CVE-2021-46942: Vulnerability in Linux Linux

Medium
Published: Tue Feb 27 2024 (02/27/2024, 18:40:29 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

io_uring: fix shared sqpoll cancellation hangs

[ 736.982891] INFO: task iou-sqp-4294:4295 blocked for more than 122 seconds.
[ 736.982897] Call Trace:
[ 736.982901] schedule+0x68/0xe0
[ 736.982903] io_uring_cancel_sqpoll+0xdb/0x110
[ 736.982908] io_sqpoll_cancel_cb+0x24/0x30
[ 736.982911] io_run_task_work_head+0x28/0x50
[ 736.982913] io_sq_thread+0x4e3/0x720

We call io_uring_cancel_sqpoll() one by one for each ctx either in sq_thread() itself or via task works, and it's intended to cancel all requests of a specified context. However the function uses per-task counters to track the number of inflight requests, so it counts more requests than available via current io_uring ctx and goes to sleep for them to appear (e.g. from IRQ), that will never happen.

Cancel a bit more than before, i.e. all ctxs that share sqpoll and continue to use shared counters. Don't forget that we should not remove ctx from the list before running that task_work sqpoll-cancel, otherwise the function wouldn't be able to find the context and will hang.

AI-Powered Analysis

Last updated: 06/26/2025, 09:35:43 UTC

Technical Analysis

CVE-2021-46942 is a vulnerability identified in the Linux kernel's io_uring subsystem, specifically related to the shared submission queue polling (sqpoll) cancellation mechanism. The io_uring interface is designed to improve asynchronous I/O performance by allowing applications to submit and complete I/O operations efficiently. The vulnerability arises from the way the kernel handles cancellation of inflight requests when multiple io_uring contexts share the sqpoll thread.

The function io_uring_cancel_sqpoll() is responsible for canceling all requests associated with a given context. However, it incorrectly uses per-task counters that track the number of inflight requests, which leads to an overcounting problem. This causes the cancellation routine to wait indefinitely for requests that do not exist, resulting in the sqpoll thread hanging. The root cause is that the cancellation logic counts requests from all contexts sharing the sqpoll thread rather than isolating counts per context, and it waits for completion events that will never occur. Additionally, the vulnerability involves improper management of the context list during cancellation, where removing a context prematurely prevents the cancellation function from locating it, further contributing to the hang.

This bug manifests as a kernel task being blocked for an extended period (e.g., over 122 seconds), which can degrade system responsiveness or lead to denial of service conditions. The issue has been addressed by adjusting the cancellation logic to account for all contexts sharing the sqpoll thread and ensuring proper ordering of context removal and cancellation task execution. No known exploits are reported in the wild, and no CVSS score has been assigned yet.

Potential Impact

For European organizations, this vulnerability poses a risk primarily to systems running affected Linux kernel versions that utilize io_uring with shared sqpoll threads, which are common in modern server environments and cloud infrastructures. The impact includes potential denial of service (DoS) scenarios where kernel threads hang indefinitely, leading to degraded system performance, stalled I/O operations, and possible service outages. This can affect critical infrastructure, web servers, database servers, and other enterprise applications relying on Linux for high-performance asynchronous I/O. Given the widespread use of Linux in European data centers, cloud providers, and enterprise environments, the vulnerability could disrupt business operations if exploited or triggered inadvertently. Although no active exploitation is known, the presence of this bug in kernel versions used in production environments means that attackers or faulty applications could induce hangs, impacting availability. Confidentiality and integrity impacts are minimal as the vulnerability does not directly allow unauthorized data access or modification. However, availability degradation can have cascading effects on business continuity and service level agreements (SLAs).

Mitigation Recommendations

European organizations should prioritize updating their Linux kernel to versions where this vulnerability is patched. Since the issue relates to kernel internals, applying vendor-supplied kernel updates or backported patches is the most effective mitigation. System administrators should audit their environments to identify usage of io_uring with shared sqpoll threads, especially in high-load or latency-sensitive applications. Where immediate patching is not feasible, organizations can consider disabling sqpoll or limiting the use of shared sqpoll contexts as a temporary workaround, though this may impact performance. Monitoring kernel logs for signs of blocked io_uring tasks or long-running kernel threads can help detect attempts to trigger the vulnerability. Additionally, testing application workloads for stability under heavy asynchronous I/O can reveal potential hangs. Coordination with Linux distribution vendors for timely patch deployment and validation in staging environments is recommended. Finally, maintaining robust incident response procedures to handle potential DoS conditions will reduce operational impact.
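
The kernel-log monitoring recommended above can be automated. The following is an added example, not code from the advisory or from the kernel project: it scans dmesg-style text for hung-task reports whose call trace contains the io_uring_cancel_sqpoll frame shown in the description. The function name and the second sample report are constructed for illustration.

```python
import re

# Header printed by the kernel hung-task detector (format as in the CVE description).
HUNG_RE = re.compile(r"\[\s*(?P<ts>\d+\.\d+)\]\s+INFO: task (?P<comm>.+):(?P<pid>\d+) "
                     r"blocked for more than (?P<secs>\d+) seconds\.")
# One stack frame, e.g. "[ 736.982903] io_uring_cancel_sqpoll+0xdb/0x110".
FRAME_RE = re.compile(r"\[\s*\d+\.\d+\]\s+(?:\? )?(?P<sym>[A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+")
SIGNATURE = "io_uring_cancel_sqpoll"  # frame named in the description's trace

def find_sqpoll_hangs(log_text):
    """Return hung-task reports whose call trace contains the sqpoll cancel frame."""
    reports, current, in_trace = [], None, False
    for line in log_text.splitlines():
        head = HUNG_RE.search(line)
        if head:
            current = {"ts": float(head["ts"]), "comm": head["comm"],
                       "pid": int(head["pid"]), "secs": int(head["secs"]), "frames": []}
            reports.append(current)
            in_trace = False
        elif current is not None and "Call Trace:" in line:
            in_trace = True
        elif in_trace:
            frame = FRAME_RE.search(line)
            if frame:
                current["frames"].append(frame["sym"])
            elif "<TASK>" not in line:
                in_trace = False  # first non-frame line ends this trace
    return [r for r in reports if SIGNATURE in r["frames"]]

# First report: lines from the CVE description. Second report: constructed, unrelated hang.
SAMPLE = """\
[ 736.982891] INFO: task iou-sqp-4294:4295 blocked for more than 122 seconds.
[ 736.982897] Call Trace:
[ 736.982901] schedule+0x68/0xe0
[ 736.982903] io_uring_cancel_sqpoll+0xdb/0x110
[ 736.982908] io_sqpoll_cancel_cb+0x24/0x30
[ 736.982911] io_run_task_work_head+0x28/0x50
[ 736.982913] io_sq_thread+0x4e3/0x720
[ 901.100000] INFO: task kworker/u8:2:311 blocked for more than 122 seconds.
[ 901.100004] Call Trace:
[ 901.100009] schedule+0x68/0xe0
[ 901.100012] io_schedule+0x16/0x40
"""

if __name__ == "__main__":
    for hit in find_sqpoll_hangs(SAMPLE):
        print(f"{hit['comm']} (pid {hit['pid']}) blocked >{hit['secs']}s: {' <- '.join(hit['frames'])}")
```

Hung-task reports are only emitted when the kernel's hung-task detector is enabled, so an empty result on a host without it says nothing about whether the hang occurred.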

Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-02-25T13:45:52.721Z
Cisa Enriched: true
Cvss Version: null
State: PUBLISHED

Threat ID: 682d9835c4522896dcbea797

Added to database: 5/21/2025, 9:09:09 AM

Last enriched: 6/26/2025, 9:35:43 AM

Last updated: 8/16/2025, 12:45:05 AM
