CVE-2021-47062

KVM: SVM: Use online_vcpus, not created_vcpus, to iterate over vCPUs

Description

In the Linux kernel, the following vulnerability has been resolved: KVM: SVM: Use online_vcpus, not created_vcpus, to iterate over vCPUs Use the kvm_for_each_vcpu() helper to iterate over vCPUs when encrypting VMSAs for SEV, which effectively switches to use online_vcpus instead of created_vcpus. This fixes a possible null-pointer dereference as created_vcpus does not guarantee a vCPU exists, since it is updated at the very beginning of KVM_CREATE_VCPU. created_vcpus exists to allow the bulk of vCPU creation to run in parallel, while still correctly restricting the max number of max vCPUs.

Category

5.5
CVSS
Severity: Medium
CVSS 3.1 •
EPSS 0.02%
Affected: Linux Linux
Affected: Linux Linux
Published at:
Updated at:

References

Link Tags
https://git.kernel.org/stable/c/bd0cced2ae93195668f983d443f7f17e8efd24d2 patch
https://git.kernel.org/stable/c/ba7bf5d6336aa9c0d977b161bfa420c56d46ee40 patch
https://git.kernel.org/stable/c/c36b16d29f3af5f32fc1b2a3401bf48f71cabee1 patch

Frequently Asked Questions

What is the severity of CVE-2021-47062?
CVE-2021-47062 has been scored as a medium severity vulnerability.
How to fix CVE-2021-47062?
To fix CVE-2021-47062, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2021-47062 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2021-47062 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2021-47062?
CVE-2021-47062 affects Linux Linux, Linux Linux.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.