CVE-2021-47119: Vulnerability in the Linux kernel

Medium
Published: Fri Mar 15 2024 (03/15/2024, 20:14:25 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

ext4: fix memory leak in ext4_fill_super

Buffer head references must be released before calling kill_bdev(); otherwise the buffer head (and its page referenced by b_data) will not be freed by kill_bdev, and subsequently that bh will be leaked.

If blocksizes differ, sb_set_blocksize() will kill current buffers and page cache by using kill_bdev(). And then super block will be reread again but using correct blocksize this time. sb_set_blocksize() didn't fully free superblock page and buffer head, and being busy, they were not freed and instead leaked.

This can easily be reproduced by calling an infinite loop of:

systemctl start <ext4_on_lvm>.mount, and
systemctl stop <ext4_on_lvm>.mount

... since systemd creates a cgroup for each slice which it mounts, and the bh leak gets amplified by a dying memory cgroup that also never gets freed, and memory consumption is much more easily noticed.

AI-Powered Analysis

Last updated: 06/30/2025, 21:58:11 UTC

Technical Analysis

CVE-2021-47119 is a vulnerability in the Linux kernel's ext4 filesystem implementation, specifically related to the ext4_fill_super function. The issue arises from improper handling of buffer head references before invoking kill_bdev(), a function responsible for releasing block device buffers. When blocksizes differ, the sb_set_blocksize() function attempts to kill current buffers and page cache by calling kill_bdev() and then rereads the superblock with the correct blocksize. However, sb_set_blocksize() fails to fully free the superblock page and buffer head, leaving them busy and causing a memory leak. This leak manifests as unreleased buffer heads and their associated pages, which accumulate over time. The vulnerability can be easily reproduced by repeatedly starting and stopping a mount unit (e.g., systemctl start <ext4_on_lvm>.mount and systemctl stop <ext4_on_lvm>.mount) in an infinite loop. The issue is exacerbated by systemd's creation of cgroups for each slice it mounts; the dying memory cgroup never gets freed, amplifying the buffer head leak and leading to noticeable memory consumption. Although no known exploits are reported in the wild, this vulnerability can lead to resource exhaustion on affected systems, potentially degrading system performance or causing denial of service due to memory exhaustion. The vulnerability affects Linux kernel versions identified by the given commit hashes and has been publicly disclosed as of March 15, 2024.

Potential Impact

For European organizations, this vulnerability poses a risk primarily to servers and infrastructure running Linux with ext4 filesystems, which is common in enterprise environments. The memory leak can lead to gradual resource exhaustion, impacting system stability and availability. Critical systems that rely on frequent mount/unmount operations or dynamic volume management (e.g., LVM on ext4) are particularly vulnerable. Over time, the leak could cause system slowdowns, crashes, or forced reboots, disrupting business operations and potentially leading to data unavailability. In environments with high systemd usage and containerization or cgroup-based resource management, the impact may be more pronounced. While this vulnerability does not directly compromise confidentiality or integrity, the availability impact can be significant, especially for services requiring high uptime. European organizations in sectors such as finance, healthcare, telecommunications, and government, which heavily rely on Linux-based infrastructure, may face operational risks if unpatched systems are exploited or inadvertently triggered.

Mitigation Recommendations

To mitigate this vulnerability, organizations should apply the official Linux kernel patches that address the ext4_fill_super memory leak. In the interim, administrators should monitor memory usage on systems running ext4 filesystems, particularly those with frequent mount/unmount cycles or heavy systemd cgroup usage. Limiting or avoiding rapid repeated mount/unmount operations can reduce the risk of triggering the leak. Implementing resource limits on cgroups to prevent excessive memory consumption and employing automated alerts for abnormal memory growth can help detect exploitation or inadvertent triggering early. Additionally, organizations should ensure that their Linux distributions are kept up to date with security patches and consider using alternative filesystems or kernel versions if immediate patching is not feasible. Regular system reboots may temporarily alleviate memory exhaustion but are not a substitute for patching. Finally, reviewing and hardening systemd configurations to minimize unnecessary cgroup creation and mount operations can reduce exposure.
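One way to implement the memory-growth alerting recommended above, as an added example that is not part of the original advisory or the kernel project. It samples cgroup v2's `nr_dying_descendants` (from `cgroup.stat`) and `MemAvailable` (from `/proc/meminfo`); the function names, thresholds and sample values are assumptions constructed for illustration, and the verdict is a heuristic, not proof of this specific leak.

```shell
#!/bin/sh
# Heuristic monitor for the leak signature described above: dying memory
# cgroups pile up while available memory shrinks across mount/unmount cycles.
# The default paths are real kernel interfaces (cgroup v2 and procfs);
# function names and thresholds are assumptions made for this example.

# Print nr_dying_descendants from a cgroup v2 cgroup.stat file.
dying_cgroups() {
    awk '$1 == "nr_dying_descendants" { print $2 }' "${1:-/sys/fs/cgroup/cgroup.stat}"
}

# Print MemAvailable (kB) from a meminfo-format file.
mem_available_kb() {
    awk '$1 == "MemAvailable:" { print $2 }' "${1:-/proc/meminfo}"
}

# One sample line: "<dying cgroups> <MemAvailable kB>".
take_sample() {
    echo "$(dying_cgroups "$1") $(mem_available_kb "$2")"
}

# Read sample lines on stdin. Verdict is SUSPECT when the dying-cgroup count
# never drops, grows by at least $1 (default 50), and MemAvailable falls by at
# least $2 kB (default 65536) between first and last sample; otherwise OK.
leak_verdict() {
    awk -v min_dying="${1:-50}" -v min_kb="${2:-65536}" '
        NR == 1 { d0 = $1 + 0; m0 = $2 + 0; prev = d0 }
        ($1 + 0) < prev { dropped = 1 }
        { prev = $1 + 0; d1 = prev; m1 = $2 + 0 }
        END {
            if (NR >= 2 && !dropped && d1 - d0 >= min_dying && m0 - m1 >= min_kb)
                printf "SUSPECT dying+%d memavail-%dkB\n", d1 - d0, m0 - m1
            else
                print "OK"
        }'
}

# Constructed samples (not real measurements), one line per polling interval.
CONSTRUCTED_LEAKING='12 8123400
41 8090112
77 8051200
118 8010988'
CONSTRUCTED_HEALTHY='12 8123400
30 8119000
9 8121500
14 8120100'

printf '%s\n' "$CONSTRUCTED_LEAKING" | leak_verdict
printf '%s\n' "$CONSTRUCTED_HEALTHY" | leak_verdict
```

On a live host, append `take_sample` output to a file at a fixed interval and pipe the most recent window into `leak_verdict`; dying cgroups also accumulate for benign reasons, so treat a SUSPECT verdict as a prompt to check the kernel version and mount activity.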

Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-03-04T18:12:48.838Z
Cisa Enriched: true
Cvss Version: null
State: PUBLISHED

Threat ID: 682d9834c4522896dcbe9daa

Added to database: 5/21/2025, 9:09:08 AM

Last enriched: 6/30/2025, 9:58:11 PM

Last updated: 8/17/2025, 12:08:34 PM
