
CVE-2021-47292: Vulnerability in the Linux kernel (vendor: Linux, product: Linux)

Medium
Tags: Vulnerability, CVE, CVE-2021-47292
Published: Tue May 21 2024 (05/21/2024, 14:35:16 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

io_uring: fix memleak in io_init_wq_offload()

I got a memory leak report when doing fuzz test:

BUG: memory leak
unreferenced object 0xffff888107310a80 (size 96):
  comm "syz-executor.6", pid 4610, jiffies 4295140240 (age 20.135s)
  hex dump (first 32 bytes):
    01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00  .....N..........
  backtrace:
    [<000000001974933b>] kmalloc include/linux/slab.h:591 [inline]
    [<000000001974933b>] kzalloc include/linux/slab.h:721 [inline]
    [<000000001974933b>] io_init_wq_offload fs/io_uring.c:7920 [inline]
    [<000000001974933b>] io_uring_alloc_task_context+0x466/0x640 fs/io_uring.c:7955
    [<0000000039d0800d>] __io_uring_add_tctx_node+0x256/0x360 fs/io_uring.c:9016
    [<000000008482e78c>] io_uring_add_tctx_node fs/io_uring.c:9052 [inline]
    [<000000008482e78c>] __do_sys_io_uring_enter fs/io_uring.c:9354 [inline]
    [<000000008482e78c>] __se_sys_io_uring_enter fs/io_uring.c:9301 [inline]
    [<000000008482e78c>] __x64_sys_io_uring_enter+0xabc/0xc20 fs/io_uring.c:9301
    [<00000000b875f18f>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
    [<00000000b875f18f>] do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80
    [<000000006b0a8484>] entry_SYSCALL_64_after_hwframe+0x44/0xae

CPU0                            CPU1
io_uring_enter                  io_uring_enter
 io_uring_add_tctx_node          io_uring_add_tctx_node
  __io_uring_add_tctx_node        __io_uring_add_tctx_node
   io_uring_alloc_task_context     io_uring_alloc_task_context
    io_init_wq_offload              io_init_wq_offload
     hash = kzalloc                  hash = kzalloc
     ctx->hash_map = hash            ctx->hash_map = hash
                                     <- one of the hashes is leaked

When calling io_uring_enter() in parallel, the 'hash_map' will be leaked;
add uring_lock to protect 'hash_map'.

AI-Powered Analysis

AI analysis last updated: 06/26/2025, 11:20:31 UTC

Technical Analysis

CVE-2021-47292 is a memory leak in the Linux kernel's io_uring subsystem, in io_init_wq_offload(). io_uring is the kernel's asynchronous I/O interface: an application places requests in a shared submission ring and collects results from a completion ring, entering the kernel through io_uring_enter() to submit a batch or wait for completions rather than once per operation. Each ring (io_ring_ctx) lazily creates a hashed-work table, ctx->hash_map, the first time a task that has no io_uring task context yet sets one up for it (io_uring_alloc_task_context() in the backtrace): io_init_wq_offload() reads ctx->hash_map and, if it is NULL, allocates a new table with kzalloc() and stores the pointer. Before the fix nothing serialized that check-then-allocate sequence. When two threads make their first io_uring_enter() call on the same ring at the same time (the CPU0/CPU1 interleaving in the description), both observe a NULL hash_map and both allocate; the second store overwrites the first pointer, and the first object, which still holds the reference the ring itself owns, is never freed. The report came from fuzzing on a kernel built with kmemleak, which flagged the orphaned 96-byte object; the backtrace runs from the io_uring_enter() syscall through __io_uring_add_tctx_node() and io_uring_alloc_task_context() into the allocation. The fix takes ctx->uring_lock around the check and the allocation so that only one caller can create the table and every later caller sees it.

The practical consequences are limited. Triggering the race needs local code execution but no special privilege beyond the ability to call io_uring_setup() and io_uring_enter(), which unprivileged processes ordinarily have. Each successful race leaks one small allocation (96 bytes in the report), and a given ring can lose at most a handful of objects before hash_map is set, so turning the bug into memory exhaustion means winning the race a very large number of times with fresh threads and rings; the effect is gradual slab growth, not a crash, a write primitive or an information leak. No CVSS score is present in the CVE record and no exploitation in the wild is known. The record identifies affected kernels by commit hash, as the Linux kernel CNA does; the CVE year reflects when the fix was merged (2021), while the record itself was reserved and published on 2024-05-21, so the entry is a late assignment for an old fix rather than a recent discovery.
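The check-then-allocate race and its uring_lock fix, modelled in user space as an added example. This is illustrative code written for this page, not kernel code from the commit: struct wq_hash, struct ring_ctx, leaked_objects() and the barrier that deliberately widens the race window are assumptions of the model, and the allocation counters stand in for kmemleak. It runs eight threads through a "first io_uring_enter() on a shared ring" path twice, once with the buggy pattern and once with the lock, and reports how many objects were never freed.

```c
/* Hypothetical user-space model of the io_init_wq_offload() race behind
 * CVE-2021-47292. Not kernel code; names only loosely mirror the kernel's. */
#define _POSIX_C_SOURCE 200809L
#include <pthread.h>
#include <stdatomic.h>
#include <stdio.h>
#include <stdlib.h>

#define NTHREADS 8

/* Stand-in for the 96-byte hashed-work table kmemleak reported.
 * refs models refcount_t; the ring ctx owns the initial reference. */
struct wq_hash {
    atomic_int refs;
    unsigned long map;
};

/* Stand-in for struct io_ring_ctx: only the members the race involves. */
struct ring_ctx {
    struct wq_hash *_Atomic hash_map;   /* ctx->hash_map */
    pthread_mutex_t uring_lock;         /* the lock the fix takes */
};

/* Allocation accounting so the leak is measurable without kmemleak. */
static atomic_int g_allocs, g_frees;

static struct wq_hash *hash_alloc(void)
{
    struct wq_hash *h = calloc(1, sizeof *h);   /* kzalloc() in the kernel */
    if (!h)
        abort();
    atomic_store(&h->refs, 1);                  /* the ring's own reference */
    atomic_fetch_add(&g_allocs, 1);
    return h;
}

static void hash_put(struct wq_hash *h)
{
    if (h && atomic_fetch_sub(&h->refs, 1) == 1) {
        atomic_fetch_add(&g_frees, 1);
        free(h);
    }
}

/* Buggy pattern: read hash_map, then allocate if NULL, with no lock.
 * The barrier sits between the read and the store so that every caller
 * is guaranteed to have read NULL before any caller stores; on a real
 * kernel the same interleaving is just a matter of timing. */
static struct wq_hash *init_wq_offload_racy(struct ring_ctx *ctx, pthread_barrier_t *window)
{
    struct wq_hash *hash = ctx->hash_map;
    pthread_barrier_wait(window);
    if (!hash) {
        hash = hash_alloc();
        ctx->hash_map = hash;   /* last writer wins; earlier objects are orphaned */
    }
    atomic_fetch_add(&hash->refs, 1);   /* the caller's (io-wq's) reference */
    return hash;
}

/* Fixed pattern: the same check-then-allocate, serialized by uring_lock.
 * The barrier only makes all callers arrive together before they queue. */
static struct wq_hash *init_wq_offload_fixed(struct ring_ctx *ctx, pthread_barrier_t *window)
{
    pthread_barrier_wait(window);
    pthread_mutex_lock(&ctx->uring_lock);
    struct wq_hash *hash = ctx->hash_map;
    if (!hash) {
        hash = hash_alloc();
        ctx->hash_map = hash;
    }
    atomic_fetch_add(&hash->refs, 1);
    pthread_mutex_unlock(&ctx->uring_lock);
    return hash;
}

struct racer {
    struct ring_ctx *ctx;
    pthread_barrier_t *window;
    int fixed;
};

/* One thread's first use of the ring, then teardown of its io-wq reference. */
static void *enter_thread(void *p)
{
    struct racer *r = p;
    struct wq_hash *h = r->fixed ? init_wq_offload_fixed(r->ctx, r->window)
                                 : init_wq_offload_racy(r->ctx, r->window);
    hash_put(h);
    return NULL;
}

/* Run NTHREADS concurrent first uses against one ring, tear the ring down,
 * and return how many wq_hash objects were never freed. */
int leaked_objects(int fixed)
{
    struct ring_ctx ctx;
    pthread_barrier_t window;
    pthread_t tid[NTHREADS];
    struct racer r = { &ctx, &window, fixed };

    atomic_store(&ctx.hash_map, NULL);
    pthread_mutex_init(&ctx.uring_lock, NULL);
    atomic_store(&g_allocs, 0);
    atomic_store(&g_frees, 0);
    pthread_barrier_init(&window, NULL, NTHREADS);
    for (int i = 0; i < NTHREADS; i++)
        pthread_create(&tid[i], NULL, enter_thread, &r);
    for (int i = 0; i < NTHREADS; i++)
        pthread_join(tid[i], NULL);
    pthread_barrier_destroy(&window);
    pthread_mutex_destroy(&ctx.uring_lock);

    hash_put(ctx.hash_map);   /* ring teardown drops the ring's reference once */
    return atomic_load(&g_allocs) - atomic_load(&g_frees);
}

int main(void)
{
    printf("racy:  %d objects leaked\n", leaked_objects(0));   /* NTHREADS - 1 */
    printf("fixed: %d objects leaked\n", leaked_objects(1));   /* 0 */
    return 0;
}
```

Build with a C11 compiler and pthreads (for example cc -std=c11 model.c -lpthread). The racy run leaks NTHREADS - 1 tables because every thread allocates one and the ring can only ever free the single pointer it ends up holding; the fixed run allocates exactly once. The model also shows why the kernel's fix is cheap: the lock is taken only on the first-use path, so steady-state io_uring_enter() calls never touch it.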

Potential Impact

For European organizations, the exposure is any host running an unpatched kernel with io_uring enabled, which covers most Linux servers, container hosts and virtualization hosts of the affected vintage, since io_uring is built into mainstream distribution kernels. The only security property at stake is availability: a kernel memory leak discloses nothing and offers no code-execution primitive, and it cannot be triggered remotely. Leaked objects accumulate in the slab allocator and are recovered only by a reboot, so a long-running host whose workloads keep hitting the race (many short-lived threads each setting up their own rings) sees slow, unexplained memory growth; a local user who loops the trigger can make that growth deliberate, although at 96 bytes per race it takes an enormous number of iterations to exhaust memory on a server-class machine. Denial of service from memory pressure is therefore the realistic worst case, and it matters most on high-density container and cloud nodes in data centres, financial institutions, telecommunications operators and public-sector infrastructure, where one host's instability affects many tenants. The absence of known exploitation and the low leak rate keep the immediate risk modest, but the trigger itself is trivial (concurrent first use of a ring by unprivileged threads), so the issue belongs in the normal patch cycle rather than being dismissed.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should update to a kernel that carries the fix (the upstream commit or its stable backports); that is the complete remedy, since the fix simply takes uring_lock around the allocation. Kernel live patching can apply it without a reboot where that service is available. Where patching must wait, three controls apply. First, deny io_uring to workloads that do not need it, for example with a seccomp profile that blocks io_uring_setup(), io_uring_enter() and io_uring_register(); kernels from 6.6 onward also offer the kernel.io_uring_disabled sysctl, but the affected 2021-era kernels predate it. Second, watch for the symptom: the leaked object is 96 bytes, so on a default SLUB configuration it lands in the kmalloc-96 cache, and growth of that cache in /proc/slabinfo or slabtop that does not track workload is the signature; on a kernel built with kmemleak, the unreferenced-object reports in /sys/kernel/debug/kmemleak name the io_init_wq_offload() backtrace directly. Third, in applications the organization controls, avoid having many threads perform their first io_uring_enter() on a shared ring at the same moment, for example by creating the ring and issuing the first submission from one thread before the workers start. The third control only reduces accidental triggering; it does nothing against a local user running their own code, so it is not a substitute for the patch. Finally, track the CVE in the vulnerability management workflow so that remediation is verified across the fleet rather than assumed.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-05-21T13:27:52.130Z
CISA Enriched: true
CVSS Version: null
State: PUBLISHED

Threat ID: 682d9835c4522896dcbea32f

Added to database: 5/21/2025, 9:09:09 AM

Last enriched: 6/26/2025, 11:20:31 AM

Last updated: 7/28/2025, 10:46:47 PM

