CVE-2021-47118: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: pid: take a reference when initializing `cad_pid` During boot, kernel_init_freeable() initializes `cad_pid` to the init task's struct pid. Later on, we may change `cad_pid` via a sysctl, and when this happens proc_do_cad_pid() will increment the refcount on the new pid via get_pid(), and will decrement the refcount on the old pid via put_pid(). As we never called get_pid() when we initialized `cad_pid`, we decrement a reference we never incremented, can therefore free the init task's struct pid early. As there can be dangling references to the struct pid, we can later encounter a use-after-free (e.g. when delivering signals). This was spotted when fuzzing v5.13-rc3 with Syzkaller, but seems to have been around since the conversion of `cad_pid` to struct pid in commit 9ec52099e4b8 ("[PATCH] replace cad_pid by a struct pid") from the pre-KASAN stone age of v2.6.19. Fix this by getting a reference to the init task's struct pid when we assign it to `cad_pid`. Full KASAN splat below. ================================================================== BUG: KASAN: use-after-free in ns_of_pid include/linux/pid.h:153 [inline] BUG: KASAN: use-after-free in task_active_pid_ns+0xc0/0xc8 kernel/pid.c:509 Read of size 4 at addr ffff23794dda0004 by task syz-executor.0/273 CPU: 1 PID: 273 Comm: syz-executor.0 Not tainted 5.12.0-00001-g9aef892b2d15 #1 Hardware name: linux,dummy-virt (DT) Call trace: ns_of_pid include/linux/pid.h:153 [inline] task_active_pid_ns+0xc0/0xc8 kernel/pid.c:509 do_notify_parent+0x308/0xe60 kernel/signal.c:1950 exit_notify kernel/exit.c:682 [inline] do_exit+0x2334/0x2bd0 kernel/exit.c:845 do_group_exit+0x108/0x2c8 kernel/exit.c:922 get_signal+0x4e4/0x2a88 kernel/signal.c:2781 do_signal arch/arm64/kernel/signal.c:882 [inline] do_notify_resume+0x300/0x970 arch/arm64/kernel/signal.c:936 work_pending+0xc/0x2dc Allocated by task 0: slab_post_alloc_hook+0x50/0x5c0 mm/slab.h:516 slab_alloc_node mm/slub.c:2907 [inline] slab_alloc mm/slub.c:2915 [inline] kmem_cache_alloc+0x1f4/0x4c0 mm/slub.c:2920 alloc_pid+0xdc/0xc00 kernel/pid.c:180 copy_process+0x2794/0x5e18 kernel/fork.c:2129 kernel_clone+0x194/0x13c8 kernel/fork.c:2500 kernel_thread+0xd4/0x110 kernel/fork.c:2552 rest_init+0x44/0x4a0 init/main.c:687 arch_call_rest_init+0x1c/0x28 start_kernel+0x520/0x554 init/main.c:1064 0x0 Freed by task 270: slab_free_hook mm/slub.c:1562 [inline] slab_free_freelist_hook+0x98/0x260 mm/slub.c:1600 slab_free mm/slub.c:3161 [inline] kmem_cache_free+0x224/0x8e0 mm/slub.c:3177 put_pid.part.4+0xe0/0x1a8 kernel/pid.c:114 put_pid+0x30/0x48 kernel/pid.c:109 proc_do_cad_pid+0x190/0x1b0 kernel/sysctl.c:1401 proc_sys_call_handler+0x338/0x4b0 fs/proc/proc_sysctl.c:591 proc_sys_write+0x34/0x48 fs/proc/proc_sysctl.c:617 call_write_iter include/linux/fs.h:1977 [inline] new_sync_write+0x3ac/0x510 fs/read_write.c:518 vfs_write fs/read_write.c:605 [inline] vfs_write+0x9c4/0x1018 fs/read_write.c:585 ksys_write+0x124/0x240 fs/read_write.c:658 __do_sys_write fs/read_write.c:670 [inline] __se_sys_write fs/read_write.c:667 [inline] __arm64_sys_write+0x78/0xb0 fs/read_write.c:667 __invoke_syscall arch/arm64/kernel/syscall.c:37 [inline] invoke_syscall arch/arm64/kernel/syscall.c:49 [inline] el0_svc_common.constprop.1+0x16c/0x388 arch/arm64/kernel/syscall.c:129 do_el0_svc+0xf8/0x150 arch/arm64/kernel/syscall.c:168 el0_svc+0x28/0x38 arch/arm64/kernel/entry-common.c:416 el0_sync_handler+0x134/0x180 arch/arm64/kernel/entry-common.c:432 el0_sync+0x154/0x180 arch/arm64/kernel/entry.S:701 The buggy address belongs to the object at ffff23794dda0000 which belongs to the cache pid of size 224 The buggy address is located 4 bytes inside of 224-byte region [ff ---truncated---
AI Analysis
Technical Summary
CVE-2021-47118 is a use-after-free vulnerability in the Linux kernel related to the handling of the `cad_pid` variable, which is a struct pid reference used during system boot and later modifiable via sysctl. The issue arises because during the initialization of `cad_pid` in the kernel_init_freeable() function, a reference count increment (get_pid()) is not performed on the init task's struct pid. Later, when `cad_pid` is changed through proc_do_cad_pid(), the kernel decrements the reference count on the old pid via put_pid(), which leads to freeing the init task's struct pid prematurely. This results in dangling pointers and a use-after-free condition, which can cause kernel memory corruption and potentially lead to system instability or privilege escalation. The vulnerability was discovered through fuzz testing with Syzkaller on Linux kernel version 5.13-rc3 but has existed since the conversion of `cad_pid` to struct pid in kernel version 2.6.19. The root cause is a missing reference count increment on the initial assignment of `cad_pid`. The bug manifests during signal delivery and process exit handling, as indicated by the KASAN (Kernel Address Sanitizer) error logs. The fix involves properly incrementing the reference count on the init task's struct pid when assigning it to `cad_pid`. This vulnerability affects all Linux kernel versions from 2.6.19 up to the patched versions after 5.13-rc3, impacting any system using affected kernels. No known exploits are currently reported in the wild, but the nature of the bug could allow local attackers to cause denial of service or potentially escalate privileges by exploiting kernel memory corruption.
Potential Impact
For European organizations, this vulnerability poses a significant risk primarily to servers, embedded devices, and infrastructure running affected Linux kernel versions. Since Linux is widely deployed across European enterprises, cloud providers, telecommunications, and critical infrastructure, exploitation could lead to system crashes, denial of service, or privilege escalation attacks. This could disrupt business operations, impact service availability, and compromise sensitive data. Particularly at risk are organizations running custom or outdated Linux kernels without timely patching, including industrial control systems and IoT devices that may not receive regular updates. The vulnerability's exploitation requires local access or the ability to execute code on the system, which means attackers would need some foothold or insider access. However, once exploited, the attacker could gain elevated privileges or destabilize critical systems. The lack of known exploits suggests limited immediate threat, but the long existence of the bug means it could be targeted in the future. European organizations with stringent security and compliance requirements must prioritize patching to mitigate potential operational and reputational damage.
Mitigation Recommendations
1. Immediate application of the official Linux kernel patches that fix the reference counting issue with `cad_pid`. Organizations should track vendor advisories and update kernels to versions released after the fix (post 5.13-rc3). 2. For systems where kernel upgrades are not immediately feasible, implement strict access controls to limit local user privileges and prevent untrusted users from modifying sysctl parameters or executing arbitrary code. 3. Employ kernel hardening techniques such as Kernel Address Sanitizer (KASAN) and other memory safety tools during development and testing phases to detect similar issues early. 4. Monitor system logs and kernel messages for anomalies related to process exit and signal handling that could indicate exploitation attempts. 5. For embedded and IoT devices, coordinate with vendors to ensure timely firmware updates or consider network segmentation to isolate vulnerable devices. 6. Conduct regular vulnerability assessments and penetration testing focusing on kernel-level vulnerabilities to identify potential exploitation paths. 7. Educate system administrators about the risks of running outdated kernels and the importance of timely patch management, especially in critical infrastructure environments.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland, Belgium
CVE-2021-47118: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: pid: take a reference when initializing `cad_pid` During boot, kernel_init_freeable() initializes `cad_pid` to the init task's struct pid. Later on, we may change `cad_pid` via a sysctl, and when this happens proc_do_cad_pid() will increment the refcount on the new pid via get_pid(), and will decrement the refcount on the old pid via put_pid(). As we never called get_pid() when we initialized `cad_pid`, we decrement a reference we never incremented, can therefore free the init task's struct pid early. As there can be dangling references to the struct pid, we can later encounter a use-after-free (e.g. when delivering signals). This was spotted when fuzzing v5.13-rc3 with Syzkaller, but seems to have been around since the conversion of `cad_pid` to struct pid in commit 9ec52099e4b8 ("[PATCH] replace cad_pid by a struct pid") from the pre-KASAN stone age of v2.6.19. Fix this by getting a reference to the init task's struct pid when we assign it to `cad_pid`. Full KASAN splat below. ================================================================== BUG: KASAN: use-after-free in ns_of_pid include/linux/pid.h:153 [inline] BUG: KASAN: use-after-free in task_active_pid_ns+0xc0/0xc8 kernel/pid.c:509 Read of size 4 at addr ffff23794dda0004 by task syz-executor.0/273 CPU: 1 PID: 273 Comm: syz-executor.0 Not tainted 5.12.0-00001-g9aef892b2d15 #1 Hardware name: linux,dummy-virt (DT) Call trace: ns_of_pid include/linux/pid.h:153 [inline] task_active_pid_ns+0xc0/0xc8 kernel/pid.c:509 do_notify_parent+0x308/0xe60 kernel/signal.c:1950 exit_notify kernel/exit.c:682 [inline] do_exit+0x2334/0x2bd0 kernel/exit.c:845 do_group_exit+0x108/0x2c8 kernel/exit.c:922 get_signal+0x4e4/0x2a88 kernel/signal.c:2781 do_signal arch/arm64/kernel/signal.c:882 [inline] do_notify_resume+0x300/0x970 arch/arm64/kernel/signal.c:936 work_pending+0xc/0x2dc Allocated by task 0: slab_post_alloc_hook+0x50/0x5c0 mm/slab.h:516 slab_alloc_node mm/slub.c:2907 [inline] slab_alloc mm/slub.c:2915 [inline] kmem_cache_alloc+0x1f4/0x4c0 mm/slub.c:2920 alloc_pid+0xdc/0xc00 kernel/pid.c:180 copy_process+0x2794/0x5e18 kernel/fork.c:2129 kernel_clone+0x194/0x13c8 kernel/fork.c:2500 kernel_thread+0xd4/0x110 kernel/fork.c:2552 rest_init+0x44/0x4a0 init/main.c:687 arch_call_rest_init+0x1c/0x28 start_kernel+0x520/0x554 init/main.c:1064 0x0 Freed by task 270: slab_free_hook mm/slub.c:1562 [inline] slab_free_freelist_hook+0x98/0x260 mm/slub.c:1600 slab_free mm/slub.c:3161 [inline] kmem_cache_free+0x224/0x8e0 mm/slub.c:3177 put_pid.part.4+0xe0/0x1a8 kernel/pid.c:114 put_pid+0x30/0x48 kernel/pid.c:109 proc_do_cad_pid+0x190/0x1b0 kernel/sysctl.c:1401 proc_sys_call_handler+0x338/0x4b0 fs/proc/proc_sysctl.c:591 proc_sys_write+0x34/0x48 fs/proc/proc_sysctl.c:617 call_write_iter include/linux/fs.h:1977 [inline] new_sync_write+0x3ac/0x510 fs/read_write.c:518 vfs_write fs/read_write.c:605 [inline] vfs_write+0x9c4/0x1018 fs/read_write.c:585 ksys_write+0x124/0x240 fs/read_write.c:658 __do_sys_write fs/read_write.c:670 [inline] __se_sys_write fs/read_write.c:667 [inline] __arm64_sys_write+0x78/0xb0 fs/read_write.c:667 __invoke_syscall arch/arm64/kernel/syscall.c:37 [inline] invoke_syscall arch/arm64/kernel/syscall.c:49 [inline] el0_svc_common.constprop.1+0x16c/0x388 arch/arm64/kernel/syscall.c:129 do_el0_svc+0xf8/0x150 arch/arm64/kernel/syscall.c:168 el0_svc+0x28/0x38 arch/arm64/kernel/entry-common.c:416 el0_sync_handler+0x134/0x180 arch/arm64/kernel/entry-common.c:432 el0_sync+0x154/0x180 arch/arm64/kernel/entry.S:701 The buggy address belongs to the object at ffff23794dda0000 which belongs to the cache pid of size 224 The buggy address is located 4 bytes inside of 224-byte region [ff ---truncated---
AI-Powered Analysis
Technical Analysis
CVE-2021-47118 is a use-after-free vulnerability in the Linux kernel related to the handling of the `cad_pid` variable, which is a struct pid reference used during system boot and later modifiable via sysctl. The issue arises because during the initialization of `cad_pid` in the kernel_init_freeable() function, a reference count increment (get_pid()) is not performed on the init task's struct pid. Later, when `cad_pid` is changed through proc_do_cad_pid(), the kernel decrements the reference count on the old pid via put_pid(), which leads to freeing the init task's struct pid prematurely. This results in dangling pointers and a use-after-free condition, which can cause kernel memory corruption and potentially lead to system instability or privilege escalation. The vulnerability was discovered through fuzz testing with Syzkaller on Linux kernel version 5.13-rc3 but has existed since the conversion of `cad_pid` to struct pid in kernel version 2.6.19. The root cause is a missing reference count increment on the initial assignment of `cad_pid`. The bug manifests during signal delivery and process exit handling, as indicated by the KASAN (Kernel Address Sanitizer) error logs. The fix involves properly incrementing the reference count on the init task's struct pid when assigning it to `cad_pid`. This vulnerability affects all Linux kernel versions from 2.6.19 up to the patched versions after 5.13-rc3, impacting any system using affected kernels. No known exploits are currently reported in the wild, but the nature of the bug could allow local attackers to cause denial of service or potentially escalate privileges by exploiting kernel memory corruption.
Potential Impact
For European organizations, this vulnerability poses a significant risk primarily to servers, embedded devices, and infrastructure running affected Linux kernel versions. Since Linux is widely deployed across European enterprises, cloud providers, telecommunications, and critical infrastructure, exploitation could lead to system crashes, denial of service, or privilege escalation attacks. This could disrupt business operations, impact service availability, and compromise sensitive data. Particularly at risk are organizations running custom or outdated Linux kernels without timely patching, including industrial control systems and IoT devices that may not receive regular updates. The vulnerability's exploitation requires local access or the ability to execute code on the system, which means attackers would need some foothold or insider access. However, once exploited, the attacker could gain elevated privileges or destabilize critical systems. The lack of known exploits suggests limited immediate threat, but the long existence of the bug means it could be targeted in the future. European organizations with stringent security and compliance requirements must prioritize patching to mitigate potential operational and reputational damage.
Mitigation Recommendations
1. Immediate application of the official Linux kernel patches that fix the reference counting issue with `cad_pid`. Organizations should track vendor advisories and update kernels to versions released after the fix (post 5.13-rc3). 2. For systems where kernel upgrades are not immediately feasible, implement strict access controls to limit local user privileges and prevent untrusted users from modifying sysctl parameters or executing arbitrary code. 3. Employ kernel hardening techniques such as Kernel Address Sanitizer (KASAN) and other memory safety tools during development and testing phases to detect similar issues early. 4. Monitor system logs and kernel messages for anomalies related to process exit and signal handling that could indicate exploitation attempts. 5. For embedded and IoT devices, coordinate with vendors to ensure timely firmware updates or consider network segmentation to isolate vulnerable devices. 6. Conduct regular vulnerability assessments and penetration testing focusing on kernel-level vulnerabilities to identify potential exploitation paths. 7. Educate system administrators about the risks of running outdated kernels and the importance of timely patch management, especially in critical infrastructure environments.
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2024-03-04T18:12:48.838Z
- Cisa Enriched
- true
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 682d9834c4522896dcbe9da6
Added to database: 5/21/2025, 9:09:08 AM
Last enriched: 6/30/2025, 9:57:32 PM
Last updated: 8/1/2025, 12:33:18 AM
Views: 11
Related Threats
CVE-2025-9093: Improper Export of Android Application Components in BuzzFeed App
MediumResearcher to release exploit for full auth bypass on FortiWeb
HighCVE-2025-9091: Hard-coded Credentials in Tenda AC20
LowCVE-2025-9090: Command Injection in Tenda AC20
MediumCVE-2025-9092: CWE-400 Uncontrolled Resource Consumption in Legion of the Bouncy Castle Inc. Bouncy Castle for Java - BC-FJA 2.1.0
LowActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.