CVE-2021-47274: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved:

tracing: Correct the length check which causes memory corruption

We've suffered from severe kernel crashes due to memory corruption on our production environment, like:

Call Trace:
[1640542.554277] general protection fault: 0000 [#1] SMP PTI
[1640542.554856] CPU: 17 PID: 26996 Comm: python Kdump: loaded Tainted:G
[1640542.556629] RIP: 0010:kmem_cache_alloc+0x90/0x190
[1640542.559074] RSP: 0018:ffffb16faa597df8 EFLAGS: 00010286
[1640542.559587] RAX: 0000000000000000 RBX: 0000000000400200 RCX: 0000000006e931bf
[1640542.560323] RDX: 0000000006e931be RSI: 0000000000400200 RDI: ffff9a45ff004300
[1640542.560996] RBP: 0000000000400200 R08: 0000000000023420 R09: 0000000000000000
[1640542.561670] R10: 0000000000000000 R11: 0000000000000000 R12: ffffffff9a20608d
[1640542.562366] R13: ffff9a45ff004300 R14: ffff9a45ff004300 R15: 696c662f65636976
[1640542.563128] FS: 00007f45d7c6f740(0000) GS:ffff9a45ff840000(0000) knlGS:0000000000000000
[1640542.563937] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[1640542.564557] CR2: 00007f45d71311a0 CR3: 000000189d63e004 CR4: 00000000003606e0
[1640542.565279] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[1640542.566069] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[1640542.566742] Call Trace:
[1640542.567009] anon_vma_clone+0x5d/0x170
[1640542.567417] __split_vma+0x91/0x1a0
[1640542.567777] do_munmap+0x2c6/0x320
[1640542.568128] vm_munmap+0x54/0x70
[1640542.569990] __x64_sys_munmap+0x22/0x30
[1640542.572005] do_syscall_64+0x5b/0x1b0
[1640542.573724] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[1640542.575642] RIP: 0033:0x7f45d6e61e27

James Wang has reproduced it stably on the latest 4.19 LTS.

After some debugging, we finally proved that it's due to ftrace buffer out-of-bound access using a debug tool as follows:

[ 86.775200] BUG: Out-of-bounds write at addr 0xffff88aefe8b7000
[ 86.780806] no_context+0xdf/0x3c0
[ 86.784327] __do_page_fault+0x252/0x470
[ 86.788367] do_page_fault+0x32/0x140
[ 86.792145] page_fault+0x1e/0x30
[ 86.795576] strncpy_from_unsafe+0x66/0xb0
[ 86.799789] fetch_memory_string+0x25/0x40
[ 86.804002] fetch_deref_string+0x51/0x60
[ 86.808134] kprobe_trace_func+0x32d/0x3a0
[ 86.812347] kprobe_dispatcher+0x45/0x50
[ 86.816385] kprobe_ftrace_handler+0x90/0xf0
[ 86.820779] ftrace_ops_assist_func+0xa1/0x140
[ 86.825340] 0xffffffffc00750bf
[ 86.828603] do_sys_open+0x5/0x1f0
[ 86.832124] do_syscall_64+0x5b/0x1b0
[ 86.835900] entry_SYSCALL_64_after_hwframe+0x44/0xa9

commit b220c049d519 ("tracing: Check length before giving out the filter buffer") adds a length check to protect against the trace data overflow introduced in 0fc1b09ff1ff. It seems that this fix can't prevent the overflow entirely: the length check should also take the sizeof entry->array[0] into account, since this array[0] is filled with the length of the trace data, occupies additional space, and risks overflow.
AI Analysis
Technical Summary
CVE-2021-47274 is a critical vulnerability in the Linux kernel's tracing subsystem, specifically in the ftrace feature used for kernel function tracing and debugging. It arises from an incorrect length check on trace buffer data, which leads to an out-of-bounds write and subsequent memory corruption. That corruption can cause severe kernel crashes, including general protection faults and page faults, as the kernel call traces and debugging logs in the description show. The root cause is an insufficient boundary check when handing out the per-CPU trace filter buffer: the check does not account for the size of entry->array[0], the word that stores the length of the trace data, so an event can be admitted that overruns the buffer. The vulnerability affects multiple Linux kernel versions, including long-term support (LTS) releases such as 4.19, and has been reproduced reliably in production environments. The overflow was introduced by commit 0fc1b09ff1ff and partially mitigated by commit b220c049d519, but that fix was incomplete and a further correction was needed to fully prevent the overflow. The vulnerability is classified under CWE-125 (Out-of-bounds Read), although the debug output quoted in the description reports an out-of-bounds write, and has a CVSS 3.1 base score of 9.8, indicating critical severity. It requires no privileges or user interaction to exploit, and it can lead to full confidentiality, integrity, and availability compromise of affected systems through kernel-level memory corruption and crashes.
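The mis-sized check described above, as an added example that is not the kernel's own code: it models the per-CPU trace event page, places the check from b220c049d519 beside the corrected one, and reports the first payload length that the weaker check admits even though the event no longer fits in the page. The struct layout mirrors struct ring_buffer_event; the length-word threshold (TYPE_LEN_MAX) and the omission of alignment padding are simplifying assumptions.

```c
/* Added example, not the kernel's own code: it models the per-CPU
 * trace_buffered_event page and the two length checks named in the
 * advisory. The header mirrors struct ring_buffer_event; the length-word
 * threshold and the lack of alignment padding are assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TRACE_PAGE_SIZE 4096u
#define TYPE_LEN_MAX 28u   /* payloads above this store their length in array[0] */

struct rb_event {
    uint32_t type_len:5;
    uint32_t time_delta:27;
    uint32_t array[];      /* array[0] carries the length of a large event */
};
#define ARRAY0_SIZE sizeof(((struct rb_event *)0)->array[0])

/* Bytes the event really occupies in the page for a payload of len bytes. */
size_t bytes_used(size_t len)
{
    size_t hdr = sizeof(struct rb_event);           /* 4-byte header */
    if (len > TYPE_LEN_MAX)
        hdr += ARRAY0_SIZE;                          /* plus the length word */
    return hdr + len;
}

/* Check from b220c049d519: ignores the array[0] length word. */
bool weak_check(size_t len)
{
    return len < TRACE_PAGE_SIZE - sizeof(struct rb_event);
}

/* Corrected check from the CVE-2021-47274 fix. */
bool fixed_check(size_t len)
{
    return len < TRACE_PAGE_SIZE - sizeof(struct rb_event) - ARRAY0_SIZE;
}

/* Smallest payload a check admits although the event overruns the page; 0 if none. */
size_t first_overflowing_len(bool (*check)(size_t))
{
    for (size_t len = 1; len < TRACE_PAGE_SIZE; len++)
        if (check(len) && bytes_used(len) > TRACE_PAGE_SIZE)
            return len;
    return 0;
}
```

With a 4096-byte page the weaker check first admits an overrunning event at a 4089-byte payload, while the corrected check never does.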
Potential Impact
For European organizations, the impact of CVE-2021-47274 is significant due to the widespread use of Linux in servers, cloud infrastructure, embedded systems, and critical industrial environments. Exploitation can result in kernel panics and system crashes, causing denial of service and potential data loss or corruption. Since the vulnerability allows memory corruption at the kernel level without requiring authentication or user interaction, attackers can remotely trigger crashes or potentially escalate privileges if combined with other exploits. This poses a threat to data centers, telecommunications infrastructure, financial institutions, healthcare providers, and government agencies across Europe that rely on Linux-based systems for critical operations. The disruption of services and potential compromise of system integrity could lead to operational downtime, regulatory non-compliance, and reputational damage. Additionally, the vulnerability could be leveraged in targeted attacks against high-value assets, especially in sectors with stringent uptime and security requirements.
Mitigation Recommendations
European organizations should implement the following specific mitigation measures:
1) Immediately apply the official Linux kernel patches that address CVE-2021-47274, ensuring that all affected kernel versions are updated to the fixed releases.
2) For systems where immediate patching is not feasible, disable or restrict the use of the ftrace subsystem and kernel tracing features, especially on production and exposed systems, to reduce the attack surface.
3) Employ kernel live patching solutions where available to minimize downtime while applying critical fixes.
4) Monitor kernel logs and system behavior for signs of memory corruption or unexpected crashes that may indicate exploitation attempts.
5) Harden system configurations by limiting access to kernel debugging interfaces and restricting unprivileged users from loading kernel modules or interacting with tracing facilities.
6) Incorporate vulnerability scanning and patch management processes that prioritize kernel vulnerabilities with critical CVSS scores.
7) Engage with Linux distribution vendors and security advisories to stay informed about backported fixes and related security updates.
These targeted actions go beyond generic advice by focusing on kernel tracing controls and operational monitoring specific to this vulnerability.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-05-21T13:27:52.127Z
- Cisa Enriched: true
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 682d9835c4522896dcbea290
Added to database: 5/21/2025, 9:09:09 AM
Last enriched: 7/3/2025, 6:10:08 AM
Last updated: 8/13/2025, 3:32:31 AM
Views: 15