
Cloud Vulnerability DB
A community-led vulnerabilities database
A flaw was discovered in KVM's AMD code for supporting SVM nested virtualization (CVE-2021-3653). The vulnerability was identified in the processing of the VMCB (virtual machine control block) provided by the L1 guest to spawn/handle a nested guest (L2). Due to improper validation of the `int_ctl` field, this issue could allow a malicious L1 to enable AVIC support (Advanced Virtual Interrupt Controller) for the L2 guest. The vulnerability affects Linux kernel versions prior to 5.14-rc7 and dates back to kernel 2.6.30 (OpenWall List, [RedHat Bugzilla](https://bugzilla.redhat.com/show_bug.cgi?id=1983686)).
The vulnerability stems from missing validation of the `int_ctl` VMCB field in KVM's AMD (SVM) code. AVIC is currently not supported with nesting and is not advertised in the L1 CPUID, so a well-behaved L1 would never set it; the bits nevertheless passed through unchecked. The issue was initially introduced via commit 3d6368ef580a in kernel 2.6.30. The vulnerability has been assigned a CVSS 3 Severity Score of 8.8 (High) (Ubuntu Security).
As a result of this vulnerability, the L2 guest would be allowed to read/write physical pages of the host, potentially leading to a crash of the entire system, leak of sensitive data, or potential guest-to-host escape (OpenWall List).
The vulnerability can be mitigated by disabling nested virtualization when loading the KVM AMD module, using the module parameter `nested=0`: `modprobe kvm_amd nested=0`. The issue has been fixed in Linux kernel version 5.14-rc7 by commit 0f923e07124df069ba68d8bb12324398f4b6b709 (OpenWall List).
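The following is an added illustration of the bug class behind this CVE, not code from the Linux kernel or the fixing commit: a guest-controlled control field merged with a deny-list lets any unlisted bit (here `AVIC_ENABLE`) through, whereas an allow-list of the bits L1 may set does not. The two `merge_int_ctl_*` functions are simplified models written for this example; the bit positions follow the AMD SVM `int_ctl` VMCB field layout as named in Linux's `asm/svm.h`, and the input values are constructed.

```c
/* Added illustration (simplified model, not kernel code) of how a
 * deny-list merge of a guest-supplied VMCB field leaks unsupported
 * bits, and how an allow-list merge does not. */
#include <stdint.h>
#include <stdio.h>

/* int_ctl bit positions (AMD SVM VMCB, as named in Linux asm/svm.h). */
#define V_TPR_MASK          0x0fu          /* bits 3:0   virtual TPR        */
#define V_IRQ_MASK          (1u << 8)      /* virtual interrupt pending     */
#define V_INTR_PRIO_MASK    (0x0fu << 16)  /* bits 19:16 interrupt priority */
#define V_INTR_MASKING_MASK (1u << 24)     /* owned by the host (vmcb01)    */
#define V_GIF_ENABLE_MASK   (1u << 25)     /* owned by the host (vmcb01)    */
#define AVIC_ENABLE_MASK    (1u << 31)     /* AVIC: unsupported with nesting */

/* Bits always taken from the host's own control block (vmcb01). */
#define HOST_OWNED_MASK (V_INTR_MASKING_MASK | V_GIF_ENABLE_MASK)

/* Bits the L1 guest is legitimately allowed to program for L2. */
#define L1_ALLOWED_MASK (V_TPR_MASK | V_IRQ_MASK | V_INTR_PRIO_MASK)

/* Vulnerable pattern: everything from the L1-supplied vmcb12 except a
 * deny-list. Any bit not on the list, including AVIC_ENABLE, is kept. */
uint32_t merge_int_ctl_vulnerable(uint32_t vmcb12_int_ctl, uint32_t vmcb01_int_ctl)
{
    return (vmcb12_int_ctl & ~HOST_OWNED_MASK) | (vmcb01_int_ctl & HOST_OWNED_MASK);
}

/* Fixed pattern: copy only the explicit allow-list from vmcb12. */
uint32_t merge_int_ctl_fixed(uint32_t vmcb12_int_ctl, uint32_t vmcb01_int_ctl)
{
    return (vmcb12_int_ctl & L1_ALLOWED_MASK) | (vmcb01_int_ctl & HOST_OWNED_MASK);
}

int main(void)
{
    /* Constructed L1 input: a legitimate V_IRQ plus the AVIC_ENABLE bit. */
    uint32_t vmcb12 = V_IRQ_MASK | AVIC_ENABLE_MASK;
    uint32_t vmcb01 = V_INTR_MASKING_MASK;

    printf("vulnerable merge: 0x%08x (AVIC %s)\n",
           merge_int_ctl_vulnerable(vmcb12, vmcb01),
           (merge_int_ctl_vulnerable(vmcb12, vmcb01) & AVIC_ENABLE_MASK) ? "set" : "clear");
    printf("fixed merge:      0x%08x (AVIC %s)\n",
           merge_int_ctl_fixed(vmcb12, vmcb01),
           (merge_int_ctl_fixed(vmcb12, vmcb01) & AVIC_ENABLE_MASK) ? "set" : "clear");
    return 0;
}
```

The same allow-list discipline applies to any field a less privileged layer hands to a more privileged one: enumerate what is permitted rather than what is forbidden.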
Source: This report was generated using AI