
CVE-2021-47075: Vulnerability in Linux

Severity: Medium
Published: Fri Mar 01 2024 (03/01/2024, 21:15:12 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved: nvmet: fix memory leak in nvmet_alloc_ctrl(). When creating a ctrl in nvmet_alloc_ctrl(), if cntlid_min is larger than the subsystem's cntlid_max, the function jumps to the "out_free_changed_ns_list" label, but ctrl->sqs is never freed. Fix this by jumping to the "out_free_sqs" label instead.

AI-Powered Analysis

Last updated: 06/30/2025, 20:57:26 UTC

Technical Analysis

CVE-2021-47075 is a medium-severity vulnerability identified in the Linux kernel's NVMe target (nvmet) subsystem. The issue arises in the nvmet_alloc_ctrl() function responsible for allocating and initializing NVMe controller structures. Specifically, when the minimum controller ID (cntlid_min) is larger than the maximum controller ID (cntlid_max) of the subsystem, the function jumps to an error handling label 'out_free_changed_ns_list'. However, in this error path, the allocated memory for ctrl->sqs (submission queues) is not freed, resulting in a memory leak. This leak occurs because the cleanup code does not properly release all allocated resources upon this specific error condition. The fix involves redirecting the error handling to the 'out_free_sqs' label, ensuring that the submission queues are correctly freed and preventing the memory leak. The vulnerability has a CVSS 3.1 base score of 5.3, indicating a medium severity level. The vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) shows that the vulnerability is remotely exploitable over the network without requiring privileges or user interaction, but it only impacts availability (memory leak), not confidentiality or integrity. No known exploits are currently reported in the wild. This vulnerability affects Linux kernel versions identified by the given commit hashes, and it is relevant for systems running the NVMe target subsystem, which is used for exposing NVMe devices over a network. The flaw could lead to resource exhaustion on affected systems if triggered repeatedly, potentially causing denial of service due to memory leaks in kernel space.
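The cleanup-ladder mistake described above is easiest to see in a small model. The following is an added example, not the kernel's nvmet code or the patch itself: a constructed C program that reproduces the goto-unwind shape (ctrl, changed_ns_list, sqs, and the labels out_free_sqs / out_free_changed_ns_list / out_free_ctrl named in the advisory) and counts live heap blocks so the leak is observable. The struct layout, allocation sizes, the live_allocs counter and the helper names are assumptions made for the illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed model (not kernel code): live_allocs counts outstanding heap
 * blocks so that a leaked allocation shows up as a non-zero remainder. */
static int live_allocs;

static void *xzalloc(size_t n)
{
    void *p = calloc(1, n);
    if (p)
        live_allocs++;
    return p;
}

static void xfree(void *p)
{
    if (p)
        live_allocs--;
    free(p);
}

struct subsys {
    uint16_t cntlid_min;      /* assumed field names, following the advisory text */
    uint16_t cntlid_max;
    unsigned int max_qid;
};

struct ctrl {
    struct subsys *subsys;
    void *changed_ns_list;
    void **sqs;
    uint16_t cntlid;
};

/* Shared body for both variants. 'fixed' selects which label the
 * controller-ID range check jumps to. Each label frees exactly one resource
 * and falls through to the next, so a failure must jump to the label of the
 * most recently allocated resource that is still live. */
static int alloc_ctrl(struct subsys *ss, struct ctrl **out, int fixed)
{
    struct ctrl *c;
    int ret;

    c = xzalloc(sizeof(*c));
    if (!c)
        return -ENOMEM;
    c->subsys = ss;

    c->changed_ns_list = xzalloc(64);          /* size is a placeholder */
    if (!c->changed_ns_list) {
        ret = -ENOMEM;
        goto out_free_ctrl;
    }

    c->sqs = xzalloc((ss->max_qid + 1) * sizeof(*c->sqs));
    if (!c->sqs) {
        ret = -ENOMEM;
        goto out_free_changed_ns_list;
    }

    /* sqs is live from here on, so any later failure must unwind via out_free_sqs. */
    if (ss->cntlid_min > ss->cntlid_max) {
        ret = -EINVAL;
        if (fixed)
            goto out_free_sqs;               /* patched behaviour */
        goto out_free_changed_ns_list;       /* pre-fix behaviour: sqs is skipped */
    }

    c->cntlid = ss->cntlid_min;
    *out = c;
    return 0;

out_free_sqs:
    xfree(c->sqs);
out_free_changed_ns_list:
    xfree(c->changed_ns_list);
out_free_ctrl:
    xfree(c);
    return ret;
}

static void free_ctrl(struct ctrl *c)
{
    xfree(c->sqs);
    xfree(c->changed_ns_list);
    xfree(c);
}

/* Run 'tries' controller allocations against the given ID range, freeing any
 * that succeed, and return how many heap blocks are still outstanding. */
static int leaked_after_alloc(uint16_t cntlid_min, uint16_t cntlid_max, int tries, int fixed)
{
    struct subsys ss = { .cntlid_min = cntlid_min, .cntlid_max = cntlid_max, .max_qid = 3 };
    struct ctrl *c = NULL;

    live_allocs = 0;
    for (int i = 0; i < tries; i++) {
        if (alloc_ctrl(&ss, &c, fixed) == 0)
            free_ctrl(c);
    }
    return live_allocs;
}

int main(void)
{
    printf("pre-fix, invalid range: %d blocks leaked after 1000 attempts\n",
           leaked_after_alloc(10, 5, 1000, 0));
    printf("fixed,   invalid range: %d blocks leaked after 1000 attempts\n",
           leaked_after_alloc(10, 5, 1000, 1));
    printf("fixed,   valid range:   %d blocks leaked after 1000 attempts\n",
           leaked_after_alloc(1, 10, 1000, 1));
    return 0;
}
```

The model makes the advisory's point concrete: with the pre-fix jump target, every rejected controller allocation leaves one sqs block behind, which is why repeated triggering of the error path can exhaust kernel memory, while the patched target unwinds cleanly.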

Potential Impact

For European organizations, the impact of CVE-2021-47075 primarily concerns availability degradation on Linux servers that utilize the NVMe target subsystem. Organizations deploying NVMe over Fabrics (NVMe-oF) for high-performance storage networking could experience memory leaks leading to kernel memory exhaustion and potential system instability or crashes. This could disrupt critical services relying on storage access, impacting business continuity. Although the vulnerability does not compromise confidentiality or integrity, denial of service in storage infrastructure can have significant operational and financial consequences, especially in data centers, cloud providers, and enterprises with large-scale Linux-based storage deployments. The fact that exploitation requires no privileges or user interaction increases the risk surface, particularly if NVMe target services are exposed to untrusted networks. However, the absence of known exploits in the wild reduces immediate risk. European organizations with strict uptime and availability requirements, such as financial institutions, healthcare providers, and telecommunications companies, should prioritize patching to avoid potential disruptions.

Mitigation Recommendations

To mitigate CVE-2021-47075, European organizations should:

1) Apply the official Linux kernel patches that fix the nvmet_alloc_ctrl() memory leak as soon as possible. Monitor kernel updates from trusted Linux distributions and vendors to ensure timely deployment.
2) Audit and restrict network access to NVMe target services, limiting exposure to untrusted or public networks to reduce the attack surface.
3) Implement monitoring and alerting on kernel memory usage and nvmet subsystem logs to detect abnormal memory consumption patterns indicative of exploitation attempts.
4) Consider deploying kernel live patching solutions where available to minimize downtime during patch application.
5) Review and harden NVMe target configurations to enforce strict validation of controller ID ranges and input parameters, reducing the likelihood of triggering the error condition.
6) Conduct regular security assessments and penetration testing focused on storage networking components to identify and remediate similar vulnerabilities proactively.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-02-29T22:33:44.297Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d9834c4522896dcbe9c3f

Added to database: 5/21/2025, 9:09:08 AM

Last enriched: 6/30/2025, 8:57:26 PM

Last updated: 7/31/2025, 3:56:43 AM
