CVE-2021-47337: Vulnerability in Linux kernel
In the Linux kernel, the following vulnerability has been resolved:

scsi: core: Fix bad pointer dereference when ehandler kthread is invalid

Commit 66a834d09293 ("scsi: core: Fix error handling of scsi_host_alloc()") changed the allocation logic to call put_device() to perform host cleanup with the assumption that IDA removal and stopping the kthread would properly be performed in scsi_host_dev_release(). However, in the unlikely case that the error handler thread fails to spawn, shost->ehandler is set to ERR_PTR(-ENOMEM).

The error handler cleanup code in scsi_host_dev_release() will call kthread_stop() if shost->ehandler != NULL which will always be the case whether the kthread was successfully spawned or not. In the case that it failed to spawn this has the nasty side effect of trying to dereference an invalid pointer when kthread_stop() is called. The following splat provides an example of this behavior in the wild:

scsi host11: error handler thread failed to spawn, error = -4
Kernel attempted to read user page (10c) - exploit attempt? (uid: 0)
BUG: Kernel NULL pointer dereference on read at 0x0000010c
Faulting instruction address: 0xc00000000818e9a8
Oops: Kernel access of bad area, sig: 11 [#1]
LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries
Modules linked in: ibmvscsi(+) scsi_transport_srp dm_multipath dm_mirror dm_region_hash dm_log dm_mod fuse overlay squashfs loop
CPU: 12 PID: 274 Comm: systemd-udevd Not tainted 5.13.0-rc7 #1
NIP: c00000000818e9a8 LR: c0000000089846e8 CTR: 0000000000007ee8
REGS: c000000037d12ea0 TRAP: 0300 Not tainted (5.13.0-rc7)
MSR: 800000000280b033 <SF,VEC,VSX,EE,FP,ME,IR,DR,RI,LE> CR: 28228228 XER: 20040001
CFAR: c0000000089846e4 DAR: 000000000000010c DSISR: 40000000 IRQMASK: 0
GPR00: c0000000089846e8 c000000037d13140 c000000009cc1100 fffffffffffffffc
GPR04: 0000000000000001 0000000000000000 0000000000000000 c000000037dc0000
GPR08: 0000000000000000 c000000037dc0000 0000000000000001 00000000fffff7ff
GPR12: 0000000000008000 c00000000a049000 c000000037d13d00 000000011134d5a0
GPR16: 0000000000001740 c0080000190d0000 c0080000190d1740 c000000009129288
GPR20: c000000037d13bc0 0000000000000001 c000000037d13bc0 c0080000190b7898
GPR24: c0080000190b7708 0000000000000000 c000000033bb2c48 0000000000000000
GPR28: c000000046b28280 0000000000000000 000000000000010c fffffffffffffffc
NIP [c00000000818e9a8] kthread_stop+0x38/0x230
LR [c0000000089846e8] scsi_host_dev_release+0x98/0x160
Call Trace:
[c000000033bb2c48] 0xc000000033bb2c48 (unreliable)
[c0000000089846e8] scsi_host_dev_release+0x98/0x160
[c00000000891e960] device_release+0x60/0x100
[c0000000087e55c4] kobject_release+0x84/0x210
[c00000000891ec78] put_device+0x28/0x40
[c000000008984ea4] scsi_host_alloc+0x314/0x430
[c0080000190b38bc] ibmvscsi_probe+0x54/0xad0 [ibmvscsi]
[c000000008110104] vio_bus_probe+0xa4/0x4b0
[c00000000892a860] really_probe+0x140/0x680
[c00000000892aefc] driver_probe_device+0x15c/0x200
[c00000000892b63c] device_driver_attach+0xcc/0xe0
[c00000000892b740] __driver_attach+0xf0/0x200
[c000000008926f28] bus_for_each_dev+0xa8/0x130
[c000000008929ce4] driver_attach+0x34/0x50
[c000000008928fc0] bus_add_driver+0x1b0/0x300
[c00000000892c798] driver_register+0x98/0x1a0
[c00000000810eb60] __vio_register_driver+0x80/0xe0
[c0080000190b4a30] ibmvscsi_module_init+0x9c/0xdc [ibmvscsi]
[c0000000080121d0] do_one_initcall+0x60/0x2d0
[c000000008261abc] do_init_module+0x7c/0x320
[c000000008265700] load_module+0x2350/0x25b0
[c000000008265cb4] __do_sys_finit_module+0xd4/0x160
[c000000008031110] system_call_exception+0x150/0x2d0
[c00000000800d35c] system_call_common+0xec/0x278

Fix this by nulling shost->ehandler when the kthread fails to spawn.
AI Analysis
Technical Summary
CVE-2021-47337 is a bug in the Linux kernel's SCSI core, in the interaction between scsi_host_alloc() and scsi_host_dev_release(). scsi_host_alloc() starts a per-host error-handler kernel thread with kthread_run() and stores the result in shost->ehandler. If thread creation fails, kthread_run() returns an error pointer rather than NULL: ERR_PTR(-ENOMEM) when memory is short, or ERR_PTR(-EINTR) when the creating process receives a fatal signal, which is the "error = -4" case in the splat above (the probing process was systemd-udevd loading ibmvscsi on a pSeries partition). Since commit 66a834d09293 the failure path of scsi_host_alloc() calls put_device(), which runs scsi_host_dev_release(); that function guards thread teardown with a plain non-NULL test, if (shost->ehandler) kthread_stop(shost->ehandler);, and an error pointer is non-NULL, so kthread_stop() is called on it. The splat shows exactly this: GPR03, the first argument register on ppc64, holds fffffffffffffffc, which is ERR_PTR(-4), and the data address register DAR holds 000000000000010c. The error pointer is a small negative value, so adding a task_struct field offset wraps into the first page of the address space; the fault handler therefore reports a "NULL pointer dereference on read at 0x0000010c" even though the pointer was never NULL. The root cause is that the failure branch of scsi_host_alloc() left the error pointer in shost->ehandler; the fix sets shost->ehandler to NULL there, so the release path skips kthread_stop(). The affected range is kernels that contain commit 66a834d09293 but not this fix; the splat is from 5.13.0-rc7. The consequence is an oops in the probing context (a udev worker here), which kills that task and leaves the SCSI host unregistered, or panics the machine where panic_on_oops is set. There is no indication of privilege escalation or code execution, no in-the-wild exploitation has been reported, and no CVSS score is assigned on this record.
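The following userland model is an added example, not kernel code and not from the advisory: it reproduces the ERR_PTR/IS_ERR semantics of include/linux/err.h (MAX_ERRNO = 4095), reduces scsi_host_alloc() and scsi_host_dev_release() to the lines that matter, and lets the "thread failed to spawn" path be driven with an injected errno so the difference between the pre-fix and fixed logic can be observed without crashing. The struct names are stand-ins, the modelled kthread_stop() counts an invalid pointer instead of dereferencing it, and the 0x110 field offset used to reproduce the DAR value is an assumption inferred from the splat (DAR minus GPR03), not taken from a kernel header.

```c
/* Added example (not kernel code): userland model of the CVE-2021-47337
 * pattern. ERR_PTR/IS_ERR follow include/linux/err.h; the scsi_host_alloc()
 * and scsi_host_dev_release() bodies are reduced to the two lines that matter.
 * The task_struct field offset 0x110 is an assumption inferred from the splat
 * (GPR03 = fffffffffffffffc, DAR = 0x10c), not taken from a kernel header. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_ERRNO 4095

static inline void *ERR_PTR(long error) { return (void *)error; }
static inline long PTR_ERR(const void *ptr) { return (long)ptr; }
static inline bool IS_ERR(const void *ptr)
{
    return (unsigned long)ptr >= (unsigned long)-MAX_ERRNO;
}

struct task_struct { unsigned int flags; };      /* stand-in for the real one */
struct Scsi_Host  { struct task_struct *ehandler; };

struct probe_result {
    long rc;          /* return value of the modelled scsi_host_alloc() */
    int  bad_stops;   /* kthread_stop() reached with NULL or an ERR_PTR */
    int  good_stops;  /* kthread_stop() reached with a live task */
};

static struct task_struct model_task;

/* Model of kthread_run(): inject_err == 0 succeeds, otherwise an ERR_PTR. */
static struct task_struct *model_kthread_run(long inject_err)
{
    return inject_err ? ERR_PTR(inject_err) : &model_task;
}

/* Model of kthread_stop(): the real one dereferences k immediately, which is
 * the fault in the splat. Here an invalid pointer is counted, not touched. */
static void model_kthread_stop(struct task_struct *k, struct probe_result *r)
{
    if (k == NULL || IS_ERR(k)) { r->bad_stops++; return; }
    k->flags |= 1u;      /* touch the task, as the real kthread_stop() does */
    r->good_stops++;
}

/* Model of scsi_host_dev_release(): the check that lets an ERR_PTR through. */
static void model_host_release(struct Scsi_Host *shost, struct probe_result *r)
{
    if (shost->ehandler)                     /* true for ERR_PTR(-ENOMEM) too */
        model_kthread_stop(shost->ehandler, r);
}

/* Model of the ehandler part of scsi_host_alloc(). fixed == false is the
 * pre-fix logic; fixed == true replaces the ERR_PTR with NULL before the
 * put_device() path runs the release callback. */
static struct probe_result run_probe(bool fixed, long inject_err)
{
    struct probe_result r = { 0, 0, 0 };
    struct Scsi_Host host = { NULL };

    host.ehandler = model_kthread_run(inject_err);
    if (IS_ERR(host.ehandler)) {
        r.rc = PTR_ERR(host.ehandler);
        fprintf(stderr, "error handler thread failed to spawn, error = %ld\n", r.rc);
        if (fixed)
            host.ehandler = NULL;            /* the one-line fix */
        model_host_release(&host, &r);       /* what put_device() ends up doing */
        return r;
    }
    /* Successful probe; a later teardown also goes through the release path. */
    model_host_release(&host, &r);
    return r;
}

/* Why the oops says "NULL pointer dereference at 0x0000010c": the error
 * pointer is a small negative number, so adding a struct field offset wraps
 * into the first page. field_off is the assumed offset, see header comment. */
static uintptr_t fault_address(long err, uintptr_t field_off)
{
    return (uintptr_t)ERR_PTR(err) + field_off;
}

int main(void)
{
    struct probe_result v = run_probe(false, -ENOMEM);
    struct probe_result f = run_probe(true, -ENOMEM);
    printf("pre-fix: invalid kthread_stop calls = %d\n", v.bad_stops);
    printf("fixed:   invalid kthread_stop calls = %d\n", f.bad_stops);
    printf("ERR_PTR(-EINTR) + 0x110 = 0x%lx\n",
           (unsigned long)fault_address(-EINTR, 0x110));
    return 0;
}
```

The point the model makes is that IS_ERR() and a non-NULL test answer different questions: the allocation path already knew the pointer was bad (it printed the warning), but the release callback only asked whether it was NULL. Whenever an error pointer is stored in a structure that a separate teardown routine will walk, either clear it in the failure branch, as the fix does, or make the teardown check IS_ERR_OR_NULL() rather than a bare pointer test.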
Potential Impact
For European organizations the impact of CVE-2021-47337 is availability only: an oops in the task that was registering a SCSI host, escalating to a full kernel panic where kernel.panic_on_oops is set. The code path is scsi_host_alloc(), so the bug can only fire while a SCSI host is being created, which happens at driver probe time: boot, module load, or hot-plug of a SCSI, SAS, Fibre Channel or virtual adapter (the splat above is IBM Virtual SCSI, ibmvscsi, on a pSeries partition, but any scsi_host_alloc() caller is affected). The thread-creation failure it requires is rare: memory exhaustion at that moment, or a fatal signal to the probing process, which is the -EINTR in the splat. Unprivileged users cannot call scsi_host_alloc() and cannot choose when a probe happens, so this is a reliability hazard for data centers, hosting providers and other high-availability environments (finance, healthcare, manufacturing) rather than a locally or remotely triggerable attack; a privileged user who can already load modules or kill udev workers has easier ways to crash a host. Confidentiality and integrity are not affected. Systems on kernels that contain commit 66a834d09293 without the fix remain exposed until updated; no exploitation in the wild is known, and the sensible posture is to take the fix with routine kernel updates rather than as an emergency patch.
Mitigation Recommendations
1. Update to a kernel that includes the fix (shost->ehandler set to NULL when the error-handler thread fails to spawn). Distribution kernels that carried commit 66a834d09293 as a stable backport need the fix backported as well; check the vendor advisory for this CVE rather than assuming a version cut-off.
2. For self-built or long-term-support kernels, backport the patch: it is a one-line change in the failure branch of scsi_host_alloc().
3. Watch kernel logs for the warning that precedes the crash, "error handler thread failed to spawn", and for oops traces with kthread_stop called from scsi_host_dev_release. The oops means the fix is missing; on a fixed kernel the warning alone only means a probe failed cleanly and should be investigated as a resource problem.
4. Keep driver probe away from memory pressure: avoid loading storage drivers or hot-plugging adapters on hosts that are already short of memory, and do not kill udev workers mid-probe, since a fatal signal to the probing task is the -EINTR path seen in the splat.
5. Decide the host's behaviour on an oops deliberately: kernel.panic_on_oops together with kdump turns a wedged probe into a reboot with a vmcore to analyse, while leaving it unset keeps the machine up but with the SCSI host unregistered.
6. Test kernel updates in a staging environment before deploying them to critical systems.
7. Maintain an inventory of kernel versions in use so the affected population is known and patching can be prioritized.
8. Isolate critical workloads in separate virtual machines where a kernel crash matters. Containers share the host kernel, so a kernel panic takes every container on the host down with it; containerization does not limit the blast radius of this bug.
9. Track Linux distribution vendor advisories for this CVE for the exact fixed package versions.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden, Belgium, Finland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-05-21T14:28:16.978Z
- Cisa Enriched: true
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9835c4522896dcbea4c0
Added to database: 5/21/2025, 9:09:09 AM
Last enriched: 6/26/2025, 10:39:14 AM
Last updated: 8/14/2025, 6:45:28 AM