
CVE-2021-47196: Vulnerability in Linux (Linux kernel)

Severity: High
Tags: Vulnerability, CVE-2021-47196, cve
Published: Wed Apr 10 2024 (04/10/2024, 18:56:32 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

RDMA/core: Set send and receive CQ before forwarding to the driver

Preset both receive and send CQ pointers prior to the call to the drivers and overwrite it later again till the mlx4 is going to be changed to not overwrite ibqp properties.

This change is needed for mlx5, because in case of QP creation failure, it will go to the path of QP destroy which relies on proper CQ pointers.

BUG: KASAN: use-after-free in create_qp.cold+0x164/0x16e [mlx5_ib]
Write of size 8 at addr ffff8880064c55c0 by task a.out/246
CPU: 0 PID: 246 Comm: a.out Not tainted 5.15.0+ #291
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
Call Trace:
 dump_stack_lvl+0x45/0x59
 print_address_description.constprop.0+0x1f/0x140
 kasan_report.cold+0x83/0xdf
 create_qp.cold+0x164/0x16e [mlx5_ib]
 mlx5_ib_create_qp+0x358/0x28a0 [mlx5_ib]
 create_qp.part.0+0x45b/0x6a0 [ib_core]
 ib_create_qp_user+0x97/0x150 [ib_core]
 ib_uverbs_handler_UVERBS_METHOD_QP_CREATE+0x92c/0x1250 [ib_uverbs]
 ib_uverbs_cmd_verbs+0x1c38/0x3150 [ib_uverbs]
 ib_uverbs_ioctl+0x169/0x260 [ib_uverbs]
 __x64_sys_ioctl+0x866/0x14d0
 do_syscall_64+0x3d/0x90
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Allocated by task 246:
 kasan_save_stack+0x1b/0x40
 __kasan_kmalloc+0xa4/0xd0
 create_qp.part.0+0x92/0x6a0 [ib_core]
 ib_create_qp_user+0x97/0x150 [ib_core]
 ib_uverbs_handler_UVERBS_METHOD_QP_CREATE+0x92c/0x1250 [ib_uverbs]
 ib_uverbs_cmd_verbs+0x1c38/0x3150 [ib_uverbs]
 ib_uverbs_ioctl+0x169/0x260 [ib_uverbs]
 __x64_sys_ioctl+0x866/0x14d0
 do_syscall_64+0x3d/0x90
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Freed by task 246:
 kasan_save_stack+0x1b/0x40
 kasan_set_track+0x1c/0x30
 kasan_set_free_info+0x20/0x30
 __kasan_slab_free+0x10c/0x150
 slab_free_freelist_hook+0xb4/0x1b0
 kfree+0xe7/0x2a0
 create_qp.part.0+0x52b/0x6a0 [ib_core]
 ib_create_qp_user+0x97/0x150 [ib_core]
 ib_uverbs_handler_UVERBS_METHOD_QP_CREATE+0x92c/0x1250 [ib_uverbs]
 ib_uverbs_cmd_verbs+0x1c38/0x3150 [ib_uverbs]
 ib_uverbs_ioctl+0x169/0x260 [ib_uverbs]
 __x64_sys_ioctl+0x866/0x14d0
 do_syscall_64+0x3d/0x90
 entry_SYSCALL_64_after_hwframe+0x44/0xae

AI-Powered Analysis

AI analysis last updated: 06/26/2025, 17:35:35 UTC

Technical Analysis

CVE-2021-47196 is a use-after-free in the Linux kernel's RDMA (Remote Direct Memory Access) subsystem, at the boundary between the generic verbs core (ib_core) and the mlx5_ib driver. It is hit while creating a Queue Pair (QP), the send/receive work-queue pair on which every RDMA connection is built. When ib_core creates a QP it allocates the struct ib_qp itself and then calls the driver's create_qp callback; before the fix, the QP's send and receive Completion Queue (CQ) pointers were only filled in after that callback returned. If the driver's QP creation fails, mlx5_ib tears the partly built QP down through its QP-destroy path, and that path relies on the CQ pointers being valid. Because they are not yet set at that point, the teardown operates on the wrong memory: the KASAN report in the description shows an 8-byte write from mlx5_ib's create_qp error path (create_qp.cold) into an object that ib_core's create_qp had allocated and already freed, with allocation, free and bad write all reached from one userspace ioctl (UVERBS_METHOD_QP_CREATE via ib_uverbs_ioctl). The trigger is therefore an ordinary process (a.out in the report) submitting a QP-create request that fails, through /dev/infiniband/uverbs*; whether unprivileged local users can reach that path depends on the permissions of those device nodes, which the ib_uverbs driver creates with mode 0666 by default. A write into freed kernel slab memory is the classic starting point for a kernel crash and, with more work, for local privilege escalation, although no exploit is publicly known. mlx5_ib drives Mellanox/NVIDIA ConnectX-4 and later adapters (ConnectX-4 Lx, ConnectX-5, ConnectX-6, BlueField), which are common in HPC and data-center hosts. The fix ("RDMA/core: Set send and receive CQ before forwarding to the driver") has ib_core assign qp->send_cq and qp->recv_cq from the init attributes before calling the driver, so the failure path already sees valid CQ pointers; the core still re-assigns them after the driver returns because the mlx4 driver still rewrites ib_qp fields, which the commit message says should stop once mlx4 is reworked. Only kernels in which ib_core allocates the QP (the 5.15 series) and that lack the fix are affected; the CVE ID was assigned retroactively in 2024 for a fix that landed upstream in Linux 5.16 and was backported to 5.15 stable.

Potential Impact

For European organizations operating data centers, cloud infrastructure or high-performance computing clusters on RDMA-enabled Linux hosts with Mellanox/NVIDIA ConnectX adapters, the realistic attack model is local: a process that can open /dev/infiniband/uverbs* (by default any local user) issues a QP-create request that fails, and the kernel writes into freed slab memory. The immediate consequence is a kernel oops or panic, a denial of service on hosts that are usually shared (multi-tenant cloud nodes, HPC login and compute nodes, storage servers on RoCE or NVMe-oF). A controlled write into freed kernel memory is also a plausible basis for local privilege escalation, which would expose every tenant, job and dataset on the host and compromise data confidentiality and integrity. Given the weight of Linux in European enterprises and research institutions, particularly in finance, telecommunications and scientific computing where this hardware is most common, successful exploitation would have broad operational and reputational impact, and organizations subject to GDPR must treat a kernel-level compromise of such hosts as a potential reportable data breach.

Mitigation Recommendations

Boot a kernel that carries the fix: upstream 5.16 or later, a 5.15 stable release that includes the backport, or a distribution kernel whose changelog lists CVE-2021-47196 or the commit title "RDMA/core: Set send and receive CQ before forwarding to the driver". Only 5.15-series kernels that predate the backport are affected; older kernels do not contain the core-allocated QP code this bug lives in, even though the mlx5_ib driver itself is much older. Inventory which hosts load mlx5_ib and ib_uverbs (lsmod) and which carry Mellanox/NVIDIA ConnectX-4 or later adapters. Where patching must wait, remove the trigger path rather than the whole stack: unload or blacklist ib_uverbs (and mlx5_ib if RDMA is not needed at all), or keep user-space verbs but restrict /dev/infiniband/uverbs* to root or a dedicated rdma group. The ib_uverbs driver creates those nodes with mode 0666 by default, so check `ls -l /dev/infiniband/` on every RDMA host; tightening the mode turns this from a bug any local user can trigger into one that needs an already-privileged or RDMA-entitled account. Monitor kernel logs for oopses, BUG or KASAN reports mentioning mlx5_ib, ib_core or ib_uverbs, and keep module signing, SELinux or AppArmor confinement of RDMA-using services, backups and an incident-response runbook for kernel-level compromise in place. Track hardware-vendor and distribution advisories for the backport status of the fix.
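The audit and interim hardening described above, as an added example written for this page (it is not code from the advisory, from rdma-core or from the kernel). The checks rely on two facts stated above: the bug lives in the 5.15 series until the fix is backported, and ib_uverbs creates /dev/infiniband/uverbs* with mode 0666 by default. The udev rule file name is an assumption made for this example, and which 5.15.y release carries the fix must be read from the distribution changelog; the script flags the series for verification rather than guessing.

```shell
#!/bin/sh
# Added example (not from the advisory, rdma-core or the kernel): audit a
# Linux host for exposure to CVE-2021-47196 and, as an interim measure,
# restrict the trigger path. The udev rule path below is an assumption for
# this example; which 5.15.y carries the fix must come from the distro changelog.

# Return 0 when a `uname -r` string belongs to the 5.15 series.
kernel_in_affected_series() {
    case "$1" in
        5.15|5.15.*|5.15-*) return 0 ;;
        *)                  return 1 ;;
    esac
}

# Return 0 when module $1 appears in the first column of an lsmod-style
# listing passed as $2 (passed in rather than read, so it can be tested offline).
module_loaded() {
    printf '%s\n' "$2" | awk -v m="$1" '$1 == m { found = 1 } END { exit !found }'
}

# Return 0 when an octal mode string ("666", "0600", ...) grants any
# permission to "other"; any such bit lets an unprivileged user open the
# node and reach ib_uverbs_ioctl.
mode_world_accessible() {
    case "$1" in
        *[1-7]) return 0 ;;
        *)      return 1 ;;
    esac
}

# Audit the running host. Prints one line per finding; returns 1 when
# something needs attention, 0 when nothing was found.
audit_host() {
    needs_attention=0
    rel=$(uname -r)
    if kernel_in_affected_series "$rel"; then
        echo "kernel $rel is in the 5.15 series: verify the backport is present"
        needs_attention=1
    fi
    mods=$(lsmod 2>/dev/null)
    for m in mlx5_ib ib_uverbs; do
        module_loaded "$m" "$mods" && echo "module $m is loaded"
    done
    for dev in /dev/infiniband/uverbs*; do
        [ -e "$dev" ] || continue
        mode=$(stat -c %a "$dev")
        if mode_world_accessible "$mode"; then
            echo "$dev has mode $mode: any local user can reach the QP-create ioctl"
            needs_attention=1
        fi
    done
    return "$needs_attention"
}

# Interim hardening until a fixed kernel is booted: make the uverbs nodes
# root-only now and keep them that way across reboots via a udev rule
# (file name chosen for this example). Run as root.
restrict_uverbs_nodes() {
    for dev in /dev/infiniband/uverbs*; do
        [ -e "$dev" ] && chmod 0600 "$dev"
    done
    printf 'KERNEL=="uverbs*", SUBSYSTEM=="infiniband_verbs", MODE="0600"\n' \
        > /etc/udev/rules.d/99-cve-2021-47196-uverbs.rules
    udevadm control --reload-rules
}
```

Run `audit_host` on each RDMA host and act on a non-zero return; `restrict_uverbs_nodes` is deliberately separate so the audit can run read-only as an unprivileged user while the change is applied through your configuration-management path. Services that legitimately need verbs (MPI launchers, NVMe-oF initiators, storage daemons) must then run as root or in the group you grant on the node, which is the point: exposure shrinks to accounts that already hold elevated access.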


Technical Details

Data Version
5.1
Assigner Short Name
Linux
Date Reserved
2024-03-25T09:12:14.115Z
Cisa Enriched
true
Cvss Version
null
State
PUBLISHED

Threat ID: 682d9835c4522896dcbea020

Added to database: 5/21/2025, 9:09:09 AM

Last enriched: 6/26/2025, 5:35:35 PM

Last updated: 7/27/2025, 12:10:42 AM

Views: 8
