CVE-2021-36144

Vulnerability

A use-after-free vulnerability exists in the polling timer handler for virtio devices in ACRN before version 2.5. The flaw resides in devicemodel/hw/pci/virtio/*.c. When virtio polling mode is enabled, a timer runs in the virtio backend service. If the frontend driver does not perform a device reset during shutdown, the timer may still fire after the virtio device has been freed, leading to access of freed memory [1].

Exploitation

An attacker with control over a guest VM can trigger the vulnerability by enabling virtio polling mode and then shutting down the VM without performing a device reset. This causes the polling timer to fire after the virtio device has been freed, resulting in a use-after-free condition [1].

Impact

Successful exploitation of the use-after-free can lead to a denial of service (crash) or potentially arbitrary code execution within the hypervisor context, depending on the attacker's ability to control the freed memory. The exact impact is limited by the attacker's ability to manipulate the heap state [1].

Mitigation

The vulnerability is fixed in ACRN version 2.5. The fix involves calling the virtio reset() callback to clear the polling timer before freeing the device [1]. No workarounds are documented, and the issue is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.