15:37.183","lastModified":"2025-03-14T18:45:27.233","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: nVMX: Always make an attempt to map eVMCS after migration\n\nWhen enlightened VMCS is in use and nested state is migrated with\nvmx_get_nested_state()/vmx_set_nested_state() KVM can't map evmcs\npage right away: evmcs gpa is not 'struct kvm_vmx_nested_state_hdr'\nand we can't read it from VP assist page because userspace may decide\nto restore HV_X64_MSR_VP_ASSIST_PAGE after restoring nested state\n(and QEMU, for example, does exactly that). To make sure eVMCS is\nmapped /vmx_set_nested_state() raises KVM_REQ_GET_NESTED_STATE_PAGES\nrequest.\n\nCommit f2c7ef3ba955 (\"KVM: nSVM: cancel KVM_REQ_GET_NESTED_STATE_PAGES\non nested vmexit\") added KVM_REQ_GET_NESTED_STATE_PAGES clearing to\nnested_vmx_vmexit() to make sure MSR permission bitmap is not switched\nwhen an immediate exit from L2 to L1 happens right after migration (caused\nby a pending event, for example). Unfortunately, in the exact same\nsituation we still need to have eVMCS mapped so\nnested_sync_vmcs12_to_shadow() reflects changes in VMCS12 to eVMCS.\n\nAs a band-aid, restore nested_get_evmcs_page() when clearing\nKVM_REQ_GET_NESTED_STATE_PAGES in nested_vmx_vmexit(). The 'fix' is far\nfrom being ideal as we can't easily propagate possible failures and even if\nwe could, this is most likely already too late to do so. The whole\n'KVM_REQ_GET_NESTED_STATE_PAGES' idea for mapping eVMCS after migration\nseems to be fragile as we diverge too much from the 'native' path when\nvmptr loading happens on vmx_set_nested_state()."},{"lang":"es","value":"En el kernel de Linux, se resolvió la siguiente vulnerabilidad: KVM: nVMX: siempre intente asignar eVMCS después de la migración Cuando se utiliza VMCS iluminado y el estado anidado se migra con vmx_get_nested_state()/vmx_set_nested_state() KVM no puede asignar evmcs página de inmediato: evmcs gpa no es 'struct kvm_vmx_nested_state_hdr' y no podemos leerlo desde la página de asistencia de VP porque el espacio de usuario puede decidir restaurar HV_X64_MSR_VP_ASSIST_PAGE después de restaurar el estado anidado (y QEMU, por ejemplo, hace exactamente eso). Para asegurarse de que eVMCS esté asignado, /vmx_set_nested_state() genera la solicitud KVM_REQ_GET_NESTED_STATE_PAGES. el commit f2c7ef3ba955 (\"KVM: nSVM: cancelar KVM_REQ_GET_NESTED_STATE_PAGES en vmexit anidado\") agregó la limpieza KVM_REQ_GET_NESTED_STATE_PAGES a nested_vmx_vmexit() para asegurarse de que el mapa de bits del permiso MSR no se cambie cuando ocurre una salida inmediata de L2 a L1 justo después de la migración (causada por un evento pendiente, Por ejemplo). Desafortunadamente, en exactamente la misma situación todavía necesitamos tener eVMCS mapeado para que nested_sync_vmcs12_to_shadow() refleje los cambios en VMCS12 a eVMCS. Como curita, restaure nested_get_evmcs_page() al borrar KVM_REQ_GET_NESTED_STATE_PAGES en nested_vmx_vmexit(). La \"solución\" está lejos de ser ideal, ya que no podemos propagar fácilmente posibles fallas e incluso si pudiéramos, lo más probable es que ya sea demasiado tarde para hacerlo. Toda la idea 'KVM_REQ_GET_NESTED_STATE_PAGES' para mapear eVMCS después de la migración parece ser frágil ya que nos desviamos demasiado de la ruta 'nativa' cuando la carga de vmptr ocurre en vmx_set_nested_state()."}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.10.13","versionEndExcluding":"5.10.38","matchCriteriaId":"83890D4F-3082-4BD8-BA7F-790C0CF89417"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.11","versionEndExcluding":"5.11.22","matchCriteriaId":"83B53E9A-F426-4C03-9A5F-A931FF79827E"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.12","versionEndExcluding":"5.12.5","matchCriteriaId":"0274929A-B36C-4F4C-AB22-30A0DD6B995B"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:5.13:rc1:*:*:*:*:*:*","matchCriteriaId":"0CBAD0FC-C281-4666-AB2F-F8E6E1165DF7"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/200a45649ab7361bc80c70aebf7165b64f9a6c9f","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/bd0e8455b85b651a4c77de9616e307129b15aaa7","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/c8bf64e3fb77cc19bad146fbe26651985b117194","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/f5c7e8425f18fdb9bdb7d13340651d7876890329","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/200a45649ab7361bc80c70aebf7165b64f9a6c9f","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/bd0e8455b85b651a4c77de9616e307129b15aaa7","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/c8bf64e3fb77cc19bad146fbe26651985b117194","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/f5c7e8425f18fdb9bdb7d13340651d7876890329","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"]}]}}]}