CVE-2021-47267: Vulnerability in Linux
In the Linux kernel, the following vulnerability has been resolved:

usb: fix various gadget panics on 10gbps cabling

usb_assign_descriptors() is called with 5 parameters, the last 4 of which are the usb_descriptor_header for: full-speed (USB1.1 - 12Mbps [including USB1.0 low-speed @ 1.5Mbps]), high-speed (USB2.0 - 480Mbps), super-speed (USB3.0 - 5Gbps), super-speed-plus (USB3.1 - 10Gbps).

The differences between full/high/super-speed descriptors are usually substantial (due to changes in the maximum usb block size from 64 to 512 to 1024 bytes and other differences in the specs), while the difference between 5 and 10Gbps descriptors may be as little as nothing (in many cases the same tuning is simply good enough).

However if a gadget driver calls usb_assign_descriptors() with a NULL descriptor for super-speed-plus and is then used on a max 10gbps configuration, the kernel will crash with a null pointer dereference, when a 10gbps capable device port + cable + host port combination shows up. (This wouldn't happen if the gadget max-speed was set to 5gbps, but it of course defaults to the maximum, and there's no real reason to artificially limit it.)

The fix is to simply use the 5gbps descriptor as the 10gbps descriptor, if a 10gbps descriptor wasn't provided. Obviously this won't fix the problem if the 5gbps descriptor is also NULL, but such cases can't be so trivially solved (and any such gadgets are unlikely to be used with USB3 ports anyway).
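The fallback the commit describes, shown as an added stand-alone C model that is not the kernel's own code: assign_descriptors_unpatched() stores the four per-speed tables exactly as the driver handed them in, NULL included; assign_descriptors_patched() reuses the super-speed table when the super-speed-plus one is NULL; and table_bytes() stands in for the walk over descriptor lengths that, in the kernel, is where the NULL pointer becomes an oops (here it returns -1 instead of dereferencing, so the model can be run safely). Every type and function name is constructed for this example (the kernel's real types are struct usb_descriptor_header and usb_assign_descriptors()), and the sample descriptors are a made-up 9-byte interface and 7-byte endpoint.

```c
#include <stddef.h>
#include <stdio.h>

/*
 * Constructed model of the descriptor selection behind CVE-2021-47267.
 * None of these names are the kernel's; they only mirror its shape.
 */

enum speed { SPEED_FULL, SPEED_HIGH, SPEED_SUPER, SPEED_SUPER_PLUS };

/* The two fields every USB descriptor starts with. */
struct desc_header {
    unsigned char bLength;
    unsigned char bDescriptorType;
};

/* One table per speed, each a NULL-terminated array of descriptor pointers. */
struct function_descs {
    struct desc_header **fs;
    struct desc_header **hs;
    struct desc_header **ss;
    struct desc_header **ssp;
};

/* Before the fix: whatever the driver passed is stored as-is, NULL included. */
static void assign_descriptors_unpatched(struct function_descs *f,
                                         struct desc_header **fs,
                                         struct desc_header **hs,
                                         struct desc_header **ss,
                                         struct desc_header **ssp)
{
    f->fs = fs; f->hs = hs; f->ss = ss; f->ssp = ssp;
}

/* After the fix: a missing super-speed-plus table reuses the super-speed one,
 * i.e. "use the 5gbps descriptor as the 10gbps descriptor" from the commit. */
static void assign_descriptors_patched(struct function_descs *f,
                                       struct desc_header **fs,
                                       struct desc_header **hs,
                                       struct desc_header **ss,
                                       struct desc_header **ssp)
{
    if (!ssp)
        ssp = ss;   /* still NULL if ss is NULL too; the commit leaves that case open */
    f->fs = fs; f->hs = hs; f->ss = ss; f->ssp = ssp;
}

/* The table the enumeration path picks once the negotiated link speed is known. */
static struct desc_header **descs_for_speed(const struct function_descs *f, enum speed s)
{
    switch (s) {
    case SPEED_FULL:       return f->fs;
    case SPEED_HIGH:       return f->hs;
    case SPEED_SUPER:      return f->ss;
    case SPEED_SUPER_PLUS: return f->ssp;
    }
    return NULL;
}

/* Total bytes of a descriptor table. In the kernel the walk over ->bLength is
 * where a NULL table turns into the reported oops; the model returns -1 instead. */
static int table_bytes(struct desc_header **table)
{
    int total = 0;
    if (!table)
        return -1;
    for (; *table; table++)
        total += (*table)->bLength;
    return total;
}

/* Runs one variant against the same constructed driver input: a gadget that
 * supplies fs/hs/ss tables but no ssp table, then enumerates at 10Gbps. */
static int bytes_at_10gbps(int patched)
{
    /* Constructed sample descriptors: a 9-byte interface and a 7-byte endpoint. */
    static struct desc_header intf = { 9, 0x04 }, ep = { 7, 0x05 };
    static struct desc_header *table[] = { &intf, &ep, NULL };
    struct function_descs f;

    if (patched)
        assign_descriptors_patched(&f, table, table, table, NULL);
    else
        assign_descriptors_unpatched(&f, table, table, table, NULL);

    return table_bytes(descs_for_speed(&f, SPEED_SUPER_PLUS));
}

int main(void)
{
    printf("unpatched at 10Gbps: %d (-1 = NULL table, the crash path)\n", bytes_at_10gbps(0));
    printf("patched   at 10Gbps: %d bytes, same as the 5Gbps table\n", bytes_at_10gbps(1));
    return 0;
}
```

The unpatched variant hands the enumeration path a NULL table at 10Gbps, which is the crash the commit message describes; the patched variant yields the 16-byte super-speed table instead. Passing NULL for both ss and ssp still produces -1 in the patched variant, which is the residual case the commit explicitly does not cover and the reason recommendation 2 below (audit drivers for descriptors at every speed) still matters after patching.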
AI Analysis
Technical Summary
CVE-2021-47267 is a medium severity vulnerability in the Linux kernel's USB gadget subsystem, in how gadget drivers supply descriptors for USB 10Gbps (USB 3.1 SuperSpeedPlus) connections. The kernel function usb_assign_descriptors() takes five parameters, the last four of which are descriptor tables for the supported speeds: full-speed (USB 1.1), high-speed (USB 2.0), super-speed (USB 3.0), and super-speed-plus (USB 3.1). The vulnerability arises when a gadget driver passes NULL for the super-speed-plus (10Gbps) table. If the device is connected through a 10Gbps capable port, cable, and host combination, the kernel dereferences this NULL pointer and panics. This happens because the gadget defaults to its maximum speed, so the kernel expects a valid 10Gbps descriptor that the driver never provided. The root cause is the lack of a fallback to the 5Gbps descriptor when the 10Gbps one is missing; the fix substitutes the 5Gbps descriptor whenever the 10Gbps descriptor is NULL. If both the 5Gbps and 10Gbps descriptors are NULL the issue is not trivially resolved, though such cases are rare and such gadgets are unlikely to be used with USB3 ports. The vulnerability can be triggered remotely by connecting a USB device running a vulnerable gadget driver to a 10Gbps USB port, leading to denial of service via kernel crash. The CVSS score is 6.3 (medium), reflecting a network attack vector, low attack complexity, required privileges, no user interaction, and impact on confidentiality, integrity, and availability. No exploits are known in the wild yet.
Potential Impact
For European organizations, this vulnerability poses a risk primarily to systems running Linux kernels with vulnerable gadget drivers that handle USB devices, especially those using USB 3.1 (10Gbps) ports. The impact includes potential denial of service due to kernel panics, which can disrupt critical services, cause system downtime, and require reboots. Confidentiality and integrity impacts are rated low to medium but cannot be fully excluded if attackers leverage the crash to escalate privileges or bypass security controls. Organizations with Linux-based infrastructure in sectors such as telecommunications, manufacturing, research, and public services that rely on USB-connected devices for data acquisition or peripheral connectivity are particularly at risk. The vulnerability requires local privileges to exploit (PR:L), meaning an attacker must have some level of access to the system or be able to plug in a malicious USB device. This limits remote exploitation but does not eliminate risk from insider threats or compromised endpoints. Given the widespread use of Linux in European data centers, embedded systems, and IoT devices, the vulnerability could affect a broad range of environments if unpatched. The lack of known exploits reduces immediate risk but patching is critical to prevent future attacks.
Mitigation Recommendations
1. Apply the latest Linux kernel updates that include the patch for CVE-2021-47267 to ensure the fallback mechanism for USB descriptors is implemented.
2. Audit and update USB gadget drivers in use to verify they provide valid descriptors for all supported USB speeds, especially 10Gbps super-speed-plus.
3. Implement strict USB device control policies to limit physical USB port access and prevent unauthorized device connections, including use of USB device whitelisting or endpoint security solutions.
4. Monitor system logs for kernel panics or USB-related errors that could indicate attempted exploitation or misconfigured devices.
5. For critical systems, consider disabling USB 3.1 ports or limiting USB speed capabilities temporarily if patching is delayed, to reduce exposure.
6. Educate users and administrators about the risks of connecting untrusted USB devices and enforce least privilege principles to minimize local access.
7. In embedded or IoT environments, ensure firmware and kernel versions are regularly updated and tested for this vulnerability.
8. Coordinate with hardware vendors to confirm compatibility and support for patched Linux kernels and USB descriptors.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-05-21T13:27:52.127Z
- Cisa Enriched: true
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 682cd0fa1484d88663aebf3b
Added to database: 5/20/2025, 6:59:06 PM
Last enriched: 7/4/2025, 6:27:28 AM
Last updated: 8/17/2025, 9:37:16 PM