
CVE-2021-47338: Vulnerability in Linux

High
Published: Tue May 21 2024 (05/21/2024, 14:35:47 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

fbmem: Do not delete the mode that is still in use

The execution of fb_delete_videomode() is not based on the result of the previous fbcon_mode_deleted(). As a result, the mode is directly deleted, regardless of whether it is still in use, which may cause UAF.

==================================================================
BUG: KASAN: use-after-free in fb_mode_is_equal+0x36e/0x5e0 \
drivers/video/fbdev/core/modedb.c:924
Read of size 4 at addr ffff88807e0ddb1c by task syz-executor.0/18962

CPU: 2 PID: 18962 Comm: syz-executor.0 Not tainted 5.10.45-rc1+ #3
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ...
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x137/0x1be lib/dump_stack.c:118
 print_address_description+0x6c/0x640 mm/kasan/report.c:385
 __kasan_report mm/kasan/report.c:545 [inline]
 kasan_report+0x13d/0x1e0 mm/kasan/report.c:562
 fb_mode_is_equal+0x36e/0x5e0 drivers/video/fbdev/core/modedb.c:924
 fbcon_mode_deleted+0x16a/0x220 drivers/video/fbdev/core/fbcon.c:2746
 fb_set_var+0x1e1/0xdb0 drivers/video/fbdev/core/fbmem.c:975
 do_fb_ioctl+0x4d9/0x6e0 drivers/video/fbdev/core/fbmem.c:1108
 vfs_ioctl fs/ioctl.c:48 [inline]
 __do_sys_ioctl fs/ioctl.c:753 [inline]
 __se_sys_ioctl+0xfb/0x170 fs/ioctl.c:739
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Freed by task 18960:
 kasan_save_stack mm/kasan/common.c:48 [inline]
 kasan_set_track+0x3d/0x70 mm/kasan/common.c:56
 kasan_set_free_info+0x17/0x30 mm/kasan/generic.c:355
 __kasan_slab_free+0x108/0x140 mm/kasan/common.c:422
 slab_free_hook mm/slub.c:1541 [inline]
 slab_free_freelist_hook+0xd6/0x1a0 mm/slub.c:1574
 slab_free mm/slub.c:3139 [inline]
 kfree+0xca/0x3d0 mm/slub.c:4121
 fb_delete_videomode+0x56a/0x820 drivers/video/fbdev/core/modedb.c:1104
 fb_set_var+0x1f3/0xdb0 drivers/video/fbdev/core/fbmem.c:978
 do_fb_ioctl+0x4d9/0x6e0 drivers/video/fbdev/core/fbmem.c:1108
 vfs_ioctl fs/ioctl.c:48 [inline]
 __do_sys_ioctl fs/ioctl.c:753 [inline]
 __se_sys_ioctl+0xfb/0x170 fs/ioctl.c:739
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

AI-Powered Analysis

Last updated: 06/26/2025, 10:38:55 UTC

Technical Analysis

CVE-2021-47338 is a use-after-free (UAF) vulnerability in the Linux kernel's framebuffer subsystem, specifically in the fbmem core (drivers/video/fbdev/core/fbmem.c and modedb.c). In the mode-deletion path of fb_set_var(), fb_delete_videomode() is called without regard to the result of the preceding fbcon_mode_deleted() check, so a mode that the framebuffer console still references can be freed. The Kernel Address Sanitizer (KASAN) caught the consequence at runtime: a 4-byte read of freed memory in fb_mode_is_equal(), reached from fbcon_mode_deleted() during a later fb_set_var() call, after the object had been freed by fb_delete_videomode() in a fb_set_var() call made by another task (see the trace in the description). Exploitation of this flaw could allow an attacker able to invoke framebuffer ioctl system calls to trigger the use-after-free, potentially leading to kernel memory corruption, system crashes (denial of service), or privilege escalation if chained with other vulnerabilities. The vulnerability affects Linux kernel versions prior to the patch and is relevant to systems using the framebuffer console driver, which is common in embedded systems, virtual machines, and some desktop/server environments. No public exploits are currently known, and no CVSS score has been assigned yet. The vulnerability requires local access to the system to invoke the vulnerable ioctl calls; no further user interaction is necessary once such access is obtained.
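The control-flow defect described in the description and the analysis above, as an added example (not kernel code and not the page's own): a stand-alone C model of the mode-deletion path of fb_set_var() (selected by FB_ACTIVATE_INV_MODE in the real kernel), first with the in-use check's result dropped, then with deletion gated on it. The mode list, the console_mode pointer and the freed flags are constructed stand-ins for the kernel's modelist, fbcon state and kfree().

```c
#include <stdbool.h>
/* Constructed model of the fb_set_var() FB_ACTIVATE_INV_MODE path; not kernel
 * code. "Freeing" only marks a slot, so the model stays well-defined while
 * still showing which flow removes a mode the console is still displaying. */
struct videomode { int xres, yres, refresh; };
static struct videomode modelist[] = { {1024, 768, 60}, {800, 600, 60} };
static bool freed[2];                                      /* kfree() stand-in */
static const struct videomode *console_mode = &modelist[0]; /* what fbcon shows */

static bool mode_is_equal(const struct videomode *a, const struct videomode *b)
{
    return a->xres == b->xres && a->yres == b->yres && a->refresh == b->refresh;
}

/* fbcon_mode_deleted() stand-in: non-zero while the console still uses m. */
static int console_mode_in_use(const struct videomode *m)
{
    return mode_is_equal(console_mode, m);
}

/* fb_delete_videomode() stand-in: drops the entry unconditionally. */
static void delete_videomode(const struct videomode *m)
{
    for (int i = 0; i < 2; i++)
        if (mode_is_equal(&modelist[i], m))
            freed[i] = true;
}
bool mode_is_freed(int i) { return freed[i]; }

/* Vulnerable flow: the in-use check runs but its result is discarded. */
int inv_mode_vulnerable(const struct videomode *cur, const struct videomode *req)
{
    int ret = mode_is_equal(req, cur);   /* never delete the current var */
    if (!ret)
        console_mode_in_use(req);        /* bug: result dropped */
    if (!ret)
        delete_videomode(req);           /* frees the mode fbcon still points at */
    return ret ? -1 : 0;
}

/* Fixed flow: deletion is gated on the in-use result as well. */
int inv_mode_fixed(const struct videomode *cur, const struct videomode *req)
{
    int ret = mode_is_equal(req, cur);
    if (!ret)
        ret = console_mode_in_use(req);
    if (!ret)
        delete_videomode(req);
    return ret ? -1 : 0;
}
```

The vulnerable flow only refuses to delete the mode equal to the current var; a mode that is not the current var but is still shown by the console is freed, which is the state the KASAN report above then reads from.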

Potential Impact

For European organizations, the impact of CVE-2021-47338 can be significant, especially for those relying on Linux-based infrastructure, embedded devices, or virtualized environments that utilize the framebuffer console driver. Successful exploitation could lead to kernel crashes causing denial of service, which can disrupt critical services and operations. More severely, if chained with other vulnerabilities, it could enable privilege escalation, allowing attackers to gain root access, compromising confidentiality and integrity of sensitive data. This is particularly concerning for sectors such as finance, healthcare, telecommunications, and critical infrastructure operators in Europe, where Linux is widely deployed. The vulnerability could also affect cloud service providers and hosting companies operating Linux-based virtual machines, potentially impacting multiple tenants. While no known exploits exist yet, the presence of a use-after-free in kernel code is a high-risk condition that attackers may target once exploit development matures.

Mitigation Recommendations

European organizations should prioritize patching affected Linux kernel versions as soon as updates become available from their Linux distribution vendors. Since the vulnerability is in the framebuffer subsystem, organizations that do not require framebuffer console support should consider disabling or unloading the fbmem driver to reduce attack surface. For embedded systems or virtual machines, ensure that kernel updates are applied promptly and test them in staging environments before production deployment. Employ kernel hardening techniques such as Kernel Address Sanitizer (KASAN) in development and testing environments to detect similar issues early. Additionally, restrict local access to systems by enforcing strict access controls, limiting user privileges, and monitoring for unusual ioctl system call usage. Implementing security monitoring and intrusion detection systems that can flag anomalous kernel-level activities may help detect exploitation attempts. Finally, maintain up-to-date backups and incident response plans to mitigate potential service disruptions caused by exploitation attempts.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-05-21T14:28:16.978Z
CISA Enriched: true
CVSS Version: null
State: PUBLISHED

Threat ID: 682d9835c4522896dcbea4d1

Added to database: 5/21/2025, 9:09:09 AM

Last enriched: 6/26/2025, 10:38:55 AM

Last updated: 8/15/2025, 6:54:54 AM
