CVE-2021-3656 [High] | Information Disclosure in Linux Kernel

A flaw was found in the KVM's AMD code for supporting SVM nested virtualization. The flaw occurs when processing the VMCB (virtual machine control block) provided by the L1 guest to spawn/handle a nested guest (L2). Due to improper validation of the "virt_ext" field, this issue could allow a malicious L1 to disable both VMLOAD/VMSAVE intercepts and VLS (Virtual VMLOAD/VMSAVE) for the L2 guest. As a result, the L2 guest would be allowed to read/write physical pages of the host, resulting in a crash of the entire system, leak of sensitive data or potential guest-to-host escape.

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2025-11-21	0.21%	0.06%	-0.15%
2	2025-11-18	0.05%	0.21%	+0.16%
3	2025-04-28	—	0.05%	—

Date

Old EPSS score

New EPSS score

Delta (New - Old)

2025-11-21

0.21%

0.06%

-0.15%

2025-11-18

0.05%

0.21%

+0.16%

2025-04-28

—

0.05%

—

Base score	Version	Severity	Vector	Exploitability	Impact	Score source
8.8	3.1	HIGH	`CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H` Click to expand Attack vector (AV:L) They already need access on the box, or another person has to do something wrong; it’s not a remote drive-by. Attack complexity (AC:L) Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup. Privileges required (PR:L) A normal user session is enough; they don’t have to be admin. User interaction (UI:N) Nobody has to click “OK” or open a trap file; it can work without a victim helping. Scope (S:C) Breaking this can reach past the original component and bite other resources—bigger blast radius. Confidentiality (C:H) Serious risk that confidential data gets exposed in a big way. Integrity (I:H) They could widely tamper with or forge data—trust in the data is badly hurt. Availability (A:H) Could take the service down hard or make it unusable for people who depend on it.	2.0	6.0	[email protected]
7.2	2.0	HIGH	`AV:L/AC:L/Au:N/C:C/I:C/A:C` Click to expand Access vector (AV:L) Requires local access to the target system. Access complexity (AC:L) Exploitation conditions are straightforward and predictable. Authentication (AU:N) No authentication is required. Confidentiality impact (C:C) Complete confidentiality impact. Integrity impact (I:C) Complete integrity impact. Availability impact (A:C) Complete availability impact.	3.9	10.0	[email protected]

Base score

Version

Severity

Vector

Exploitability

Impact

Score source

8.8

3.1

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H Click to expand

Attack vector (AV:L): They already need access on the box, or another person has to do something wrong; it’s not a remote drive-by.
Attack complexity (AC:L): Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:L): A normal user session is enough; they don’t have to be admin.
User interaction (UI:N): Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:C): Breaking this can reach past the original component and bite other resources—bigger blast radius.
Confidentiality (C:H): Serious risk that confidential data gets exposed in a big way.
Integrity (I:H): They could widely tamper with or forge data—trust in the data is badly hurt.
Availability (A:H): Could take the service down hard or make it unusable for people who depend on it.

2.0

6.0

[email protected]

7.2

2.0

HIGH

AV:L/AC:L/Au:N/C:C/I:C/A:C Click to expand

Access vector (AV:L): Requires local access to the target system.
Access complexity (AC:L): Exploitation conditions are straightforward and predictable.
Authentication (AU:N): No authentication is required.
Confidentiality impact (C:C): Complete confidentiality impact.
Integrity impact (I:C): Complete integrity impact.
Availability impact (A:C): Complete availability impact.

3.9

10.0

[email protected]

OS Trackers for CVE-2021-3656

vendor	priority	summary	link
`debian`	not yet assigned	CVE-2021-3656 not yet assigned priority: Debian including 1 source packages (linux), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5.	https://security-tracker.debian.org/tracker/CVE-2021-3656
`redhat`	medium	—	https://access.redhat.com/security/cve/CVE-2021-3656
`suse`	high	—	https://www.suse.com/security/cve/CVE-2021-3656/
`ubuntu`	high	CVE-2021-3656 high priority: Ubuntu including 168 source packages (linux, linux-allwinner, …), 2116 status rows across 15 suites (bionic, focal, hirsute, impish, jammy, kinetic, lunar, mantic, noble, oracular, plucky, questing, trusty, upstream, xenial): DNE 1640, not-affected 227, released 208, ignored 41.	https://ubuntu.com/security/CVE-2021-3656

Affected software / configurations for CVE-2021-3656

Vendor	Product	Version	Raw CPE
linux	linux_kernel	>= 4.13, < 4.14.245	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	>= 4.15, < 4.19.205	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	>= 4.20, < 5.4.142	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	>= 5.5, < 5.10.60	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	>= 5.11, < 5.13.12	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	5.14	cpe:2.3:o:linux:linux_kernel:5.14:-::::::
linux	linux_kernel	5.14	cpe:2.3:o:linux:linux_kernel:5.14:rc1::::::
linux	linux_kernel	5.14	cpe:2.3:o:linux:linux_kernel:5.14:rc2::::::
linux	linux_kernel	5.14	cpe:2.3:o:linux:linux_kernel:5.14:rc3::::::
linux	linux_kernel	5.14	cpe:2.3:o:linux:linux_kernel:5.14:rc4::::::
linux	linux_kernel	5.14	cpe:2.3:o:linux:linux_kernel:5.14:rc5::::::
linux	linux_kernel	5.14	cpe:2.3:o:linux:linux_kernel:5.14:rc6::::::
fedoraproject	fedora	33	cpe:2.3:o:fedoraproject:fedora:33:::::::*
fedoraproject	fedora	34	cpe:2.3:o:fedoraproject:fedora:34:::::::*
redhat	software_collections	—	cpe:2.3:a:redhat:software_collections:-:::::::*
redhat	openstack	13	cpe:2.3:a:redhat:openstack:13:::::::*
redhat	enterprise_linux	8.0	cpe:2.3:o:redhat:enterprise_linux:8.0:::::::*
redhat	enterprise_linux_desktop	7.0	cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:::::::*
redhat	enterprise_linux_eus	8.1	cpe:2.3:o:redhat:enterprise_linux_eus:8.1:::::::*
redhat	enterprise_linux_eus	8.2	cpe:2.3:o:redhat:enterprise_linux_eus:8.2:::::::*
redhat	enterprise_linux_eus	8.4	cpe:2.3:o:redhat:enterprise_linux_eus:8.4:::::::*
redhat	enterprise_linux_for_ibm_z_systems	7.0	cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:7.0:::::::*
redhat	enterprise_linux_for_ibm_z_systems	8.0	cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:8.0:::::::*
redhat	enterprise_linux_for_ibm_z_systems_eus	8.1	cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus:8.1:::::::*
redhat	enterprise_linux_for_ibm_z_systems_eus	8.2	cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus:8.2:::::::*
redhat	enterprise_linux_for_ibm_z_systems_eus	8.4	cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus:8.4:::::::*
redhat	enterprise_linux_for_power_big_endian	7.0	cpe:2.3:o:redhat:enterprise_linux_for_power_big_endian:7.0:::::::*
redhat	enterprise_linux_for_power_little_endian	7.0	cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian:7.0:::::::*
redhat	enterprise_linux_for_power_little_endian	8.0	cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian:8.0:::::::*
redhat	enterprise_linux_for_power_little_endian_eus	8.1	cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:8.1:::::::*
redhat	enterprise_linux_for_power_little_endian_eus	8.2	cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:8.2:::::::*
redhat	enterprise_linux_for_power_little_endian_eus	8.4	cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:8.4:::::::*
redhat	enterprise_linux_for_real_time	7	cpe:2.3:o:redhat:enterprise_linux_for_real_time:7:::::::*
redhat	enterprise_linux_for_real_time	8	cpe:2.3:o:redhat:enterprise_linux_for_real_time:8:::::::*
redhat	enterprise_linux_for_real_time_for_nfv	7	cpe:2.3:o:redhat:enterprise_linux_for_real_time_for_nfv:7:::::::*
redhat	enterprise_linux_for_real_time_for_nfv	8	cpe:2.3:o:redhat:enterprise_linux_for_real_time_for_nfv:8:::::::*
redhat	enterprise_linux_for_real_time_for_nfv_tus	8.2	cpe:2.3:o:redhat:enterprise_linux_for_real_time_for_nfv_tus:8.2:::::::*
redhat	enterprise_linux_for_real_time_for_nfv_tus	8.4	cpe:2.3:o:redhat:enterprise_linux_for_real_time_for_nfv_tus:8.4:::::::*
redhat	enterprise_linux_for_real_time_tus	8.2	cpe:2.3:o:redhat:enterprise_linux_for_real_time_tus:8.2:::::::*
redhat	enterprise_linux_for_real_time_tus	8.4	cpe:2.3:o:redhat:enterprise_linux_for_real_time_tus:8.4:::::::*
redhat	enterprise_linux_for_scientific_computing	7.0	cpe:2.3:o:redhat:enterprise_linux_for_scientific_computing:7.0:::::::*
redhat	enterprise_linux_server	7.0	cpe:2.3:o:redhat:enterprise_linux_server:7.0:::::::*
redhat	enterprise_linux_server_aus	7.6	cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6:::::::*
redhat	enterprise_linux_server_aus	7.7	cpe:2.3:o:redhat:enterprise_linux_server_aus:7.7:::::::*
redhat	enterprise_linux_server_aus	8.2	cpe:2.3:o:redhat:enterprise_linux_server_aus:8.2:::::::*
redhat	enterprise_linux_server_aus	8.4	cpe:2.3:o:redhat:enterprise_linux_server_aus:8.4:::::::*
redhat	enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions	7.6	cpe:2.3:o:redhat:enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions:7.6:::::::*
redhat	enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions	8.1	cpe:2.3:o:redhat:enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions:8.1:::::::*
redhat	enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions	8.2	cpe:2.3:o:redhat:enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions:8.2:::::::*
redhat	enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions	8.4	cpe:2.3:o:redhat:enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions:8.4:::::::*
redhat	enterprise_linux_server_tus	7.6	cpe:2.3:o:redhat:enterprise_linux_server_tus:7.6:::::::*
redhat	enterprise_linux_server_tus	7.7	cpe:2.3:o:redhat:enterprise_linux_server_tus:7.7:::::::*
redhat	enterprise_linux_server_tus	8.2	cpe:2.3:o:redhat:enterprise_linux_server_tus:8.2:::::::*
redhat	enterprise_linux_server_tus	8.4	cpe:2.3:o:redhat:enterprise_linux_server_tus:8.4:::::::*
redhat	enterprise_linux_server_update_services_for_sap_solutions	7.6	cpe:2.3:o:redhat:enterprise_linux_server_update_services_for_sap_solutions:7.6:::::::*
redhat	enterprise_linux_server_update_services_for_sap_solutions	7.7	cpe:2.3:o:redhat:enterprise_linux_server_update_services_for_sap_solutions:7.7:::::::*
redhat	enterprise_linux_server_update_services_for_sap_solutions	8.1	cpe:2.3:o:redhat:enterprise_linux_server_update_services_for_sap_solutions:8.1:::::::*
redhat	enterprise_linux_server_update_services_for_sap_solutions	8.2	cpe:2.3:o:redhat:enterprise_linux_server_update_services_for_sap_solutions:8.2:::::::*
redhat	enterprise_linux_server_update_services_for_sap_solutions	8.4	cpe:2.3:o:redhat:enterprise_linux_server_update_services_for_sap_solutions:8.4:::::::*
redhat	enterprise_linux_workstation	7.0	cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:::::::*
redhat	3scale_api_management	2.0	cpe:2.3:a:redhat:3scale_api_management:2.0:::::::*
redhat	codeready_linux_builder	—	cpe:2.3:a:redhat:codeready_linux_builder:-:::::::*
redhat	virtualization_host	4.0	cpe:2.3:a:redhat:virtualization_host:4.0:::::::*

References for CVE-2021-3656

URL	Tags
https://bugzilla.redhat.com/show_bug.cgi?id=1983988	Issue Tracking Third Party Advisory
https://git.kernel.org/pub/scm/virt/kvm/kvm.git/commit/?id=c7dfa4009965a9b2d7b329ee970eb8da0d32f0bc	Patch Third Party Advisory
https://github.com/torvalds/linux/commit/c7dfa4009965a9b2d7b329ee970eb8da0d32f0bc	Patch Third Party Advisory
https://www.openwall.com/lists/oss-security/2021/08/16/1	Mailing List Third Party Advisory

URL

CVE-2021-3656

Exploit prediction scoring system (EPSS) score for CVE-2021-3656

Common vulnerability scoring system (CVSS) metrics for CVE-2021-3656

Weakness enumeration for CVE-2021-3656

OS Trackers for CVE-2021-3656

Affected software / configurations for CVE-2021-3656

References for CVE-2021-3656