CVE-2021-47356: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:
mISDN: fix possible use-after-free in HFC_cleanup()
This module's remove path calls del_timer(). However, that function does not wait until the timer handler finishes. This means that the timer handler may still be running after the driver's remove function has finished, which would result in a use-after-free.
Fix by calling del_timer_sync(), which makes sure the timer handler has finished, and is unable to re-schedule itself.
AI Analysis
Technical Summary
CVE-2021-47356 is a high-severity vulnerability identified in the Linux kernel's mISDN module, specifically related to a use-after-free condition in the HFC_cleanup() function. The root cause lies in the improper handling of timer deletion during the driver's remove path. The vulnerable code calls del_timer(), which removes the timer but does not wait for the timer handler to finish executing. Consequently, the timer handler may still be running after the driver's remove function completes, leading to a use-after-free scenario where the handler accesses memory that has already been freed. This can cause undefined behavior, including kernel crashes or potential escalation of privileges. The fix involves replacing del_timer() with del_timer_sync(), which ensures that the timer handler has fully completed and cannot reschedule itself before the removal process finishes.
The vulnerability is classified under CWE-416 (Use After Free) and has a CVSS v3.1 score of 7.7, indicating high severity. The attack vector is local (AV:L), requiring low attack complexity (AC:L), no privileges (PR:N), and no user interaction (UI:N). The impact affects integrity and availability but not confidentiality. No known exploits are currently reported in the wild.
The affected versions correspond to specific Linux kernel commits prior to the fix. This vulnerability is relevant to systems running Linux kernels with the mISDN module enabled, which is used for ISDN communication hardware support. The issue was published on May 21, 2024, and is recognized by the Linux project and CISA as a significant kernel security flaw.
Potential Impact
For European organizations, this vulnerability poses a significant risk primarily to systems running Linux kernels with the mISDN module enabled. While mISDN is a niche module related to ISDN hardware, some telecom providers, industrial systems, or legacy infrastructure in Europe might still rely on ISDN technology or Linux-based embedded systems using this module. Exploitation could lead to kernel crashes (denial of service) or potentially allow attackers to escalate privileges locally, compromising system integrity and availability. This could disrupt critical services, especially in sectors like telecommunications, manufacturing, or government infrastructure that utilize Linux-based systems with ISDN support. Although exploitation requires local access, the low complexity and no need for privileges or user interaction mean that attackers who gain initial footholds could leverage this vulnerability to deepen their control. The absence of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially as attackers often develop exploits post-disclosure. European organizations with legacy or specialized Linux deployments should prioritize assessment and remediation to prevent potential targeted attacks or accidental system failures.
Mitigation Recommendations
1. Immediate application of the official Linux kernel patch that replaces del_timer() with del_timer_sync() in the mISDN module to ensure safe timer deletion.
2. Audit and inventory Linux systems to identify those running kernels with the vulnerable mISDN module enabled, focusing on telecom, industrial, and embedded environments.
3. For systems where patching is not immediately feasible, consider disabling the mISDN module if it is not required, to eliminate the attack surface.
4. Implement strict local access controls and monitoring to detect unusual kernel activity or crashes that may indicate exploitation attempts.
5. Employ kernel hardening techniques such as Kernel Address Space Layout Randomization (KASLR) and Control Flow Integrity (CFI) to reduce exploitation likelihood.
6. Maintain up-to-date backups and incident response plans to quickly recover from potential denial-of-service or compromise scenarios.
7. Engage with Linux distribution vendors and update to the latest stable kernel versions that include this fix.
8. Monitor security advisories for any emerging exploit code or related vulnerabilities in the mISDN subsystem.
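
One way to carry out recommendations 2 and 3 on a single host, as an added example that is not part of the advisory: it reads /proc/modules, lists the mISDN core module together with the drivers that depend on it, and prints modprobe.d rules for review. The module name mISDN_core, the function names and the sample input are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the advisory): inventory loaded mISDN modules and
# print modprobe.d rules that keep them from being loaded again.
# Assumption: the core module is named mISDN_core, as in upstream kernels.
CORE_MODULE="mISDN_core"

# Constructed /proc/modules sample (sizes and addresses are made up).
# Fields: name size refcount dependents state address
sample_proc_modules() {
cat <<'EOF'
ext4 1138688 2 - Live 0x0000000000000000
hfcpci 49152 0 - Live 0x0000000000000000
mISDN_dsp 307200 0 - Live 0x0000000000000000
mISDN_core 221184 2 hfcpci,mISDN_dsp, Live 0x0000000000000000
mbcache 16384 1 ext4, Live 0x0000000000000000
EOF
}

# misdn_loaded [FILE]: print the core module and every module that the kernel
# lists as depending on it (field 4 of the core module's line), one per line.
misdn_loaded() {
    awk -v core="$CORE_MODULE" '
        $1 == core {
            print $1
            n = split($4, dep, ",")
            for (i = 1; i <= n; i++)
                if (dep[i] != "" && dep[i] != "-" && dep[i] !~ /^\[/)
                    print dep[i]
        }' "${1:-/proc/modules}"
}

# misdn_block_rules [FILE]: emit modprobe.d rules for the core module and any
# loaded dependents. "blacklist" only stops alias-based autoloading; the
# "install ... /bin/false" line also blocks modprobe loads by name or as a
# dependency.
misdn_block_rules() {
    { printf '%s\n' "$CORE_MODULE"; misdn_loaded "$1"; } | LC_ALL=C sort -u |
    while read -r mod; do
        printf 'blacklist %s\ninstall %s /bin/false\n' "$mod" "$mod"
    done
}

# Inspect the live system only when asked to; otherwise just define functions.
if [ "${1:-}" = "--live" ]; then
    misdn_loaded
    misdn_block_rules
fi
```

The printed rules stop future loads; they do not unload a module that is already running. Because the advisory places the flaw in the module's remove path, on an unpatched kernel let the rules take effect at the next reboot instead of unloading the driver live.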
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Belgium, Sweden, Finland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-05-21T14:28:16.987Z
- Cisa Enriched: true
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 682d9835c4522896dcbea572
Added to database: 5/21/2025, 9:09:09 AM
Last enriched: 7/3/2025, 6:12:00 AM
Last updated: 7/29/2025, 12:12:26 AM