CVE-2021-47011: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: mm: memcontrol: slab: fix obtain a reference to a freeing memcg Patch series "Use obj_cgroup APIs to charge kmem pages", v5. Since Roman's series "The new cgroup slab memory controller" applied. All slab objects are charged with the new APIs of obj_cgroup. The new APIs introduce a struct obj_cgroup to charge slab objects. It prevents long-living objects from pinning the original memory cgroup in the memory. But there are still some corner objects (e.g. allocations larger than order-1 page on SLUB) which are not charged with the new APIs. Those objects (include the pages which are allocated from buddy allocator directly) are charged as kmem pages which still hold a reference to the memory cgroup. E.g. We know that the kernel stack is charged as kmem pages because the size of the kernel stack can be greater than 2 pages (e.g. 16KB on x86_64 or arm64). If we create a thread (suppose the thread stack is charged to memory cgroup A) and then move it from memory cgroup A to memory cgroup B. Because the kernel stack of the thread hold a reference to the memory cgroup A. The thread can pin the memory cgroup A in the memory even if we remove the cgroup A. If we want to see this scenario by using the following script. We can see that the system has added 500 dying cgroups (This is not a real world issue, just a script to show that the large kmallocs are charged as kmem pages which can pin the memory cgroup in the memory). #!/bin/bash cat /proc/cgroups | grep memory cd /sys/fs/cgroup/memory echo 1 > memory.move_charge_at_immigrate for i in range{1..500} do mkdir kmem_test echo $$ > kmem_test/cgroup.procs sleep 3600 & echo $$ > cgroup.procs echo `cat kmem_test/cgroup.procs` > cgroup.procs rmdir kmem_test done cat /proc/cgroups | grep memory This patchset aims to make those kmem pages to drop the reference to memory cgroup by using the APIs of obj_cgroup. Finally, we can see that the number of the dying cgroups will not increase if we run the above test script. This patch (of 7): The rcu_read_lock/unlock only can guarantee that the memcg will not be freed, but it cannot guarantee the success of css_get (which is in the refill_stock when cached memcg changed) to memcg. rcu_read_lock() memcg = obj_cgroup_memcg(old) __memcg_kmem_uncharge(memcg) refill_stock(memcg) if (stock->cached != memcg) // css_get can change the ref counter from 0 back to 1. css_get(&memcg->css) rcu_read_unlock() This fix is very like the commit: eefbfa7fd678 ("mm: memcg/slab: fix use after free in obj_cgroup_charge") Fix this by holding a reference to the memcg which is passed to the __memcg_kmem_uncharge() before calling __memcg_kmem_uncharge().
AI Analysis
Technical Summary
CVE-2021-47011 is a vulnerability in the Linux kernel's memory control (memcontrol) subsystem, specifically related to the slab allocator's handling of memory cgroups (memcg). The issue arises from how slab objects, particularly those allocated larger than an order-1 page on SLUB, are charged to memory cgroups. The kernel introduced new APIs (obj_cgroup) to properly charge slab objects and prevent long-living objects from pinning the original memory cgroup in memory. However, some corner cases, such as large allocations and kernel stacks, were still charged as kmem pages, which hold references to the original memory cgroup. This can cause memory cgroups to remain pinned in memory even after they are removed, leading to resource leakage and potential memory exhaustion. The vulnerability is demonstrated by a script that creates many dying cgroups, showing the system's inability to fully release memory cgroups due to these lingering references. The patch fixes this by ensuring that kmem pages drop their references to memory cgroups using the obj_cgroup APIs and by holding a reference to the memcg before uncharging kmem pages to prevent use-after-free conditions. This fix improves memory accounting accuracy and prevents memory cgroup pinning issues that could degrade system stability over time.
Potential Impact
For European organizations relying on Linux-based systems, especially servers and infrastructure running containerized workloads or cgroup-based resource management, this vulnerability can lead to memory resource leakage. Over time, the accumulation of dying memory cgroups that cannot be fully released may cause increased memory consumption, potentially leading to degraded system performance, instability, or even denial of service due to memory exhaustion. This is particularly critical for cloud providers, data centers, and enterprises running large-scale Linux deployments or container orchestration platforms like Kubernetes, which heavily utilize cgroups for resource isolation. While the vulnerability does not appear to allow direct code execution or privilege escalation, the indirect impact on availability and system reliability can disrupt business operations and service continuity. The absence of known exploits in the wild suggests limited immediate threat, but unpatched systems remain vulnerable to resource exhaustion attacks or inadvertent system degradation.
Mitigation Recommendations
European organizations should prioritize applying the official Linux kernel patches that address CVE-2021-47011 as soon as possible. Specifically, updating to kernel versions that include the fix for proper obj_cgroup API usage in kmem page charging is essential. System administrators should audit their Linux kernel versions and upgrade kernels in production environments, especially those running memory-intensive workloads or containerized applications. Additionally, monitoring memory cgroup statistics and the number of dying cgroups can help detect abnormal resource retention. Implementing automated alerts for unusual memory cgroup behavior and resource leaks can provide early warning signs. For environments where immediate patching is challenging, consider limiting the creation and deletion rate of memory cgroups or adjusting memory cgroup configurations to reduce the impact. Regularly reviewing and testing kernel updates in staging environments before deployment will ensure stability and compatibility. Finally, maintain good operational hygiene by keeping systems updated with the latest security patches and kernel releases.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Norway, Denmark, Italy, Spain
CVE-2021-47011: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: mm: memcontrol: slab: fix obtain a reference to a freeing memcg Patch series "Use obj_cgroup APIs to charge kmem pages", v5. Since Roman's series "The new cgroup slab memory controller" applied. All slab objects are charged with the new APIs of obj_cgroup. The new APIs introduce a struct obj_cgroup to charge slab objects. It prevents long-living objects from pinning the original memory cgroup in the memory. But there are still some corner objects (e.g. allocations larger than order-1 page on SLUB) which are not charged with the new APIs. Those objects (include the pages which are allocated from buddy allocator directly) are charged as kmem pages which still hold a reference to the memory cgroup. E.g. We know that the kernel stack is charged as kmem pages because the size of the kernel stack can be greater than 2 pages (e.g. 16KB on x86_64 or arm64). If we create a thread (suppose the thread stack is charged to memory cgroup A) and then move it from memory cgroup A to memory cgroup B. Because the kernel stack of the thread hold a reference to the memory cgroup A. The thread can pin the memory cgroup A in the memory even if we remove the cgroup A. If we want to see this scenario by using the following script. We can see that the system has added 500 dying cgroups (This is not a real world issue, just a script to show that the large kmallocs are charged as kmem pages which can pin the memory cgroup in the memory). #!/bin/bash cat /proc/cgroups | grep memory cd /sys/fs/cgroup/memory echo 1 > memory.move_charge_at_immigrate for i in range{1..500} do mkdir kmem_test echo $$ > kmem_test/cgroup.procs sleep 3600 & echo $$ > cgroup.procs echo `cat kmem_test/cgroup.procs` > cgroup.procs rmdir kmem_test done cat /proc/cgroups | grep memory This patchset aims to make those kmem pages to drop the reference to memory cgroup by using the APIs of obj_cgroup. Finally, we can see that the number of the dying cgroups will not increase if we run the above test script. This patch (of 7): The rcu_read_lock/unlock only can guarantee that the memcg will not be freed, but it cannot guarantee the success of css_get (which is in the refill_stock when cached memcg changed) to memcg. rcu_read_lock() memcg = obj_cgroup_memcg(old) __memcg_kmem_uncharge(memcg) refill_stock(memcg) if (stock->cached != memcg) // css_get can change the ref counter from 0 back to 1. css_get(&memcg->css) rcu_read_unlock() This fix is very like the commit: eefbfa7fd678 ("mm: memcg/slab: fix use after free in obj_cgroup_charge") Fix this by holding a reference to the memcg which is passed to the __memcg_kmem_uncharge() before calling __memcg_kmem_uncharge().
AI-Powered Analysis
Technical Analysis
CVE-2021-47011 is a vulnerability in the Linux kernel's memory control (memcontrol) subsystem, specifically related to the slab allocator's handling of memory cgroups (memcg). The issue arises from how slab objects, particularly those allocated larger than an order-1 page on SLUB, are charged to memory cgroups. The kernel introduced new APIs (obj_cgroup) to properly charge slab objects and prevent long-living objects from pinning the original memory cgroup in memory. However, some corner cases, such as large allocations and kernel stacks, were still charged as kmem pages, which hold references to the original memory cgroup. This can cause memory cgroups to remain pinned in memory even after they are removed, leading to resource leakage and potential memory exhaustion. The vulnerability is demonstrated by a script that creates many dying cgroups, showing the system's inability to fully release memory cgroups due to these lingering references. The patch fixes this by ensuring that kmem pages drop their references to memory cgroups using the obj_cgroup APIs and by holding a reference to the memcg before uncharging kmem pages to prevent use-after-free conditions. This fix improves memory accounting accuracy and prevents memory cgroup pinning issues that could degrade system stability over time.
Potential Impact
For European organizations relying on Linux-based systems, especially servers and infrastructure running containerized workloads or cgroup-based resource management, this vulnerability can lead to memory resource leakage. Over time, the accumulation of dying memory cgroups that cannot be fully released may cause increased memory consumption, potentially leading to degraded system performance, instability, or even denial of service due to memory exhaustion. This is particularly critical for cloud providers, data centers, and enterprises running large-scale Linux deployments or container orchestration platforms like Kubernetes, which heavily utilize cgroups for resource isolation. While the vulnerability does not appear to allow direct code execution or privilege escalation, the indirect impact on availability and system reliability can disrupt business operations and service continuity. The absence of known exploits in the wild suggests limited immediate threat, but unpatched systems remain vulnerable to resource exhaustion attacks or inadvertent system degradation.
Mitigation Recommendations
European organizations should prioritize applying the official Linux kernel patches that address CVE-2021-47011 as soon as possible. Specifically, updating to kernel versions that include the fix for proper obj_cgroup API usage in kmem page charging is essential. System administrators should audit their Linux kernel versions and upgrade kernels in production environments, especially those running memory-intensive workloads or containerized applications. Additionally, monitoring memory cgroup statistics and the number of dying cgroups can help detect abnormal resource retention. Implementing automated alerts for unusual memory cgroup behavior and resource leaks can provide early warning signs. For environments where immediate patching is challenging, consider limiting the creation and deletion rate of memory cgroups or adjusting memory cgroup configurations to reduce the impact. Regularly reviewing and testing kernel updates in staging environments before deployment will ensure stability and compatibility. Finally, maintain good operational hygiene by keeping systems updated with the latest security patches and kernel releases.
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2024-02-27T18:42:55.953Z
- Cisa Enriched
- true
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 682d9834c4522896dcbe9a50
Added to database: 5/21/2025, 9:09:08 AM
Last enriched: 6/30/2025, 7:12:50 PM
Last updated: 8/2/2025, 12:24:50 PM
Views: 11
Related Threats
CVE-2025-40770: CWE-300: Channel Accessible by Non-Endpoint in Siemens SINEC Traffic Analyzer
HighCVE-2025-40769: CWE-1164: Irrelevant Code in Siemens SINEC Traffic Analyzer
HighCVE-2025-40768: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in Siemens SINEC Traffic Analyzer
HighCVE-2025-40767: CWE-250: Execution with Unnecessary Privileges in Siemens SINEC Traffic Analyzer
HighCVE-2025-40766: CWE-400: Uncontrolled Resource Consumption in Siemens SINEC Traffic Analyzer
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.