CVE-2021-46938: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved:

dm rq: fix double free of blk_mq_tag_set in dev remove after table load fails

When loading a device-mapper table for a request-based mapped device, and the allocation/initialization of the blk_mq_tag_set for the device fails, a following device remove will cause a double free.

E.g. (dmesg):

  device-mapper: core: Cannot initialize queue for request-based dm-mq mapped device
  device-mapper: ioctl: unable to set up device queue for new table.
  Unable to handle kernel pointer dereference in virtual kernel address space
  Failing address: 0305e098835de000 TEID: 0305e098835de803
  Fault in home space mode while using kernel ASCE.
  AS:000000025efe0007 R3:0000000000000024
  Oops: 0038 ilc:3 [#1] SMP
  Modules linked in: ... lots of modules ...
  Supported: Yes, External
  CPU: 0 PID: 7348 Comm: multipathd Kdump: loaded Tainted: G W X 5.3.18-53-default #1 SLE15-SP3
  Hardware name: IBM 8561 T01 7I2 (LPAR)
  Krnl PSW : 0704e00180000000 000000025e368eca (kfree+0x42/0x330)
             R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:2 PM:0 RI:0 EA:3
  Krnl GPRS: 000000000000004a 000000025efe5230 c1773200d779968d 0000000000000000
             000000025e520270 000000025e8d1b40 0000000000000003 00000007aae10000
             000000025e5202a2 0000000000000001 c1773200d779968d 0305e098835de640
             00000007a8170000 000003ff80138650 000000025e5202a2 000003e00396faa8
  Krnl Code: 000000025e368eb8: c4180041e100  lgrl   %r1,25eba50b8
             000000025e368ebe: ecba06b93a55  risbg  %r11,%r10,6,185,58
            #000000025e368ec4: e3b010000008  ag     %r11,0(%r1)
            >000000025e368eca: e310b0080004  lg     %r1,8(%r11)
             000000025e368ed0: a7110001      tmll   %r1,1
             000000025e368ed4: a7740129      brc    7,25e369126
             000000025e368ed8: e320b0080004  lg     %r2,8(%r11)
             000000025e368ede: b904001b      lgr    %r1,%r11
  Call Trace:
   [<000000025e368eca>] kfree+0x42/0x330
   [<000000025e5202a2>] blk_mq_free_tag_set+0x72/0xb8
   [<000003ff801316a8>] dm_mq_cleanup_mapped_device+0x38/0x50 [dm_mod]
   [<000003ff80120082>] free_dev+0x52/0xd0 [dm_mod]
   [<000003ff801233f0>] __dm_destroy+0x150/0x1d0 [dm_mod]
   [<000003ff8012bb9a>] dev_remove+0x162/0x1c0 [dm_mod]
   [<000003ff8012a988>] ctl_ioctl+0x198/0x478 [dm_mod]
   [<000003ff8012ac8a>] dm_ctl_ioctl+0x22/0x38 [dm_mod]
   [<000000025e3b11ee>] ksys_ioctl+0xbe/0xe0
   [<000000025e3b127a>] __s390x_sys_ioctl+0x2a/0x40
   [<000000025e8c15ac>] system_call+0xd8/0x2c8
  Last Breaking-Event-Address:
   [<000000025e52029c>] blk_mq_free_tag_set+0x6c/0xb8
  Kernel panic - not syncing: Fatal exception: panic_on_oops

When allocation/initialization of the blk_mq_tag_set fails in dm_mq_init_request_queue(), it is uninitialized/freed, but the pointer is not reset to NULL; so when dev_remove() later gets into dm_mq_cleanup_mapped_device() it sees the pointer and tries to uninitialize and free it again.

Fix this by setting the pointer to NULL in dm_mq_init_request_queue() error-handling. Also set it to NULL in dm_mq_cleanup_mapped_device().
AI Analysis
Technical Summary
CVE-2021-46938 is a vulnerability in the Linux kernel's device-mapper (dm) subsystem, specifically in how request-based mapped devices manage their blk_mq_tag_set. The flaw arises while a device-mapper table is being loaded: if allocation or initialization of the blk_mq_tag_set fails, the error path frees the tag set but leaves the stale pointer in the mapped device instead of resetting it to NULL. When the device is later removed, the cleanup function sees a non-NULL pointer and frees the same object again, a double free. The double free corrupts kernel memory and can end in a kernel oops and panic, as the log in the description shows: the crash occurs in kfree() called from blk_mq_free_tag_set() under dm_mq_cleanup_mapped_device(), reached from dev_remove() via free_dev(). The root cause is error handling in dm_mq_init_request_queue() that does not clear the pointer, combined with dm_mq_cleanup_mapped_device() trusting any non-NULL pointer; the fix sets the pointer to NULL in both places. Affected are kernel versions that contain the device-mapper code prior to the fix, on systems using request-based device-mapper tables, which are common in multipath I/O configurations and other storage virtualization setups. Triggering the bug requires no user interaction, but it does require the ability to load and remove device-mapper tables, which normally requires administrative privileges. No exploits in the wild are known at this time.
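The following user-space model is an added illustration of the failure sequence described above; it is not code from the kernel or from this advisory. The struct and function names mirror the kernel symbols named in the commit message (mapped_device, blk_mq_tag_set, dm_mq_init_request_queue(), dm_mq_cleanup_mapped_device()) but carry a model_ prefix, and their bodies are simplified stand-ins. A counter records how many times the tag set is freed, so the double free shows up as a number rather than as a crash, and a `fixed` flag switches between the error path that leaves the stale pointer and the corrected one that resets it to NULL.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for the kernel's struct blk_mq_tag_set (constructed for this model). */
struct blk_mq_tag_set {
    int queue_depth;
    int nr_hw_queues;
};

/* Minimal stand-in for struct mapped_device: the tag_set pointer plus a
 * counter that lets the caller observe how many times it was freed. */
struct mapped_device {
    struct blk_mq_tag_set *tag_set;
    int tag_set_frees;
};

/* Models blk_mq_alloc_tag_set(): 'fail' selects the error path behind the
 * "Cannot initialize queue for request-based dm-mq mapped device" message. */
static int model_blk_mq_alloc_tag_set(struct blk_mq_tag_set *set, int fail)
{
    if (fail)
        return -ENOMEM;
    set->nr_hw_queues = 1;
    return 0;
}

/* Models kfree(md->tag_set). A second free of the same object is counted
 * but not performed, so the model reports the bug instead of aborting
 * under the C library's double-free detection. */
static void model_kfree_tag_set(struct mapped_device *md)
{
    md->tag_set_frees++;
    if (md->tag_set_frees == 1)
        free(md->tag_set);
}

/* Models dm_mq_init_request_queue(). With fixed == 0 the error path frees
 * the tag set but leaves the dangling pointer behind (the bug); with
 * fixed == 1 it also resets the pointer to NULL (the fix). */
static int model_dm_mq_init_request_queue(struct mapped_device *md,
                                          int alloc_fails, int fixed)
{
    int err;

    md->tag_set = calloc(1, sizeof(*md->tag_set));
    if (!md->tag_set)
        return -ENOMEM;
    md->tag_set->queue_depth = 2048;   /* arbitrary constructed value */

    err = model_blk_mq_alloc_tag_set(md->tag_set, alloc_fails);
    if (err)
        goto out_kfree_tag_set;
    return 0;

out_kfree_tag_set:
    model_kfree_tag_set(md);
    if (fixed)
        md->tag_set = NULL;   /* the pointer reset the advisory describes */
    return err;
}

/* Models dm_mq_cleanup_mapped_device(), reached from dev_remove() via
 * free_dev(): it trusts any non-NULL pointer and frees it. */
static void model_dm_mq_cleanup_mapped_device(struct mapped_device *md, int fixed)
{
    if (md->tag_set) {
        model_kfree_tag_set(md);
        if (fixed)
            md->tag_set = NULL;
    }
}

/* Runs "table load (optionally failing), then device remove" and returns
 * how many times the tag set was freed: 1 is correct, 2 is the double free. */
int tag_set_free_count(int alloc_fails, int fixed)
{
    struct mapped_device md = { .tag_set = NULL, .tag_set_frees = 0 };

    (void)model_dm_mq_init_request_queue(&md, alloc_fails, fixed);
    model_dm_mq_cleanup_mapped_device(&md, fixed);
    return md.tag_set_frees;
}

int main(void)
{
    printf("load fails, unfixed: tag set freed %d time(s)\n", tag_set_free_count(1, 0));
    printf("load fails, fixed:   tag set freed %d time(s)\n", tag_set_free_count(1, 1));
    printf("load ok,    unfixed: tag set freed %d time(s)\n", tag_set_free_count(0, 0));
    return 0;
}
```

The point the model makes is that the cleanup function is correct on its own: it only frees what looks allocated. The defect lives entirely in the error path that freed an object without invalidating the reference to it, which is why the fix clears the pointer at both sites rather than adding a flag.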
Potential Impact
For European organizations, the impact of CVE-2021-46938 can be significant in environments relying on Linux servers with device-mapper configurations, especially those using multipath I/O for storage redundancy and performance. A successful exploitation can cause kernel crashes leading to denial of service (DoS), disrupting critical services and potentially causing data unavailability. In high-availability data centers, cloud infrastructure, and enterprise storage systems, such disruptions can result in operational downtime and financial losses. While the vulnerability does not directly enable privilege escalation or arbitrary code execution, the induced kernel panic can be leveraged in targeted attacks to cause service interruptions. Organizations in sectors such as finance, healthcare, telecommunications, and government, which often deploy Linux-based storage solutions, may face increased risk. Additionally, the complexity of the device-mapper subsystem means that recovery from crashes could require manual intervention, increasing incident response times.
Mitigation Recommendations
To mitigate CVE-2021-46938, European organizations should:
1) Apply the latest Linux kernel patches that address this vulnerability as soon as they become available from their Linux distribution vendors.
2) Audit and monitor device-mapper configurations, particularly those using request-based mapped devices and multipath setups, to identify systems potentially affected.
3) Limit administrative access to systems that can load or remove device-mapper tables to trusted personnel only, reducing the risk of accidental or malicious triggering of the vulnerability.
4) Implement kernel crash monitoring and automated recovery mechanisms to minimize downtime in case of kernel panics.
5) Consider deploying kernel hardening techniques such as Kernel Address Space Layout Randomization (KASLR) and Kernel Page Table Isolation (KPTI) to reduce the impact of memory corruption vulnerabilities.
6) Maintain up-to-date backups and disaster recovery plans to ensure data integrity and availability in case of service disruption.
7) Engage in proactive vulnerability management and threat hunting to detect any anomalous activity related to device-mapper operations.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-02-25T13:45:52.721Z
- Cisa Enriched: true
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9835c4522896dcbea77f
Added to database: 5/21/2025, 9:09:09 AM
Last enriched: 6/26/2025, 9:36:54 AM
Last updated: 8/12/2025, 10:27:03 PM
Related Threats
- CVE-2025-53948: CWE-415 Double Free in Santesoft Sante PACS Server (High)
- CVE-2025-52584: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt (High)
- CVE-2025-46269: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt (High)
- CVE-2025-54862: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server (Medium)
- CVE-2025-54759: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server (Medium)