
CVE-2021-46972: Vulnerability in Linux Linux

High
Published: Tue Feb 27 2024 (02/27/2024, 18:47:07 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

ovl: fix leaked dentry

Since commit 6815f479ca90 ("ovl: use only uppermetacopy state in ovl_lookup()"), overlayfs doesn't put temporary dentry when there is a metacopy error, which leads to dentry leaks when shutting down the related superblock:

    overlayfs: refusing to follow metacopy origin for (/file0)
    ...
    BUG: Dentry (____ptrval____){i=3f33,n=file3} still in use (1) [unmount of overlay overlay]
    ...
    WARNING: CPU: 1 PID: 432 at umount_check.cold+0x107/0x14d
    CPU: 1 PID: 432 Comm: unmount-overlay Not tainted 5.12.0-rc5 #1
    ...
    RIP: 0010:umount_check.cold+0x107/0x14d
    ...
    Call Trace:
     d_walk+0x28c/0x950
     ? dentry_lru_isolate+0x2b0/0x2b0
     ? __kasan_slab_free+0x12/0x20
     do_one_tree+0x33/0x60
     shrink_dcache_for_umount+0x78/0x1d0
     generic_shutdown_super+0x70/0x440
     kill_anon_super+0x3e/0x70
     deactivate_locked_super+0xc4/0x160
     deactivate_super+0xfa/0x140
     cleanup_mnt+0x22e/0x370
     __cleanup_mnt+0x1a/0x30
     task_work_run+0x139/0x210
     do_exit+0xb0c/0x2820
     ? __kasan_check_read+0x1d/0x30
     ? find_held_lock+0x35/0x160
     ? lock_release+0x1b6/0x660
     ? mm_update_next_owner+0xa20/0xa20
     ? reacquire_held_locks+0x3f0/0x3f0
     ? __sanitizer_cov_trace_const_cmp4+0x22/0x30
     do_group_exit+0x135/0x380
     __do_sys_exit_group.isra.0+0x20/0x20
     __x64_sys_exit_group+0x3c/0x50
     do_syscall_64+0x45/0x70
     entry_SYSCALL_64_after_hwframe+0x44/0xae
    ...
    VFS: Busy inodes after unmount of overlay. Self-destruct in 5 seconds. Have a nice day...

This fix has been tested with a syzkaller reproducer.

AI-Powered Analysis

Last updated: 06/30/2025, 18:26:37 UTC

Technical Analysis

CVE-2021-46972 is a vulnerability in the Linux kernel's overlay filesystem (overlayfs) implementation. The issue is a regression introduced by commit 6815f479ca90, which changed how overlayfs handles metacopy state during lookups. Specifically, overlayfs stopped putting (releasing its reference on) a temporary dentry (directory entry) when a metacopy error occurs. This leads to leaked dentries when the related superblock is shut down, causing inodes to remain busy after unmount operations. The vulnerability manifests as a use-after-free or resource leak condition during the unmounting of overlayfs mounts, which can trigger kernel warnings and ultimately cause the kernel to self-destruct (panic) after a delay. The problem is demonstrated by kernel logs showing "BUG: Dentry ... still in use" and warnings at umount_check.cold, indicating that the filesystem's internal state is inconsistent due to leaked dentries. This can lead to system instability or denial of service (DoS) conditions. The fix ensures that overlayfs correctly manages dentries even when metacopy errors occur, preventing leaks and ensuring clean unmounts. The fix was tested with a reproducer from syzkaller, a kernel fuzzer, confirming the issue's reproducibility and the fix's effectiveness. No known exploits are reported in the wild, and no CVSS score has been assigned yet.

Potential Impact

For European organizations, this vulnerability primarily poses a risk of denial of service on Linux systems using overlayfs, which is commonly employed in container environments (e.g., Docker, Kubernetes) and other layered filesystem scenarios. Successful exploitation could cause kernel panics or system crashes during unmount operations, potentially disrupting critical services, especially in cloud infrastructure, containerized applications, and development environments. While it does not directly lead to privilege escalation or data leakage, the resulting instability can cause downtime and affect the availability of services. Organizations relying heavily on container orchestration or overlayfs-based storage should be particularly cautious. The impact is more pronounced in environments with frequent mount/unmount operations or where overlayfs is used extensively for ephemeral storage. Given the widespread use of Linux in European data centers, cloud providers, and enterprises, the vulnerability could affect a broad range of sectors including finance, telecommunications, and government services.

Mitigation Recommendations

1. Apply the official Linux kernel patches that address this vulnerability as soon as they become available for your distribution. Monitor vendor advisories for updated kernel packages.
2. If patching immediately is not feasible, consider minimizing overlayfs usage or avoiding frequent unmounts of overlayfs mounts until patched.
3. Implement monitoring for kernel warnings related to overlayfs and dentry leaks to detect potential exploitation or system instability early.
4. In containerized environments, ensure container runtimes and orchestration platforms are updated to versions that include patched kernels or mitigations.
5. Conduct thorough testing of overlayfs unmount operations in staging environments after patching to confirm stability.
6. Limit access to systems running overlayfs to trusted users to reduce the risk of triggering the vulnerability.
7. Maintain robust backup and recovery procedures to mitigate the impact of potential system crashes or downtime caused by this issue.
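A sketch of the log monitoring in recommendation 3, as an added example that is not part of the original advisory: it matches the three kernel messages quoted in the description and ties a leaked overlay dentry to any earlier metacopy refusal. The function name, result fields and the sample log (constructed, with made-up timestamps) are assumptions.

```python
import re
import sys

# Signatures taken from the kernel log quoted in the CVE description.
DENTRY_RE = re.compile(
    r"BUG: Dentry \S+\{i=(?P<ino>[0-9a-f]+),n=(?P<name>[^}]*)\}\s+still in use "
    r"\((?P<refs>-?\d+)\) \[unmount of (?P<fstype>\S+) (?P<sb>[^\]]+)\]")
METACOPY_RE = re.compile(
    r"overlayfs: refusing to follow metacopy origin for \((?P<path>[^)]*)\)")
BUSY_RE = re.compile(r"VFS: Busy inodes after unmount of (?P<sb>.+?)\. Self-destruct")

# Constructed sample modelled on the excerpt in the description.
SAMPLE_LOG = """\
[  101.000001] overlayfs: refusing to follow metacopy origin for (/file0)
[  101.500002] BUG: Dentry (____ptrval____){i=3f33,n=file3} still in use (1) [unmount of overlay overlay]
[  101.500010] WARNING: CPU: 1 PID: 432 at umount_check.cold+0x107/0x14d
[  101.500900] VFS: Busy inodes after unmount of overlay. Self-destruct in 5 seconds. Have a nice day...
[  140.000000] EXT4-fs (sda1): mounted filesystem with ordered data mode
""".splitlines()


def scan_kernel_log(lines):
    """Return one finding per leaked-dentry BUG line in an iterable of log lines."""
    findings, metacopy_paths, busy_sbs = [], [], set()
    for line in lines:
        if (m := METACOPY_RE.search(line)):
            metacopy_paths.append(m["path"])
        elif (m := DENTRY_RE.search(line)):
            findings.append({
                "inode": int(m["ino"], 16), "name": m["name"],
                "refs": int(m["refs"]), "fstype": m["fstype"], "sb": m["sb"],
                # Refusals logged before the leak point at the metacopy error path.
                "metacopy_refusals": list(metacopy_paths) if m["fstype"] == "overlay" else [],
            })
        elif (m := BUSY_RE.search(line)):
            busy_sbs.add(m["sb"])
    for f in findings:
        f["busy_inodes"] = f["sb"] in busy_sbs  # unmount finished with inodes still held
    return findings


if __name__ == "__main__":
    # Pipe a kernel log in (e.g. from dmesg); falls back to the sample on a terminal.
    source = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin
    for f in scan_kernel_log(source):
        print(f)
```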


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-02-27T18:42:55.943Z
CISA Enriched: true
CVSS Version: null
State: PUBLISHED

Threat ID: 682d9834c4522896dcbe9964

Added to database: 5/21/2025, 9:09:08 AM

Last enriched: 6/30/2025, 6:26:37 PM

Last updated: 8/14/2025, 11:15:58 PM
