CVE-2021-47268: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

usb: typec: tcpm: cancel vdm and state machine hrtimer when unregister tcpm port

A pending hrtimer may expire after the kthread_worker of tcpm port is destroyed, see below kernel dump when do module unload, fix it by cancel the 2 hrtimers.

[ 111.517018] Unable to handle kernel paging request at virtual address ffff8000118cb880
[ 111.518786] blk_update_request: I/O error, dev sda, sector 60061185 op 0x0:(READ) flags 0x0 phys_seg 1 prio class 0
[ 111.526594] Mem abort info:
[ 111.526597] ESR = 0x96000047
[ 111.526600] EC = 0x25: DABT (current EL), IL = 32 bits
[ 111.526604] SET = 0, FnV = 0
[ 111.526607] EA = 0, S1PTW = 0
[ 111.526610] Data abort info:
[ 111.526612] ISV = 0, ISS = 0x00000047
[ 111.526615] CM = 0, WnR = 1
[ 111.526619] swapper pgtable: 4k pages, 48-bit VAs, pgdp=0000000041d75000
[ 111.526623] [ffff8000118cb880] pgd=10000001bffff003, p4d=10000001bffff003, pud=10000001bfffe003, pmd=10000001bfffa003, pte=0000000000000000
[ 111.526642] Internal error: Oops: 96000047 [#1] PREEMPT SMP
[ 111.526647] Modules linked in: dwc3_imx8mp dwc3 phy_fsl_imx8mq_usb [last unloaded: tcpci]
[ 111.526663] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.13.0-rc4-00927-gebbe9dbd802c-dirty #36
[ 111.526670] Hardware name: NXP i.MX8MPlus EVK board (DT)
[ 111.526674] pstate: 800000c5 (Nzcv daIF -PAN -UAO -TCO BTYPE=--)
[ 111.526681] pc : queued_spin_lock_slowpath+0x1a0/0x390
[ 111.526695] lr : _raw_spin_lock_irqsave+0x88/0xb4
[ 111.526703] sp : ffff800010003e20
[ 111.526706] x29: ffff800010003e20 x28: ffff00017f380180
[ 111.537156] buffer_io_error: 6 callbacks suppressed
[ 111.537162] Buffer I/O error on dev sda1, logical block 60040704, async page read
[ 111.539932] x27: ffff00017f3801c0
[ 111.539938] x26: ffff800010ba2490 x25: 0000000000000000 x24: 0000000000000001
[ 111.543025] blk_update_request: I/O error, dev sda, sector 60061186 op 0x0:(READ) flags 0x0 phys_seg 7 prio class 0
[ 111.548304]
[ 111.548306] x23: 00000000000000c0 x22: ffff0000c2a9f184 x21: ffff00017f380180
[ 111.551374] Buffer I/O error on dev sda1, logical block 60040705, async page read
[ 111.554499]
[ 111.554503] x20: ffff0000c5f14210 x19: 00000000000000c0 x18: 0000000000000000
[ 111.557391] Buffer I/O error on dev sda1, logical block 60040706, async page read
[ 111.561218]
[ 111.561222] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000
[ 111.564205] Buffer I/O error on dev sda1, logical block 60040707, async page read
[ 111.570887] x14: 00000000000000f5 x13: 0000000000000001 x12: 0000000000000040
[ 111.570902] x11: ffff0000c05ac6d8
[ 111.583420] Buffer I/O error on dev sda1, logical block 60040708, async page read
[ 111.588978] x10: 0000000000000000 x9 : 0000000000040000
[ 111.588988] x8 : 0000000000000000
[ 111.597173] Buffer I/O error on dev sda1, logical block 60040709, async page read
[ 111.605766] x7 : ffff00017f384880 x6 : ffff8000118cb880
[ 111.605777] x5 : ffff00017f384880
[ 111.611094] Buffer I/O error on dev sda1, logical block 60040710, async page read
[ 111.617086] x4 : 0000000000000000 x3 : ffff0000c2a9f184
[ 111.617096] x2 : ffff8000118cb880
[ 111.622242] Buffer I/O error on dev sda1, logical block 60040711, async page read
[ 111.626927] x1 : ffff8000118cb880 x0 : ffff00017f384888
[ 111.626938] Call trace:
[ 111.626942] queued_spin_lock_slowpath+0x1a0/0x390
[ 111.795809] kthread_queue_work+0x30/0xc0
[ 111.799828] state_machine_timer_handler+0x20/0x30
[ 111.804624] __hrtimer_run_queues+0x140/0x1e0
[ 111.808990] hrtimer_interrupt+0xec/0x2c0
[ 111.813004] arch_timer_handler_phys+0x38/0x50
[ 111.817456] handle_percpu_devid_irq+0x88/0x150
[ 111.821991] __handle_domain_irq+0x80/0xe0
[ 111.826093] gic_handle_irq+0xc0/0x140
[ 111.829848] el1_irq+0xbc/0x154
[ 111.832991] arch_cpu_idle+0x1c/0x2c
[ 111.836572] default_idle_call+0x24/0x6c
[ 111.840497] do_idle+0x238/0x2ac
[ 1 ---truncated---
AI Analysis
Technical Summary
CVE-2021-47268 is a vulnerability in the Linux kernel's USB Type-C Port Manager (TCPM) subsystem, caused by improper handling of high-resolution timers (hrtimers) when a TCPM port is unregistered. Pending hrtimers are not cancelled before the port's kthread_worker is destroyed, so a timer can expire after the worker has been torn down. Its callback then references freed memory structures, causing use-after-free conditions and kernel memory corruption.

The kernel log in the description shows a kernel paging fault (Oops) triggered by this race condition during module unload, resulting in memory access violations and I/O errors on block devices. The root cause is the failure to cancel two specific hrtimers during module unload. The vulnerability can cause system instability, kernel panics, and potential denial of service (DoS) conditions.

Although no public exploits are currently known, the flaw affects Linux kernel versions containing the affected TCPM code, which is widely used in devices supporting USB Type-C functionality. It is particularly relevant for embedded systems, IoT devices, and general-purpose Linux distributions that use the TCPM driver. The patch cancels the two hrtimers during the unregister process so that no timer callback runs after resource cleanup. No CVSS score has been assigned yet, but the technical details and kernel crash evidence indicate a serious flaw in kernel memory management related to USB Type-C port handling.
Potential Impact
For European organizations, the impact of CVE-2021-47268 can be significant depending on their deployment of Linux-based systems with USB Type-C support. The vulnerability can lead to kernel crashes and system instability, resulting in denial of service conditions that disrupt business operations. This is especially critical for sectors relying on embedded Linux devices such as telecommunications infrastructure, industrial control systems, automotive systems, and IoT deployments prevalent in Europe. Data centers and cloud providers running Linux servers with affected kernels could experience service interruptions. Furthermore, the kernel panic and memory corruption could potentially be leveraged by attackers to escalate privileges or execute arbitrary code, although no such exploits are currently known. The disruption of USB Type-C port management could also affect device connectivity and peripheral operations, impacting productivity. Given the widespread use of Linux in European enterprises and critical infrastructure, the vulnerability poses a risk to confidentiality, integrity, and availability if exploited or triggered inadvertently.
Mitigation Recommendations
European organizations should prioritize updating their Linux kernels to versions where this vulnerability is patched. Since the issue relates to the TCPM USB Type-C driver, organizations should:
1) Identify all Linux systems running kernels with affected TCPM code, especially those with USB Type-C hardware.
2) Apply vendor-provided kernel updates or patches that cancel the hrtimers properly during TCPM port unregistration.
3) For embedded or IoT devices where kernel updates are challenging, consider disabling USB Type-C support if not required or isolating affected devices from critical networks.
4) Implement monitoring for kernel Oops or panic logs indicative of this vulnerability being triggered.
5) Conduct thorough testing of kernel updates in staging environments to ensure stability.
6) Engage with hardware and Linux distribution vendors to confirm patch availability and deployment timelines.
7) Maintain robust backup and recovery procedures to minimize downtime from potential crashes.
These steps go beyond generic advice by focusing on the specific TCPM subsystem and the unique challenges of embedded and USB Type-C enabled Linux systems.
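One way to implement the log monitoring in step 4, added here as an example and not taken from the page or the kernel project: it groups kernel log lines into Oops reports and flags any whose call trace shows an hrtimer callback calling kthread_queue_work(), as in the trace in the description. The names split_oopses and scan, the match on handler names ending in "timer_handler", and the sample log (constructed from lines in the page's dump) are assumptions.

```python
import re

LINE = re.compile(r"^\[\s*(\d+\.\d+)\]\s*(.*)$")
FRAME = re.compile(r"^([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+")
UNLOADED = re.compile(r"\[last unloaded: ([^\]]+)\]")

# Constructed sample shaped like the dump on this page, with an unrelated
# block-layer message interleaved in the call trace.
SAMPLE = """\
[  111.526642] Internal error: Oops: 96000047 [#1] PREEMPT SMP
[  111.526647] Modules linked in: dwc3_imx8mp dwc3 phy_fsl_imx8mq_usb [last unloaded: tcpci]
[  111.626938] Call trace:
[  111.626942]  queued_spin_lock_slowpath+0x1a0/0x390
[  111.622242] Buffer I/O error on dev sda1, logical block 60040711, async page read
[  111.795809]  kthread_queue_work+0x30/0xc0
[  111.799828]  state_machine_timer_handler+0x20/0x30
[  111.804624]  __hrtimer_run_queues+0x140/0x1e0
"""

def split_oopses(log_text):
    """Group kernel log lines into one record per 'Internal error: Oops'."""
    reports, cur = [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        msg = m.group(2) if m else ""
        if "Internal error: Oops" in msg:
            cur = {"time": float(m.group(1)), "unloaded": None,
                   "frames": [], "in_trace": False}
            reports.append(cur)
        elif cur is None or "---[ end trace" in msg:
            cur = None
        elif "Call trace:" in msg:
            cur["in_trace"] = True
        elif UNLOADED.search(msg):
            cur["unloaded"] = UNLOADED.search(msg).group(1)
        elif cur["in_trace"] and FRAME.match(msg):  # interleaved noise fails FRAME
            cur["frames"].append(FRAME.match(msg).group(1))
    return reports

def scan(log_text):
    """Return (time, handler, last_unloaded) per Oops matching the pattern."""
    hits = []
    for r in split_oopses(log_text):
        f = r["frames"]
        for i in range(len(f) - 2):
            # Assumed signature: kthread_queue_work called from a *timer_handler
            # frame that itself runs under __hrtimer_run_queues.
            if (f[i] == "kthread_queue_work" and f[i + 1].endswith("timer_handler")
                    and "__hrtimer_run_queues" in f[i + 2:]):
                hits.append((r["time"], f[i + 1], r["unloaded"]))
                break
    return hits
```

Feed scan() the text of the kernel log (for example, collected dmesg or journal output); the "last unloaded" module in each hit helps confirm the crash followed a driver unload.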
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-05-21T13:27:52.127Z
- Cisa Enriched: true
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9835c4522896dcbea24b
Added to database: 5/21/2025, 9:09:09 AM
Last enriched: 6/26/2025, 12:22:15 PM
Last updated: 8/17/2025, 8:48:20 PM