CVE-2021-46921: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: locking/qrwlock: Fix ordering in queued_write_lock_slowpath() While this code is executed with the wait_lock held, a reader can acquire the lock without holding wait_lock. The writer side loops checking the value with the atomic_cond_read_acquire(), but only truly acquires the lock when the compare-and-exchange is completed successfully which isn’t ordered. This exposes the window between the acquire and the cmpxchg to an A-B-A problem which allows reads following the lock acquisition to observe values speculatively before the write lock is truly acquired. We've seen a problem in epoll where the reader does a xchg while holding the read lock, but the writer can see a value change out from under it. Writer | Reader -------------------------------------------------------------------------------- ep_scan_ready_list() | |- write_lock_irq() | |- queued_write_lock_slowpath() | |- atomic_cond_read_acquire() | | read_lock_irqsave(&ep->lock, flags); --> (observes value before unlock) | chain_epi_lockless() | | epi->next = xchg(&ep->ovflist, epi); | | read_unlock_irqrestore(&ep->lock, flags); | | | atomic_cmpxchg_relaxed() | |-- READ_ONCE(ep->ovflist); | A core can order the read of the ovflist ahead of the atomic_cmpxchg_relaxed(). Switching the cmpxchg to use acquire semantics addresses this issue at which point the atomic_cond_read can be switched to use relaxed semantics. [peterz: use try_cmpxchg()]
AI Analysis
Technical Summary
CVE-2021-46921 is a concurrency vulnerability in the Linux kernel's locking mechanism, specifically within the queued_write_lock_slowpath() function of the queued read-write lock (qrwlock) implementation. The flaw arises due to improper ordering of atomic operations during lock acquisition. While the writer thread holds a wait_lock and attempts to acquire the write lock, it uses atomic_cond_read_acquire() followed by an atomic compare-and-exchange (cmpxchg) operation. However, the cmpxchg operation lacks proper acquire semantics, which can cause a speculative read by a concurrent reader thread to observe stale or inconsistent data before the write lock is fully acquired. This leads to an A-B-A problem where the reader sees intermediate states that should be protected by the lock. The vulnerability is exemplified in the epoll subsystem, where a reader performing an atomic exchange (xchg) under a read lock can observe changes that the writer has not yet fully committed, potentially causing data races or inconsistent state observations. The fix involves switching the cmpxchg to use acquire semantics and relaxing the atomic_cond_read to use relaxed semantics, ensuring proper memory ordering and eliminating the speculative read window. This vulnerability affects Linux kernel versions identified by the commit hash b519b56e378ee82caf9b079b04f5db87dedc3251 and similar versions prior to the patch. No known exploits are reported in the wild as of the publication date (February 27, 2024).
Potential Impact
For European organizations, this vulnerability poses a risk primarily to systems running vulnerable Linux kernel versions, especially those using epoll for event notification in multi-threaded or multi-core environments. Potential impacts include data corruption, race conditions, or inconsistent application behavior due to improper synchronization. While the vulnerability does not directly enable privilege escalation or remote code execution, it undermines the integrity of kernel-level synchronization primitives, which could be leveraged in complex attack chains or cause system instability. Critical infrastructure, cloud service providers, and enterprises relying on Linux-based servers or embedded systems could experience degraded reliability or subtle data integrity issues. Given the widespread use of Linux in European data centers, telecommunications, and industrial control systems, the vulnerability could affect a broad range of sectors. However, the absence of known exploits and the requirement for specific kernel versions and conditions limit immediate exploitation risk. Nonetheless, unpatched systems remain vulnerable to potential future exploit development.
Mitigation Recommendations
European organizations should prioritize updating Linux kernel versions to those containing the patch that enforces acquire semantics on the cmpxchg operation within queued_write_lock_slowpath(). Specifically, kernel upgrades incorporating the fix identified by commit b519b56e378ee82caf9b079b04f5db87dedc3251 or later should be deployed promptly. For environments where immediate patching is not feasible, organizations should audit and monitor applications relying heavily on epoll and concurrent locking mechanisms for anomalous behavior or data inconsistencies. Employ kernel live patching solutions where available to minimize downtime. Additionally, rigorous testing of multi-threaded applications on updated kernels can help detect latent issues caused by the vulnerability. Security teams should maintain awareness of any emerging exploit reports and coordinate with Linux distribution vendors for timely security advisories. Finally, implementing strict change management and kernel version control policies will reduce exposure to unpatched vulnerable kernels.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland, Belgium
CVE-2021-46921: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: locking/qrwlock: Fix ordering in queued_write_lock_slowpath() While this code is executed with the wait_lock held, a reader can acquire the lock without holding wait_lock. The writer side loops checking the value with the atomic_cond_read_acquire(), but only truly acquires the lock when the compare-and-exchange is completed successfully which isn’t ordered. This exposes the window between the acquire and the cmpxchg to an A-B-A problem which allows reads following the lock acquisition to observe values speculatively before the write lock is truly acquired. We've seen a problem in epoll where the reader does a xchg while holding the read lock, but the writer can see a value change out from under it. Writer | Reader -------------------------------------------------------------------------------- ep_scan_ready_list() | |- write_lock_irq() | |- queued_write_lock_slowpath() | |- atomic_cond_read_acquire() | | read_lock_irqsave(&ep->lock, flags); --> (observes value before unlock) | chain_epi_lockless() | | epi->next = xchg(&ep->ovflist, epi); | | read_unlock_irqrestore(&ep->lock, flags); | | | atomic_cmpxchg_relaxed() | |-- READ_ONCE(ep->ovflist); | A core can order the read of the ovflist ahead of the atomic_cmpxchg_relaxed(). Switching the cmpxchg to use acquire semantics addresses this issue at which point the atomic_cond_read can be switched to use relaxed semantics. [peterz: use try_cmpxchg()]
AI-Powered Analysis
Technical Analysis
CVE-2021-46921 is a concurrency vulnerability in the Linux kernel's locking mechanism, specifically within the queued_write_lock_slowpath() function of the queued read-write lock (qrwlock) implementation. The flaw arises due to improper ordering of atomic operations during lock acquisition. While the writer thread holds a wait_lock and attempts to acquire the write lock, it uses atomic_cond_read_acquire() followed by an atomic compare-and-exchange (cmpxchg) operation. However, the cmpxchg operation lacks proper acquire semantics, which can cause a speculative read by a concurrent reader thread to observe stale or inconsistent data before the write lock is fully acquired. This leads to an A-B-A problem where the reader sees intermediate states that should be protected by the lock. The vulnerability is exemplified in the epoll subsystem, where a reader performing an atomic exchange (xchg) under a read lock can observe changes that the writer has not yet fully committed, potentially causing data races or inconsistent state observations. The fix involves switching the cmpxchg to use acquire semantics and relaxing the atomic_cond_read to use relaxed semantics, ensuring proper memory ordering and eliminating the speculative read window. This vulnerability affects Linux kernel versions identified by the commit hash b519b56e378ee82caf9b079b04f5db87dedc3251 and similar versions prior to the patch. No known exploits are reported in the wild as of the publication date (February 27, 2024).
Potential Impact
For European organizations, this vulnerability poses a risk primarily to systems running vulnerable Linux kernel versions, especially those using epoll for event notification in multi-threaded or multi-core environments. Potential impacts include data corruption, race conditions, or inconsistent application behavior due to improper synchronization. While the vulnerability does not directly enable privilege escalation or remote code execution, it undermines the integrity of kernel-level synchronization primitives, which could be leveraged in complex attack chains or cause system instability. Critical infrastructure, cloud service providers, and enterprises relying on Linux-based servers or embedded systems could experience degraded reliability or subtle data integrity issues. Given the widespread use of Linux in European data centers, telecommunications, and industrial control systems, the vulnerability could affect a broad range of sectors. However, the absence of known exploits and the requirement for specific kernel versions and conditions limit immediate exploitation risk. Nonetheless, unpatched systems remain vulnerable to potential future exploit development.
Mitigation Recommendations
European organizations should prioritize updating Linux kernel versions to those containing the patch that enforces acquire semantics on the cmpxchg operation within queued_write_lock_slowpath(). Specifically, kernel upgrades incorporating the fix identified by commit b519b56e378ee82caf9b079b04f5db87dedc3251 or later should be deployed promptly. For environments where immediate patching is not feasible, organizations should audit and monitor applications relying heavily on epoll and concurrent locking mechanisms for anomalous behavior or data inconsistencies. Employ kernel live patching solutions where available to minimize downtime. Additionally, rigorous testing of multi-threaded applications on updated kernels can help detect latent issues caused by the vulnerability. Security teams should maintain awareness of any emerging exploit reports and coordinate with Linux distribution vendors for timely security advisories. Finally, implementing strict change management and kernel version control policies will reduce exposure to unpatched vulnerable kernels.
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2024-02-25T13:45:52.719Z
- Cisa Enriched
- true
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 682d9835c4522896dcbea6ba
Added to database: 5/21/2025, 9:09:09 AM
Last enriched: 6/26/2025, 9:53:13 AM
Last updated: 8/11/2025, 8:20:54 AM
Views: 12
Related Threats
CVE-2025-9091: Hard-coded Credentials in Tenda AC20
LowCVE-2025-9090: Command Injection in Tenda AC20
MediumCVE-2025-9092: CWE-400 Uncontrolled Resource Consumption in Legion of the Bouncy Castle Inc. Bouncy Castle for Java - BC-FJA 2.1.0
LowCVE-2025-9089: Stack-based Buffer Overflow in Tenda AC20
HighCVE-2025-9088: Stack-based Buffer Overflow in Tenda AC20
HighActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.