CVE-2021-47350: Vulnerability in Linux (Linux kernel)
In the Linux kernel, the following vulnerability has been resolved:

powerpc/mm: Fix lockup on kernel exec fault

The powerpc kernel is not prepared to handle exec faults from the kernel. Especially, the function is_exec_fault() will return 'false' when an exec fault is taken by the kernel, because the check is based on reading current->thread.regs->trap, which contains the trap from user.

For instance, when provoking a LKDTM EXEC_USERSPACE test, current->thread.regs->trap is set to SYSCALL trap (0xc00), and the fault taken by the kernel is not seen as an exec fault by set_access_flags_filter().

Commit d7df2443cd5f ("powerpc/mm: Fix spurious segfaults on radix with autonuma") made it clear and handled it properly. But later on, commit d3ca587404b3 ("powerpc/mm: Fix reporting of kernel execute faults") removed that handling, introducing a test based on error_code. And here is the problem, because on the 603 all upper bits of SRR1 get cleared when the TLB instruction miss handler bails out to ISI.

Until commit cbd7e6ca0210 ("powerpc/fault: Avoid heavy search_exception_tables() verification"), an exec fault from the kernel at a userspace address was indirectly caught by the lack of an entry for that address in the exception tables. But after that commit the kernel mainly relies on KUAP or on core mm handling to catch wrong user accesses. Here the access is not wrong, so mm handles it. It is a minor fault because PAGE_EXEC is not set; set_access_flags_filter() should set PAGE_EXEC and voila. But as is_exec_fault() returns false as explained in the beginning, set_access_flags_filter() bails out without setting the PAGE_EXEC flag, which leads to a forever minor exec fault.

As the kernel is not prepared to handle such exec faults, the thing to do is to fire in bad_kernel_fault() for any exec fault taken by the kernel, as it was prior to commit d3ca587404b3.
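The fault loop described above, replayed as a small user-space model written for this page (it is not kernel code from the fix or from arch/powerpc/mm): the flawed check reads the trap saved at user entry (SYSCALL, 0xc00) instead of the trap of the fault being handled, so the filter never sets PAGE_EXEC and the kernel retakes the same minor fault without end; with the fix, a kernel exec fault goes to bad_kernel_fault() on the first pass. The struct layouts, the PAGE_EXEC bit value, the fault bound and the use of 0x400 (the powerpc ISI vector) as the exec-fault trap are assumptions of the model.

```c
#include <stdbool.h>

/* 0xc00 (SYSCALL) comes from the advisory; 0x400 is the powerpc
 * instruction storage interrupt vector, used here as the exec-fault trap. */
#define TRAP_SYSCALL 0xc00
#define TRAP_ISI     0x400
#define PAGE_EXEC    0x1   /* model pte flag, not the real kernel value */
#define MAX_FAULTS   64    /* bound so the model terminates */

struct regs   { unsigned long trap; };
struct thread { struct regs *regs; };  /* stands in for current->thread.regs */

enum outcome { ACCESS_OK, BAD_KERNEL_FAULT, LOCKUP };

/* Model of the flawed is_exec_fault(): it inspects the regs saved at user
 * entry, so for a kernel-mode fault it sees the SYSCALL trap, not the ISI. */
static bool is_exec_fault_model(const struct thread *t)
{
    return t->regs->trap == TRAP_ISI;
}

/* Model of set_access_flags_filter(): only an exec fault earns PAGE_EXEC. */
static unsigned long access_flags_filter(unsigned long pte, bool exec_fault)
{
    return exec_fault ? (pte | PAGE_EXEC) : pte;
}

/* Replays an exec fault on a mapped page that lacks PAGE_EXEC.
 * kernel_mode: the fault is taken while running in the kernel.
 * fixed: fire bad_kernel_fault() for any kernel exec fault (the fix). */
static enum outcome simulate(bool kernel_mode, bool fixed, int *faults)
{
    /* In kernel mode the saved user regs still hold the syscall trap;
     * in user mode the faulting regs are the saved regs themselves. */
    struct regs user_regs = { kernel_mode ? TRAP_SYSCALL : TRAP_ISI };
    struct thread thread = { &user_regs };
    unsigned long pte = 0;              /* mapped, PAGE_EXEC clear */

    for (*faults = 0; *faults < MAX_FAULTS; ) {
        if (pte & PAGE_EXEC)
            return ACCESS_OK;           /* instruction finally executes */
        (*faults)++;
        if (fixed && kernel_mode)
            return BAD_KERNEL_FAULT;    /* oops instead of retrying forever */
        /* mm treats it as a minor fault and asks the filter to fix the pte */
        pte = access_flags_filter(pte, is_exec_fault_model(&thread));
    }
    return LOCKUP;                      /* the "forever minor exec fault" */
}
```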
AI Analysis
Technical Summary
CVE-2021-47350 is a medium-severity vulnerability in the Linux kernel's memory-management code for the PowerPC architecture. The kernel does not correctly handle execution faults taken while running in kernel mode: is_exec_fault() decides whether a fault is an exec fault by reading the trap value saved in current->thread.regs, which reflects the trap taken from user space (for example the SYSCALL trap) rather than the fault actually being handled, so it returns false for a kernel-mode exec fault. As a result set_access_flags_filter() never sets the PAGE_EXEC flag on the page, the same minor execution fault is taken again and again, and the kernel locks up. The root cause lies in a sequence of kernel commits: earlier handling of kernel exec faults was removed in favour of an error_code-based check, which does not work on some PowerPC cores (notably the 603, where the upper bits of SRR1 are cleared before the fault reaches the handler), and a later change left core mm handling as the main safeguard. The fix restores the earlier behaviour of sending any exec fault taken by the kernel to bad_kernel_fault(). The vulnerability does not affect user space directly but can cause a denial of service through kernel lockup. Exploitation requires local access with low privileges (PR:L) and no user interaction; the attack vector is local (AV:L). The CVSS score is 5.5 (medium), reflecting the impact on availability with no effect on confidentiality or integrity. No exploits in the wild have been reported. The issue is specific to PowerPC Linux kernels and is resolved by applying the kernel patch.
Potential Impact
For European organizations running Linux on PowerPC architectures, this vulnerability could lead to denial of service conditions due to kernel lockups. While PowerPC is less common than x86 architectures in mainstream servers and desktops, it is still used in specialized embedded systems, industrial control systems, telecommunications equipment, and some legacy infrastructure. Organizations in sectors such as manufacturing, telecommunications, and critical infrastructure that rely on PowerPC-based Linux systems could experience service interruptions or system crashes, impacting operational continuity. The vulnerability does not expose data confidentiality or integrity but can disrupt availability, potentially affecting real-time systems or critical applications. Given the local attack vector and requirement for limited privileges, the threat is mainly from insider threats or compromised local accounts. The absence of known exploits reduces immediate risk but patching is essential to prevent future exploitation and maintain system stability.
Mitigation Recommendations
1. Apply the official Linux kernel patches that address CVE-2021-47350 as soon as they become available from trusted Linux distributions or kernel maintainers.
2. For systems where patching is delayed, restrict local access to trusted users only to reduce the risk of exploitation.
3. Monitor kernel logs for unusual execution faults or kernel lockups that may indicate attempts to trigger this vulnerability.
4. Implement strict privilege management and auditing on PowerPC Linux systems to detect and prevent unauthorized local privilege escalation attempts.
5. For embedded or specialized devices, coordinate with hardware vendors to ensure firmware and kernel updates include this fix.
6. Consider isolating critical PowerPC Linux systems from untrusted networks and users to minimize the attack surface.
7. Regularly review and update incident response plans to include scenarios involving kernel denial of service conditions.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Sweden, Finland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-05-21T14:28:16.984Z
- CISA Enriched: true
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 682d9835c4522896dcbea536
Added to database: 5/21/2025, 9:09:09 AM
Last enriched: 6/26/2025, 10:36:12 AM
Last updated: 8/3/2025, 4:30:34 AM