USN-5071-1

Advisory lineage Upstream: 10 Downstream: 0
Published: 08 Sept 2021, 23:41
Last modified:03 Jun 2026, 13:34

Vulnerability Summary

Overall Risk (default)
minimal
0/100
CVSS Score
No data
EPSS Score
No data
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

08 Sept 2021, 23:41
Published
Vulnerability first disclosed
03 Jun 2026, 13:34
Last Modified
Vulnerability information updated

Description

linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-gke, linux-gke-5.4, linux-gkeop, linux-gkeop-5.4, linux-kvm, linux-oracle, linux-oracle-5.4 vulnerabilities Maxim Levitsky and Paolo Bonzini discovered that the KVM hypervisor implementation for AMD processors in the Linux kernel allowed a guest VM to disable restrictions on VMLOAD/VMSAVE in a nested guest. An attacker in a guest VM could use this to read or write portions of the host's physical memory. (CVE-2021-3656) Maxim Levitsky discovered that the KVM hypervisor implementation for AMD processors in the Linux kernel did not properly prevent a guest VM from enabling AVIC in nested guest VMs. An attacker in a guest VM could use this to write to portions of the host's physical memory. (CVE-2021-3653) It was discovered that the KVM hypervisor implementation for AMD processors in the Linux kernel did not ensure enough processing time was given to perform cleanups of large SEV VMs. A local attacker could use this to cause a denial of service (soft lockup). (CVE-2020-36311) It was discovered that the KVM hypervisor implementation in the Linux kernel did not properly perform reference counting in some situations, leading to a use-after-free vulnerability. An attacker who could start and control a VM could possibly use this to expose sensitive information or execute arbitrary code. (CVE-2021-22543) Murray McAllister discovered that the joystick device interface in the Linux kernel did not properly validate data passed via an ioctl(). A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code on systems with a joystick device registered. (CVE-2021-3612)

Affected Systems

  • ubuntulinux

    < 5.4.0-84.94

  • ubuntulinux-aws

    < 5.4.0-1056.59

  • ubuntulinux-aws-5.4

    < 5.4.0-1056.59~18.04.1

  • ubuntulinux-azure

    < 5.4.0-1058.60

  • ubuntulinux-azure-5.4

    < 5.4.0-1058.60~18.04.1

  • ubuntulinux-gcp

    < 5.4.0-1052.56

  • ubuntulinux-gcp-5.4

    < 5.4.0-1052.56~18.04.1

  • ubuntulinux-gke

    < 5.4.0-1052.55

  • ubuntulinux-gke-5.4

    < 5.4.0-1052.55~18.04.1

  • ubuntulinux-gkeop

    < 5.4.0-1023.24

  • ubuntulinux-gkeop-5.4

    < 5.4.0-1023.24~18.04.1

  • ubuntulinux-kvm

    < 5.4.0-1046.48

  • ubuntulinux-oracle

    < 5.4.0-1054.58

  • ubuntulinux-oracle-5.4

    < 5.4.0-1054.58~18.04.1

References (6)