CVE-2021-47044: Vulnerability in the Linux kernel
In the Linux kernel, the following vulnerability has been resolved:

sched/fair: Fix shift-out-of-bounds in load_balance()

Syzbot reported a handful of occurrences where an sd->nr_balance_failed can grow to much higher values than one would expect.

A successful load_balance() resets it to 0; a failed one increments it. Once it gets to sd->cache_nice_tries + 3, this *should* trigger an active balance, which will either set it to sd->cache_nice_tries+1 or reset it to 0. However, in case the to-be-active-balanced task is not allowed to run on env->dst_cpu, then the increment is done without any further modification.

This could then be repeated ad nauseam, and would explain the absurdly high values reported by syzbot (86, 149).

VincentG noted there is value in letting sd->cache_nice_tries grow, so the shift itself should be fixed. That means preventing:

  """
  If the value of the right operand is negative or is greater than or
  equal to the width of the promoted left operand, the behavior is
  undefined.
  """

Thus we need to cap the shift exponent to BITS_PER_TYPE(typeof(lefthand)) - 1.

I had a look around for other similar cases via coccinelle:

  @expr@
  position pos;
  expression E1;
  expression E2;
  @@
  (
  E1 >> E2@pos
  |
  E1 >> E2@pos
  )

  @cst depends on expr@
  position pos;
  expression expr.E1;
  constant cst;
  @@
  (
  E1 >> cst@pos
  |
  E1 << cst@pos
  )

  @script:python depends on !cst@
  pos << expr.pos;
  exp << expr.E2;
  @@
  # Dirty hack to ignore constexpr
  if exp.upper() != exp:
     coccilib.report.print_report(pos[0], "Possible UB shift here")

The only other match in kernel/sched is rq_clock_thermal() which employs sched_thermal_decay_shift, and that exponent is already capped to 10, so that one is fine.
AI Analysis
Technical Summary
CVE-2021-47044 is a vulnerability in the Linux kernel's CFS scheduler (kernel/sched/fair.c), resolved by the upstream commit "sched/fair: Fix shift-out-of-bounds in load_balance()". During periodic load balancing, sd->nr_balance_failed counts consecutive failed load_balance() calls: a successful call resets it to 0, a failed one increments it, and once it reaches sd->cache_nice_tries + 3 an active balance is supposed to either set it back to sd->cache_nice_tries + 1 or reset it to 0. If the task chosen for that active balance is not allowed to run on env->dst_cpu (its CPU affinity excludes that CPU), the increment happens but neither reset does, so the counter keeps climbing with every further failed attempt; syzbot observed values of 86 and 149. The counter is used as the exponent of a shift on a task-load value of type unsigned long (64 bits on 64-bit targets), and C leaves a shift undefined whenever the exponent is negative or greater than or equal to the width of the promoted left operand. On a kernel built with UBSAN this is reported as a shift-out-of-bounds, and with panic_on_warn set (as on syzbot's kernels) the report becomes a panic. Rather than clamp the counter, the fix clamps the shift exponent to BITS_PER_TYPE(typeof(lefthand)) - 1, so the counter may still grow while the shift stays defined; the commit also records a coccinelle sweep that found no other uncapped variable-exponent shift in kernel/sched (rq_clock_thermal() is already capped at 10). Two things the fix does not support should be stated plainly: no out-of-bounds memory access is involved, so the CWE-125 (Out-of-bounds Read) label attached to the record does not describe the mechanism, and nothing in the commit indicates memory corruption. The record carries a CVSS 3.1 score of 7.7 (high) with a local attack vector (AV:L), no privileges required (PR:N) and no user interaction (UI:N), and confidentiality and availability impacts. The code path is reachable from an unprivileged local process, since restricting a task's own CPU affinity with sched_setaffinity(2) needs no privilege. No known exploits are reported in the wild as of the publication date.
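The counter runaway and the two ways of writing the shift, as an added illustration that is not the kernel's code and not part of the original page. It follows the counter rules quoted in the commit message above (reset on success, increment on failure, active balance at cache_nice_tries + 3 that either cannot pull the counter back because the task is pinned away from dst_cpu, or sets it to cache_nice_tries + 1) and contrasts a raw `val >> exponent` with an exponent capped at BITS_PER_TYPE - 1. The names sd_model, balance_step, run_failures, shr_bound, shift_is_ub and task_too_heavy are assumed for the example; only nr_balance_failed, cache_nice_tries, load and imbalance are taken from the commit message, and the balancing loop is a simplification, not the kernel's algorithm.

```c
/*
 * Added example for CVE-2021-47044: illustration code, not kernel code.
 * Models the counter behaviour from the commit message and contrasts a
 * raw shift with a width-capped shift. sd_model, balance_step,
 * run_failures, shr_bound, shift_is_ub and task_too_heavy are assumed
 * names; nr_balance_failed, cache_nice_tries, load and imbalance come
 * from the commit message.
 */
#include <limits.h>
#include <stdio.h>

#define BITS_PER_TYPE(t) (sizeof(t) * CHAR_BIT)

/* True when `val >> shift` on an unsigned long is undefined in C: the
 * exponent is >= the width of the (already promoted) left operand. */
static int shift_is_ub(unsigned int shift)
{
    return shift >= BITS_PER_TYPE(unsigned long);
}

/* Width-capped right shift: the exponent is clamped to width - 1, so the
 * expression stays defined however large the counter grows. This is the
 * approach the commit message describes ("cap the shift exponent to
 * BITS_PER_TYPE(typeof(lefthand)) - 1"). */
static unsigned long shr_bound(unsigned long val, unsigned int shift)
{
    unsigned int max = BITS_PER_TYPE(unsigned long) - 1;

    return val >> (shift < max ? shift : max);
}

/* Minimal stand-in for the per-domain state named in the commit. */
struct sd_model {
    unsigned int nr_balance_failed;
    unsigned int cache_nice_tries;
};

/*
 * One periodic balance attempt: success resets to 0, failure increments,
 * and reaching cache_nice_tries + 3 should arm an active balance that
 * sets the counter to cache_nice_tries + 1. dst_allowed == 0 models the
 * chosen task not being allowed on env->dst_cpu: the increment has
 * already happened and nothing pulls the counter back down.
 */
static unsigned int balance_step(struct sd_model *sd, int moved, int dst_allowed)
{
    if (moved) {
        sd->nr_balance_failed = 0;
        return 0;
    }
    sd->nr_balance_failed++;
    if (sd->nr_balance_failed >= sd->cache_nice_tries + 3 && dst_allowed)
        sd->nr_balance_failed = sd->cache_nice_tries + 1;
    return sd->nr_balance_failed;
}

/* Run n consecutive failed attempts and return the final counter. */
static unsigned int run_failures(struct sd_model *sd, unsigned int n, int dst_allowed)
{
    unsigned int v = sd->nr_balance_failed;

    while (n--)
        v = balance_step(sd, 0, dst_allowed);
    return v;
}

/*
 * The "relax the constraint as failures pile up" check written with the
 * capped shift: a task is skipped while its scaled load exceeds the
 * imbalance, and the scaling gets more generous with every failure.
 */
static int task_too_heavy(unsigned long load, unsigned long imbalance,
                          unsigned int nr_balance_failed)
{
    return shr_bound(load, nr_balance_failed) > imbalance;
}

int main(void)
{
    struct sd_model pinned = { 0, 1 }, normal = { 0, 1 };
    unsigned int runaway = run_failures(&pinned, 149, 0);
    unsigned int bounded = run_failures(&normal, 149, 1);

    printf("pinned task: nr_balance_failed=%u, raw shift undefined: %s\n",
           runaway, shift_is_ub(runaway) ? "yes" : "no");
    printf("task allowed on dst_cpu: nr_balance_failed=%u\n", bounded);
    printf("load 1024 scaled by capped shift of %u: %lu\n",
           runaway, shr_bound(1024UL, runaway));
    return 0;
}
```

With the pinned task the counter reaches 149 after 149 failed attempts, exactly the value syzbot reported, and shift_is_ub() flags it; with a task that may run on dst_cpu the active balance keeps the counter oscillating between cache_nice_tries + 1 and cache_nice_tries + 2. The capped shift turns the oversized exponent into a defined result (0 for any load below 2^63 on a 64-bit build), which is the behaviour the fix wants: the task is treated as light enough to migrate, and the counter is free to keep growing.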
Potential Impact
For European organizations the exposure is on any host running an unpatched kernel with the affected scheduler code: ordinary multi-core Linux servers, virtual machines and container hosts in data centres, cloud and enterprise environments. No special workload is needed beyond runnable tasks whose CPU affinity keeps them off the balancing target CPU, which an unprivileged process can arrange. The realistic consequence is availability. On a kernel built with UBSAN (as syzbot's test kernels are) the undefined shift is reported as a shift-out-of-bounds, and with panic_on_warn set that report becomes a panic, i.e. a denial of service. On a production kernel built without UBSAN the compiler or hardware yields some value for the oversized shift, which at worst perturbs a load-balancing heuristic. Nothing in the fix points to memory corruption, so the confidentiality impact carried in the CVSS vector should be read as a conservative rating rather than a known disclosure path; no integrity impact is noted. The local attack vector means an attacker already needs to run code on the host, for example through a compromised account, a malicious insider or a tenant workload on shared infrastructure. Given the breadth of Linux in European government, financial, telecommunications and industrial sectors, even a crash-only primitive on shared hosts is worth closing. The absence of known exploits lowers the immediate risk but does not remove it.
Mitigation Recommendations
European organizations should patch first: the fix is the commit "sched/fair: Fix shift-out-of-bounds in load_balance()", which landed upstream in v5.12 and was backported to the stable series carrying the affected code, so update to a distribution kernel that includes it and confirm the running version (uname -r) against the vendor advisory for this CVE. Kernel updates should be tested and deployed promptly in production environments. Where patching must wait, two points matter. First, the trigger is ordinary scheduler activity with affinity-restricted tasks, so there is no configuration knob that removes the code path and nothing to gain from restricting scheduling policies; limiting local access to trusted users is the only real reduction in exposure. Second, whether the bug is a crash or merely a bad heuristic depends on the build: check whether CONFIG_UBSAN (and its shift checker) is enabled in the running kernel's configuration (/boot/config-$(uname -r) or /proc/config.gz) and whether kernel.panic_on_warn is set, since only that combination turns the undefined shift into a panic. Generic hardening such as KASLR, SELinux or AppArmor does nothing against this class of bug and should not be counted as a mitigation. For monitoring, the observable signal on a UBSAN-enabled kernel is a "UBSAN: shift-out-of-bounds in kernel/sched/fair.c" line in the kernel log followed by a "shift exponent N is too large for 64-bit type 'unsigned long'" line; there is no log line mentioning sd->nr_balance_failed, so alerting should key on that report rather than on counter values. Finally, coordinate with Linux distribution vendors for advisories and backports.
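The monitoring step above in working form, as an added example that is not part of the original page: a small scanner that walks kernel log lines, pairs each UBSAN shift-out-of-bounds header from kernel/sched/fair.c with the "shift exponent N ..." line that follows it, and reports how many such reports occurred and the largest exponent seen. The sample lines are constructed to match the two-line shape of a UBSAN shift report; the timestamps, file:line:column positions, PID, command name, kernel version string and the second (non-scheduler) report are placeholders, not values from any real report. The function name scan_sched_shift_reports is assumed for the example.

```c
/*
 * Added example: triage helper for kernel logs on an unpatched,
 * UBSAN-enabled kernel. Illustration code, not part of the page or the
 * kernel. The sample lines are CONSTRUCTED: they follow the two-line
 * shape of a UBSAN shift-out-of-bounds report, but timestamps,
 * file:line:column, PID, command name and version are placeholders.
 * scan_sched_shift_reports is an assumed name.
 */
#include <stdio.h>
#include <string.h>

#define SCHED_NEEDLE "UBSAN: shift-out-of-bounds in kernel/sched/fair.c"
#define EXPONENT_KEY "shift exponent "

/* Constructed sample of dmesg output; not a captured log. */
static const char *const sample_dmesg[] = {
    "[  812.340011] UBSAN: shift-out-of-bounds in kernel/sched/fair.c:7777:14",
    "[  812.340020] shift exponent 149 is too large for 64-bit type 'unsigned long'",
    "[  812.340031] CPU: 1 PID: 4711 Comm: syz-executor Not tainted 5.11.0-example #1",
    "[  830.100000] UBSAN: shift-out-of-bounds in drivers/example/example.c:42:9",
    "[  830.100010] shift exponent 40 is too large for 32-bit type 'int'",
    "[  841.000000] UBSAN: shift-out-of-bounds in kernel/sched/fair.c:7777:14",
    "[  841.000010] shift exponent 86 is too large for 64-bit type 'unsigned long'",
};
#define SAMPLE_DMESG_LINES (sizeof(sample_dmesg) / sizeof(sample_dmesg[0]))

/*
 * Count the shift-out-of-bounds reports that originate in
 * kernel/sched/fair.c and record the largest exponent seen. The exponent
 * is printed on the line after the header, so each header is paired with
 * the next line. Returns the number of matching reports; *max_exponent
 * stays 0 when none matched or no exponent line could be parsed.
 */
static int scan_sched_shift_reports(const char *const *lines, size_t nlines,
                                    unsigned int *max_exponent)
{
    int hits = 0;
    size_t i;

    *max_exponent = 0;
    for (i = 0; i < nlines; i++) {
        const char *key;
        unsigned int exponent;

        if (!strstr(lines[i], SCHED_NEEDLE))
            continue;
        hits++;
        if (i + 1 >= nlines)
            break;
        key = strstr(lines[i + 1], EXPONENT_KEY);
        if (!key || sscanf(key + strlen(EXPONENT_KEY), "%u", &exponent) != 1)
            continue;
        if (exponent > *max_exponent)
            *max_exponent = exponent;
    }
    return hits;
}

int main(void)
{
    unsigned int worst;
    int n = scan_sched_shift_reports(sample_dmesg, SAMPLE_DMESG_LINES, &worst);

    if (n)
        printf("%d sched/fair shift-out-of-bounds report(s), largest exponent %u\n",
               n, worst);
    else
        printf("no sched/fair shift-out-of-bounds reports\n");
    return 0;
}
```

On the constructed sample the scanner reports two scheduler hits with a largest exponent of 149 and ignores the unrelated driver report. To use it on a real host, read `dmesg` or `journalctl -k` into the line array in place of sample_dmesg; any hit means the host is both unpatched and running a UBSAN build, and if kernel.panic_on_warn is also set the next occurrence is a panic rather than a log line.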
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden, Poland, Belgium, Finland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-02-27T18:42:55.969Z
- CISA Enriched: true
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 682d9834c4522896dcbe9b73
Added to database: 5/21/2025, 9:09:08 AM
Last enriched: 7/3/2025, 5:43:33 AM
Last updated: 8/11/2025, 3:31:16 AM