CVE-2021-46984: Vulnerability in Linux kernel
Description
In the Linux kernel, the following vulnerability has been resolved:

kyber: fix out of bounds access when preempted

__blk_mq_sched_bio_merge() gets the ctx and hctx for the current CPU and passes the hctx to ->bio_merge(). kyber_bio_merge() then gets the ctx for the current CPU again and uses that to get the corresponding Kyber context in the passed hctx. However, the thread may be preempted between the two calls to blk_mq_get_ctx(), and the ctx returned the second time may no longer correspond to the passed hctx. This "works" accidentally most of the time, but it can cause us to read garbage if the second ctx came from an hctx with more ctx's than the first one (i.e., if ctx->index_hw[hctx->type] > hctx->nr_ctx).

This manifested as this UBSAN array index out of bounds error reported by Jakub:

UBSAN: array-index-out-of-bounds in ../kernel/locking/qspinlock.c:130:9
index 13106 is out of range for type 'long unsigned int [128]'
Call Trace:
 dump_stack+0xa4/0xe5
 ubsan_epilogue+0x5/0x40
 __ubsan_handle_out_of_bounds.cold.13+0x2a/0x34
 queued_spin_lock_slowpath+0x476/0x480
 do_raw_spin_lock+0x1c2/0x1d0
 kyber_bio_merge+0x112/0x180
 blk_mq_submit_bio+0x1f5/0x1100
 submit_bio_noacct+0x7b0/0x870
 submit_bio+0xc2/0x3a0
 btrfs_map_bio+0x4f0/0x9d0
 btrfs_submit_data_bio+0x24e/0x310
 submit_one_bio+0x7f/0xb0
 submit_extent_page+0xc4/0x440
 __extent_writepage_io+0x2b8/0x5e0
 __extent_writepage+0x28d/0x6e0
 extent_write_cache_pages+0x4d7/0x7a0
 extent_writepages+0xa2/0x110
 do_writepages+0x8f/0x180
 __writeback_single_inode+0x99/0x7f0
 writeback_sb_inodes+0x34e/0x790
 __writeback_inodes_wb+0x9e/0x120
 wb_writeback+0x4d2/0x660
 wb_workfn+0x64d/0xa10
 process_one_work+0x53a/0xa80
 worker_thread+0x69/0x5b0
 kthread+0x20b/0x240
 ret_from_fork+0x1f/0x30

Only Kyber uses the hctx, so fix it by passing the request_queue to ->bio_merge() instead. BFQ and mq-deadline just use that, and Kyber can map the queues itself to avoid the mismatch.
AI Analysis
Technical Summary
CVE-2021-46984 is a vulnerability in the Linux kernel's block I/O scheduler subsystem, specifically affecting the Kyber I/O scheduler. The issue is an out-of-bounds memory access caused by a race condition between CPU preemption and per-CPU context retrieval.

The function __blk_mq_sched_bio_merge() obtains the software context (ctx) and hardware context (hctx) for the current CPU and passes hctx to the ->bio_merge() callback. Kyber's implementation, kyber_bio_merge(), then retrieves the ctx for the current CPU a second time and uses it to index the corresponding Kyber context within the passed hctx. If the thread is preempted and migrated between these two calls, the second ctx may belong to a different hctx than the one passed in, and the index derived from it can exceed the array bounds of the original hctx, so the kernel reads invalid or garbage data. This is exactly what the UBSAN (Undefined Behavior Sanitizer) report shows: an index far outside the array bounds.

The root cause is that Kyber derives its per-queue state from the hctx it was handed, whereas other schedulers such as BFQ and mq-deadline work from the request_queue directly and are not exposed to the mismatch. The fix passes the request_queue to ->bio_merge() instead of the hctx, so Kyber can map ctx to hctx itself from a single, consistent context lookup and the race disappears.

This is a kernel-level memory safety issue that can lead to undefined behavior, including kernel crashes or data corruption. It affects Linux kernel versions prior to the fix identified by the referenced commit hashes and does not require user interaction or authentication to be triggered, because it occurs during normal block I/O submission. No known exploits are reported in the wild as of the publication date.
Potential Impact
For European organizations, this vulnerability poses a risk primarily to systems running affected Linux kernel versions with the Kyber I/O scheduler enabled. Since Kyber is the default I/O scheduler in many modern Linux distributions, including those used in enterprise servers, cloud infrastructure, and embedded systems, the scope is broad. Exploitation could lead to kernel crashes (denial of service), data corruption, or potentially privilege escalation if an attacker can manipulate block I/O operations. This could disrupt critical services, especially in data centers, cloud providers, and industries relying on Linux-based storage systems. The impact on confidentiality is limited unless combined with other vulnerabilities, but integrity and availability could be significantly affected. Given the kernel-level nature of the bug, recovery may require system reboots and patching, impacting operational continuity. Organizations with high I/O workloads or those using Kyber in storage-heavy environments (e.g., databases, virtualized infrastructure) are particularly at risk. The absence of known exploits reduces the immediate threat but does not eliminate the risk, especially from targeted attackers or advanced persistent threats.
Mitigation Recommendations
European organizations should:
1) Identify and inventory Linux systems running affected kernel versions with Kyber enabled.
2) Apply the official Linux kernel patches that address CVE-2021-46984 as soon as they become available from trusted sources or distribution vendors.
3) If immediate patching is not possible, consider temporarily switching the I/O scheduler to a non-Kyber scheduler (e.g., BFQ or mq-deadline) to mitigate the risk of exploitation.
4) Monitor kernel logs and system behavior for signs of out-of-bounds errors, crashes, or unusual I/O failures that could indicate exploitation attempts.
5) Employ strict access controls and limit untrusted user access to systems performing block I/O operations to reduce attack surface.
6) Incorporate this vulnerability into vulnerability management and incident response plans to ensure timely detection and remediation.
7) Engage with Linux distribution vendors to receive timely updates and security advisories.
These steps go beyond generic advice by focusing on scheduler configuration and proactive monitoring specific to this vulnerability.
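The script below is an added example for steps 1, 3 and 4 of the list above; it is not part of this advisory or of the kernel tree. It assumes the standard sysfs layout /sys/block/<dev>/queue/scheduler, where the file lists the schedulers the kernel offers for that queue with the active one in brackets (for example "mq-deadline [kyber] bfq none"). Whether Kyber is active is a per-device setting, so an inventory has to look at every queue rather than at the distribution default. The kernel log excerpt it scans is constructed for the test from the UBSAN trace quoted in the description, with made-up timestamps and a second, unrelated UBSAN report that must not be counted.

```shell
#!/bin/sh
# Added example (not from the advisory or the kernel tree): inventory block
# devices whose active scheduler is Kyber, switch one device to another
# scheduler, and count UBSAN out-of-bounds reports in a kernel log whose
# call trace passes through kyber_bio_merge(). Assumes the sysfs layout
# /sys/block/<dev>/queue/scheduler with the active scheduler in brackets.
# SYSFS_BLOCK can be overridden so the functions run against a test tree.

SYSFS_BLOCK="${SYSFS_BLOCK:-/sys/block}"

# Print the active scheduler named in brackets in a queue/scheduler file ($1).
active_scheduler() {
    sed -n 's/.*\[\([^]]*\)\].*/\1/p' "$1"
}

# List the block devices under $SYSFS_BLOCK whose active scheduler is kyber.
kyber_devices() {
    for f in "$SYSFS_BLOCK"/*/queue/scheduler; do
        [ -r "$f" ] || continue
        if [ "$(active_scheduler "$f")" = "kyber" ]; then
            basename "$(dirname "$(dirname "$f")")"
        fi
    done
}

# Switch device $1 to scheduler $2, but only if the kernel offers that
# scheduler for the queue (it rejects unknown names anyway). Needs root on a
# real system, and the setting does not survive a reboot, so a udev rule or
# boot parameter is needed to make it persistent.
set_scheduler() {
    f="$SYSFS_BLOCK/$1/queue/scheduler"
    if grep -qw "$2" "$f"; then
        echo "$2" > "$f"
    else
        echo "scheduler $2 is not offered for $1" >&2
        return 1
    fi
}

# Count UBSAN array-index-out-of-bounds reports in kernel log file $1 whose
# call trace contains kyber_bio_merge. A report starts at its "UBSAN:" line
# and its frames run until the next report or end of file.
ubsan_kyber_hits() {
    awk '
        /UBSAN: array-index-out-of-bounds/ { if (hit) n++; hit = 0; open = 1; next }
        open && /kyber_bio_merge/ { hit = 1 }
        END { if (hit) n++; print n + 0 }
    ' "$1"
}

# Constructed dmesg excerpt for testing: the first report is the advisory's
# trace (shortened) with made-up timestamps; the second is an unrelated
# UBSAN report and must not be counted.
sample_log() {
    cat <<'EOF'
[  512.101133] UBSAN: array-index-out-of-bounds in ../kernel/locking/qspinlock.c:130:9
[  512.101140] index 13106 is out of range for type 'long unsigned int [128]'
[  512.101145] Call Trace:
[  512.101150]  dump_stack+0xa4/0xe5
[  512.101155]  ubsan_epilogue+0x5/0x40
[  512.101160]  __ubsan_handle_out_of_bounds.cold.13+0x2a/0x34
[  512.101165]  queued_spin_lock_slowpath+0x476/0x480
[  512.101170]  do_raw_spin_lock+0x1c2/0x1d0
[  512.101175]  kyber_bio_merge+0x112/0x180
[  512.101180]  blk_mq_submit_bio+0x1f5/0x1100
[  512.101185]  submit_bio_noacct+0x7b0/0x870
[  512.101190]  ret_from_fork+0x1f/0x30
[  640.220011] UBSAN: array-index-out-of-bounds in some_other_file.c:10:3
[  640.220015] Call Trace:
[  640.220020]  some_unrelated_function+0x10/0x20
EOF
}

# Usage: ./kyber_check.sh list
#        ./kyber_check.sh switch sda mq-deadline
#        ./kyber_check.sh scan /var/log/kern.log
case "${1:-}" in
    list)   kyber_devices ;;
    switch) set_scheduler "$2" "${3:-mq-deadline}" ;;
    scan)   ubsan_kyber_hits "${2:-/dev/stdin}" ;;
esac
```

The scheduler switch is a stop-gap: it removes the affected code path from the I/O submission path on that device but changes I/O latency characteristics, so it should be rolled back once the patched kernel is in place. The log scan is deliberately narrow (out-of-bounds reports with kyber_bio_merge in the trace) so that it can be run against archived logs to see whether the race has already fired on a host before patching.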
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Norway, Denmark, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-02-27T18:42:55.946Z
- Cisa Enriched: true
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9834c4522896dcbe99a2
Added to database: 5/21/2025, 9:09:08 AM
Last enriched: 6/30/2025, 6:41:05 PM
Last updated: 8/14/2025, 1:05:54 AM