CVE-2021-47335: Vulnerability in Linux Linux

High
Published: Tue May 21 2024 (05/21/2024, 14:35:45 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

f2fs: fix to avoid racing on fsync_entry_slab by multi filesystem instances

As syzbot reported, there is an use-after-free issue during f2fs recovery:

Use-after-free write at 0xffff88823bc16040 (in kfence-#10):
 kmem_cache_destroy+0x1f/0x120 mm/slab_common.c:486
 f2fs_recover_fsync_data+0x75b0/0x8380 fs/f2fs/recovery.c:869
 f2fs_fill_super+0x9393/0xa420 fs/f2fs/super.c:3945
 mount_bdev+0x26c/0x3a0 fs/super.c:1367
 legacy_get_tree+0xea/0x180 fs/fs_context.c:592
 vfs_get_tree+0x86/0x270 fs/super.c:1497
 do_new_mount fs/namespace.c:2905 [inline]
 path_mount+0x196f/0x2be0 fs/namespace.c:3235
 do_mount fs/namespace.c:3248 [inline]
 __do_sys_mount fs/namespace.c:3456 [inline]
 __se_sys_mount+0x2f9/0x3b0 fs/namespace.c:3433
 do_syscall_64+0x3f/0xb0 arch/x86/entry/common.c:47
 entry_SYSCALL_64_after_hwframe+0x44/0xae

The root cause is multi f2fs filesystem instances can race on accessing global fsync_entry_slab pointer, result in use-after-free issue of slab cache, fixes to init/destroy this slab cache only once during module init/destroy procedure to avoid this issue.

AI-Powered Analysis

Last updated: 06/26/2025, 10:50:08 UTC

Technical Analysis

CVE-2021-47335 is a vulnerability identified in the Linux kernel's implementation of the F2FS (Flash-Friendly File System). The issue arises from a race condition involving multiple instances of the F2FS filesystem accessing a global slab cache pointer named fsync_entry_slab. Specifically, during the recovery process of F2FS, a use-after-free condition can occur when the slab cache is destroyed or re-initialized concurrently by different filesystem instances. This race leads to a use-after-free write, which is a memory corruption vulnerability where freed memory is accessed and potentially overwritten.

The vulnerability was reported by syzbot, a kernel fuzzing tool, and involves functions such as kmem_cache_destroy, f2fs_recover_fsync_data, and f2fs_fill_super. The root cause is that the slab cache initialization and destruction were not properly synchronized across multiple F2FS instances, allowing concurrent access and modification. The fix involves ensuring that the slab cache is initialized and destroyed only once during the module's lifecycle, preventing concurrent races.

This vulnerability affects Linux kernel versions containing the affected commit hashes and impacts systems using F2FS, which is commonly used on flash storage devices such as SSDs and eMMC, especially in embedded and mobile environments. Exploitation could lead to kernel memory corruption, potentially causing system crashes (denial of service) or enabling escalation of privileges if an attacker can manipulate the kernel memory state. No known exploits are reported in the wild as of the publication date.
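The lifetime problem described above can be seen in a small user-space model. This is an added example, not kernel code and not taken from the f2fs patch: struct cache, cache_create, recover_begin, recover_end and run_model are hypothetical names, the cache is flagged dead instead of being freed so the stale access can be counted, and the interleaving of the two mounts is constructed.

```c
/* Constructed user-space model of the fsync_entry_slab lifetime bug. */
#include <stdio.h>
#include <stdlib.h>

struct cache { int live; };             /* stands in for struct kmem_cache */
static struct cache *fsync_entry_slab;  /* one global shared by all mounts */
static int stale;                       /* touches of a destroyed cache */
static struct cache *cache_create(void)
{
    struct cache *c = malloc(sizeof(*c));
    if (!c) abort();
    c->live = 1;
    return c;
}

/* Models kmem_cache_destroy(); marks dead instead of freeing so reuse is countable. */
static void cache_destroy(struct cache *c)
{
    if (!c->live) stale++;
    c->live = 0;
}

/* Pre-fix pattern: each mount's recovery creates, then destroys, the global. */
static void recover_begin(void) { fsync_entry_slab = cache_create(); }
static void recover_end(void)   { cache_destroy(fsync_entry_slab); }

/* Replays mounts A and B; returns the number of stale accesses observed. */
static int run_model(int fixed)
{
    stale = 0;
    if (fixed) {                             /* module init/exit own the cache */
        fsync_entry_slab = cache_create();   /* module init, once */
        stale += !fsync_entry_slab->live;    /* mount A recovery uses it */
        stale += !fsync_entry_slab->live;    /* mount B recovery uses it */
        cache_destroy(fsync_entry_slab);     /* module exit, once */
    } else {
        recover_begin();   /* A creates a cache and sets the global */
        recover_begin();   /* B overwrites the global pointer */
        recover_end();     /* A destroys what is now B's cache */
        recover_end();     /* B destroys it again: stale access */
    }
    return stale;
}

int main(void)
{
    printf("pre-fix: %d stale, post-fix: %d stale\n", run_model(0), run_model(1));
    return 0;
}
```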

Potential Impact

For European organizations, the impact of CVE-2021-47335 depends largely on the deployment of Linux systems utilizing the F2FS filesystem. Many enterprises and service providers in Europe run Linux-based servers, desktops, and embedded devices. While F2FS is not the default filesystem for most server environments (which often use ext4 or XFS), it is increasingly used in embedded systems, IoT devices, and mobile devices that may be part of enterprise infrastructure or supply chains. Successful exploitation could lead to kernel crashes, resulting in denial of service, or potentially privilege escalation, which could compromise system integrity and confidentiality. This is particularly critical for organizations relying on Linux-based infrastructure for critical services, industrial control systems, or telecommunications equipment. Additionally, the vulnerability could be leveraged in targeted attacks against devices with F2FS, especially if attackers have local access or can induce mounts of malicious filesystems. The lack of known exploits reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits post-disclosure. European organizations with embedded Linux devices or those using F2FS in specialized environments should consider this vulnerability a significant risk to system stability and security.

Mitigation Recommendations

To mitigate CVE-2021-47335, European organizations should:

1) Apply the official Linux kernel patches that fix the race condition by ensuring proper initialization and destruction of the fsync_entry_slab cache. This requires updating to a kernel version that includes the fix or backporting the patch if using long-term support kernels.
2) Audit and inventory systems to identify those using the F2FS filesystem, including embedded devices, mobile devices, and servers.
3) Limit local access to systems using F2FS to trusted users only, as exploitation requires local privileges to mount or recover F2FS filesystems.
4) Implement strict access controls and monitoring for filesystem mount operations and kernel logs to detect unusual activity related to F2FS mounts or recovery processes.
5) For embedded and IoT devices, coordinate with vendors to ensure firmware updates include the patched kernel.
6) Employ kernel hardening techniques such as Kernel Address Space Layout Randomization (KASLR), Kernel Page Table Isolation (KPTI), and other memory protection features to reduce the risk of exploitation.
7) Regularly monitor security advisories for any emerging exploits targeting this vulnerability and respond promptly.

Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-05-21T14:28:16.977Z
CISA Enriched: true
CVSS Version: null
State: PUBLISHED

Threat ID: 682d9835c4522896dcbea4b8

Added to database: 5/21/2025, 9:09:09 AM

Last enriched: 6/26/2025, 10:50:08 AM

Last updated: 7/13/2025, 2:21:32 AM
