CVE-2021-47333: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:
misc: alcor_pci: fix null-ptr-deref when there is no PCI bridge
There is an issue with the ASPM (optional) capability checking function. A device might be attached to root complex directly; in this case, bus->self (bridge) will be NULL, thus priv->parent_pdev is NULL. Since alcor_pci_init_check_aspm(priv->parent_pdev) checks the PCI link's ASPM capability and populates parent_cap_off, which will be used later by alcor_pci_aspm_ctrl() to dynamically turn on/off device, what we can do here is to avoid checking the capability if we are on the root complex. This will make pdev_cap_off 0 and alcor_pci_aspm_ctrl() will simply return when being called, effectively disabling ASPM for the device.
[ 1.246492] BUG: kernel NULL pointer dereference, address: 00000000000000c0
[ 1.248731] RIP: 0010:pci_read_config_byte+0x5/0x40
[ 1.253998] Call Trace:
[ 1.254131] ? alcor_pci_find_cap_offset.isra.0+0x3a/0x100 [alcor_pci]
[ 1.254476] alcor_pci_probe+0x169/0x2d5 [alcor_pci]
AI Analysis
Technical Summary
CVE-2021-47333 is a medium-severity vulnerability in the Linux kernel's alcor_pci driver, which handles PCI device interactions for certain hardware. The flaw arises from improper handling of the Active State Power Management (ASPM) capability check when a PCI device is attached directly to the root complex without an intervening PCI bridge. Specifically, the function alcor_pci_init_check_aspm() attempts to access the PCI bridge's capabilities via a pointer (priv->parent_pdev) that is NULL in this scenario. This leads to a NULL pointer dereference during pci_read_config_byte(), causing a kernel crash (denial of service). The vulnerability is triggered during device initialization (probe phase) and results in a BUG message and kernel panic.
The root cause is that the code does not verify the presence of a parent PCI bridge before checking ASPM capabilities, which are optional. The fix skips the ASPM capability check if the device is on the root complex, effectively disabling ASPM for that device and preventing the NULL pointer dereference.
The vulnerability has a CVSS 3.1 score of 5.5 (medium): the attack vector is local, attack complexity is low, low privileges are required, no user interaction is needed, and only availability is impacted. There are no known exploits in the wild. The affected Linux kernel versions include the specified commit hashes, indicating recent or specific development snapshots. The practical consequence is denial of service through kernel crashes when the affected driver encounters a device configuration without a PCI bridge, which can impact system stability and availability.
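A user-space model of the guard described above, added here as an illustration; it is not the alcor_pci driver's code. The model_* names, the byte-array config space and the early return on a zero capability offset are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>

#define CAP_PTR    0x34  /* capabilities pointer register */
#define CAP_ID_EXP 0x10  /* PCI Express capability ID */
#define LNKCTL     0x10  /* Link Control offset inside that capability */

struct model_dev { uint8_t cfg[256]; };  /* constructed config space */
struct model_priv {
    struct model_dev *pdev, *parent_pdev;  /* parent is NULL on the root complex */
    uint8_t pdev_cap_off, parent_cap_off;
};

/* Walks the capability list; dereferences dev, so dev must not be NULL. */
static uint8_t model_find_cap_offset(const struct model_dev *dev) {
    uint8_t where = dev->cfg[CAP_PTR];
    for (int hops = 0; hops < 48 && where >= 0x40 && where <= 0xEC; hops++) {
        if (dev->cfg[where] == CAP_ID_EXP)
            return where;
        where = dev->cfg[where + 1];  /* next-capability pointer */
    }
    return 0;
}

/* Probe model with the guard; returns 1 if ASPM was toggled, 0 if skipped. */
static int model_probe(struct model_dev *dev, struct model_dev *bridge) {
    struct model_priv p = { .pdev = dev, .parent_pdev = bridge };
    p.pdev_cap_off = model_find_cap_offset(p.pdev);
    if (p.parent_pdev)  /* no bridge: skip the lookup, offset stays 0 */
        p.parent_cap_off = model_find_cap_offset(p.parent_pdev);
    if (!p.pdev_cap_off || !p.parent_cap_off)
        return 0;       /* assumed early return of the ASPM control path */
    p.pdev->cfg[p.pdev_cap_off + LNKCTL] = 0x03;  /* enable L0s | L1 */
    p.parent_pdev->cfg[p.parent_cap_off + LNKCTL] = 0x03;
    return 1;
}

/* Constructed device: power-management cap at 0x40, PCIe cap at 0x50. */
static struct model_dev model_make_dev(void) {
    return (struct model_dev){ .cfg = { [CAP_PTR] = 0x40, [0x40] = 0x01,
                                        [0x41] = 0x50, [0x50] = CAP_ID_EXP } };
}

int main(void) {
    struct model_dev card = model_make_dev(), bridge = model_make_dev();
    printf("behind bridge: ASPM toggled = %d\n", model_probe(&card, &bridge));
    printf("on root complex: ASPM toggled = %d\n", model_probe(&card, NULL));
    return 0;
}
```

Without the `if (p.parent_pdev)` check, the second call would pass NULL into the capability walk, which is the dereference the oops trace shows.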
Potential Impact
For European organizations, the primary impact of CVE-2021-47333 is potential denial of service on Linux systems using the affected alcor_pci driver. This could lead to unexpected system crashes or reboots, disrupting critical services, especially in environments relying on Linux servers or embedded systems with this hardware driver. Since the attack vector is local, exploitation requires an attacker or malicious process with local access, which limits remote exploitation risks but raises concerns for multi-user systems, shared hosting, or environments where untrusted users have local login capabilities. The impact on confidentiality and integrity is negligible, but availability degradation could affect operational continuity, particularly in industrial, telecom, or cloud infrastructure sectors prevalent in Europe. Organizations with Linux-based infrastructure that includes hardware using the alcor_pci driver should be aware of potential stability issues and plan for patching to maintain service reliability.
Mitigation Recommendations
To mitigate CVE-2021-47333, European organizations should:
1) Apply the latest Linux kernel updates or patches that include the fix for this vulnerability, ensuring the alcor_pci driver properly handles PCI devices attached directly to the root complex.
2) Audit systems to identify hardware using the alcor_pci driver and assess exposure, especially in servers and embedded devices.
3) Restrict local access to trusted users only, minimizing the risk of local exploitation by unprivileged users.
4) Implement monitoring for kernel crash logs and BUG messages related to PCI device initialization to detect potential exploitation attempts or system instability.
5) For critical systems where patching is delayed, consider disabling the alcor_pci driver if hardware compatibility allows or isolating affected devices to reduce impact.
6) Incorporate this vulnerability into vulnerability management and incident response plans to ensure timely detection and remediation.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden, Finland, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-05-21T14:28:16.975Z
- CISA Enriched: true
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 682d9835c4522896dcbea4a1
Added to database: 5/21/2025, 9:09:09 AM
Last enriched: 6/26/2025, 10:50:42 AM
Last updated: 7/28/2025, 6:10:12 PM