CVE-2021-47026: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

RDMA/rtrs-clt: destroy sysfs after removing session from active list

A session can be removed dynamically by sysfs interface "remove_path" that eventually calls rtrs_clt_remove_path_from_sysfs function. The current rtrs_clt_remove_path_from_sysfs first removes the sysfs interfaces and frees sess->stats object. Second it removes the session from the active list.

Therefore some functions could access non-connected session and access the freed sess->stats object even if they check the session status before accessing the session.

For instance rtrs_clt_request and get_next_path_min_inflight check the session status and try to send IO to the session. The session status could be changed when they are trying to send IO but they could not catch the change and update the statistics information in sess->stats object, and generate use-after-free problem. (see: "RDMA/rtrs-clt: Check state of the rtrs_clt_sess before reading its stats")

This patch changes the rtrs_clt_remove_path_from_sysfs to remove the session from the active session list and then destroy the sysfs interfaces.

Each function still should check the session status because closing or error recovery paths can change the status.
AI Analysis
Technical Summary
CVE-2021-47026 is a use-after-free vulnerability identified in the Linux kernel's RDMA (Remote Direct Memory Access) subsystem, specifically within the rtrs-clt (RDMA Target Remote Client) component. The vulnerability arises from improper handling of session removal in the sysfs interface. When a session is dynamically removed via the "remove_path" sysfs interface, the function rtrs_clt_remove_path_from_sysfs first removes sysfs interfaces and frees the session's statistics object (sess->stats), and only afterward removes the session from the active session list. This sequence creates a race condition where other kernel functions, such as rtrs_clt_request and get_next_path_min_inflight, may access the freed sess->stats object after checking the session status but before the session is fully removed. This leads to a use-after-free condition, which can cause kernel memory corruption, potentially resulting in system instability, crashes, or privilege escalation if exploited. The patch corrects this by reversing the order: the session is first removed from the active list, then the sysfs interfaces are destroyed, reducing the window for unsafe access. However, functions interacting with the session must still verify session status to handle state changes during closing or error recovery paths. This vulnerability affects specific Linux kernel versions identified by commit hashes and is relevant to systems utilizing RDMA with rtrs-clt. No known exploits in the wild have been reported as of the publication date, and no CVSS score has been assigned yet.
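The ordering problem described above can be shown with a small userspace model. This is an added example, not kernel code or code from the patch; the struct, field and function names are hypothetical, and the freed pointer is set to NULL so the model can detect the hazard without touching freed memory.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Simplified model of a session; names are hypothetical, not the kernel's. */
struct stats { unsigned long inflight; };
struct sess {
    struct stats *stats; /* set to NULL after free so the model can see it */
    bool on_active_list; /* still reachable by path selection */
};

/* Models an IO submitter that already passed its state check and now
 * reaches the session through the active list to update statistics. */
static bool submitter_hits_freed_stats(const struct sess *s)
{
    return s->on_active_list && s->stats == NULL;
}

static void destroy_sysfs_and_stats(struct sess *s)
{
    free(s->stats);
    s->stats = NULL;
}

static void remove_from_active_list(struct sess *s)
{
    s->on_active_list = false;
}

/* Runs the two teardown steps in the chosen order and probes after each one.
 * Returns how many steps leave a window where freed stats are reachable.
 * Limit of the model: it does not cover a submitter that already holds a
 * session pointer when the session is unlinked. */
static int teardown(bool list_first)
{
    struct sess s = { .stats = calloc(1, sizeof(struct stats)),
                      .on_active_list = true };
    void (*steps[2])(struct sess *) = {
        list_first ? remove_from_active_list : destroy_sysfs_and_stats,
        list_first ? destroy_sysfs_and_stats : remove_from_active_list,
    };
    int hazards = 0;

    for (int i = 0; i < 2; i++) {
        steps[i](&s);
        hazards += submitter_hits_freed_stats(&s);
    }
    return hazards;
}

int main(void)
{
    printf("old order (sysfs first):    %d hazardous window(s)\n", teardown(false));
    printf("patched order (list first): %d hazardous window(s)\n", teardown(true));
    return 0;
}
```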
Potential Impact
For European organizations, the impact of CVE-2021-47026 depends largely on the deployment of Linux systems utilizing RDMA with the rtrs-clt client, which is common in high-performance computing, data centers, and enterprise storage environments. Exploitation could lead to kernel memory corruption causing system crashes or denial of service, potentially disrupting critical infrastructure or services. In worst cases, attackers with local access might leverage this vulnerability for privilege escalation, compromising system integrity and confidentiality. Given the kernel-level nature of the flaw, successful exploitation could undermine the security of sensitive data and critical applications. Organizations relying on Linux-based RDMA for storage or network acceleration should be particularly vigilant. Although no active exploits are known, the complexity of the vulnerability and its kernel-level impact warrant prompt attention to avoid future exploitation, especially in sectors like finance, healthcare, and government where uptime and data integrity are paramount.
Mitigation Recommendations
European organizations should prioritize updating their Linux kernels to versions where this vulnerability is patched, ensuring the fix that reorders session removal is applied. Since this vulnerability involves kernel-level code, applying vendor-supplied kernel updates or backported patches is critical. For environments where immediate patching is not feasible, organizations should restrict access to systems running vulnerable kernels, especially limiting local user access to trusted personnel only, as exploitation requires local code execution. Monitoring kernel logs and system behavior for anomalies related to RDMA sessions may help detect exploitation attempts. Additionally, organizations should audit their use of RDMA and rtrs-clt features to assess exposure and consider disabling or limiting RDMA functionality if not essential. Implementing strict access controls and employing kernel integrity monitoring tools can further reduce risk. Finally, maintain awareness of vendor advisories and emerging threat intelligence regarding this vulnerability.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Denmark, Belgium, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-02-27T18:42:55.960Z
- Cisa Enriched: true
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9834c4522896dcbe9aaf
Added to database: 5/21/2025, 9:09:08 AM
Last enriched: 6/30/2025, 7:39:33 PM
Last updated: 7/26/2025, 2:11:26 PM