CVE-2021-47375: Vulnerability in the Linux kernel
In the Linux kernel, the following vulnerability has been resolved:

blktrace: Fix uaf in blk_trace access after removing by sysfs

There is a use-after-free problem triggered by the following process:

      P1(sda)                          P2(sdb)
                                       echo 0 > /sys/block/sdb/trace/enable
                                         blk_trace_remove_queue
                                           synchronize_rcu
                                           blk_trace_free
                                             relay_close
rcu_read_lock
__blk_add_trace
  trace_note_tsk
  (Iterate running_trace_list)
                                               relay_close_buf
                                                 relay_destroy_buf
                                                   kfree(buf)
    trace_note(sdb's bt)
      relay_reserve
        buf->offset <- nullptr dereference (use-after-free) !!!
rcu_read_unlock

[ 502.714379] BUG: kernel NULL pointer dereference, address: 0000000000000010
[ 502.715260] #PF: supervisor read access in kernel mode
[ 502.715903] #PF: error_code(0x0000) - not-present page
[ 502.716546] PGD 103984067 P4D 103984067 PUD 17592b067 PMD 0
[ 502.717252] Oops: 0000 [#1] SMP
[ 502.720308] RIP: 0010:trace_note.isra.0+0x86/0x360
[ 502.732872] Call Trace:
[ 502.733193]  __blk_add_trace.cold+0x137/0x1a3
[ 502.733734]  blk_add_trace_rq+0x7b/0xd0
[ 502.734207]  blk_add_trace_rq_issue+0x54/0xa0
[ 502.734755]  blk_mq_start_request+0xde/0x1b0
[ 502.735287]  scsi_queue_rq+0x528/0x1140
...
[ 502.742704]  sg_new_write.isra.0+0x16e/0x3e0
[ 502.747501]  sg_ioctl+0x466/0x1100

Reproduce method:
  ioctl(/dev/sda, BLKTRACESETUP, blk_user_trace_setup[buf_size=127])
  ioctl(/dev/sda, BLKTRACESTART)
  ioctl(/dev/sdb, BLKTRACESETUP, blk_user_trace_setup[buf_size=127])
  ioctl(/dev/sdb, BLKTRACESTART)

  echo 0 > /sys/block/sdb/trace/enable &
  // Add delay(mdelay/msleep) before kernel enters blk_trace_free()

  ioctl$SG_IO(/dev/sda, SG_IO, ...)
  // Enters trace_note_tsk() after blk_trace_free() returned
  // Use mdelay in rcu region rather than msleep(which may schedule out)

Remove blk_trace from running_list before calling blk_trace_free() by sysfs if blk_trace is at Blktrace_running state.
AI Analysis
Technical Summary
CVE-2021-47375 is a use-after-free (UAF) vulnerability identified in the Linux kernel's block tracing subsystem (blktrace). The vulnerability arises when the kernel improperly handles the removal of block trace queues via sysfs, leading to a scenario where a freed memory buffer is subsequently accessed. Specifically, the flaw occurs during the process of disabling tracing on a block device (e.g., echoing '0' to /sys/block/sdb/trace/enable), which triggers blk_trace_remove_queue. This function calls synchronize_rcu and blk_trace_free, which eventually frees a relay buffer. However, due to a race condition and improper synchronization, the kernel later attempts to dereference a pointer within this freed buffer in trace_note(), resulting in a NULL pointer dereference and kernel oops. The vulnerability is triggered by a sequence of ioctl calls to set up and start tracing on devices, followed by disabling tracing on one device while issuing SCSI commands on another, exploiting timing to cause use-after-free. The flaw is rooted in the Linux kernel's block tracing code failing to remove blk_trace from the running list before freeing resources, leading to stale references. The CVSS v3.1 score is 6.2 (medium severity), with an attack vector of local access (AV:L), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), high confidentiality impact (C:H), no integrity or availability impact (I:N/A:N). This means an unprivileged local attacker can exploit the flaw to read sensitive kernel memory, potentially leaking confidential information. The vulnerability is classified under CWE-416 (Use After Free). No known exploits in the wild have been reported yet. The issue affects Linux kernel versions identified by the commit hash c71a896154119f4ca9e89d6078f5f63ad60ef199 and likely other versions before the patch. The vulnerability was published on May 21, 2024, and is considered resolved in patched kernels. 
The technical root cause is a race condition in resource cleanup and RCU synchronization in the block tracing subsystem, leading to dereferencing freed memory buffers and kernel crashes or information leaks.
Potential Impact
For European organizations, the impact of CVE-2021-47375 primarily concerns systems running vulnerable Linux kernel versions with block tracing enabled or accessible. Since the attack requires local access but no privileges or user interaction, any user or process with the ability to issue ioctl calls to block devices or write to sysfs tracing controls could exploit this vulnerability. The confidentiality impact is high, meaning sensitive kernel memory could be exposed, potentially leaking cryptographic keys, passwords, or other sensitive information. While integrity and availability are not directly impacted, the kernel oops and NULL pointer dereference could cause system instability or crashes, leading to denial of service conditions. This is particularly critical for servers, cloud infrastructure, and embedded devices running Linux in European data centers or critical infrastructure. Organizations relying on Linux for storage servers, virtualization hosts, or network appliances may be at risk if they have block tracing enabled or accessible to untrusted users. The vulnerability could be leveraged by malicious insiders or attackers who have gained limited local access to escalate information disclosure or cause system disruptions. Given the widespread use of Linux in European enterprises, government agencies, and telecom infrastructure, the confidentiality breach risk is significant, especially in sectors handling sensitive personal data under GDPR or critical infrastructure under NIS Directive regulations.
Mitigation Recommendations
1. Patch Management: Immediately apply the official Linux kernel patches that fix CVE-2021-47375. Ensure all Linux systems, especially those running kernels prior to the fix, are updated to a secure version.
2. Access Control: Restrict local access to block device interfaces and sysfs tracing controls. Limit permissions so that only trusted administrators or processes can issue ioctl calls related to block tracing or write to /sys/block/*/trace/enable.
3. Disable Block Tracing: If block tracing is not required, disable or remove the feature to reduce the attack surface.
4. Monitoring and Auditing: Implement monitoring for unusual ioctl calls or sysfs writes related to block tracing. Audit user activities on systems with block devices to detect potential exploitation attempts.
5. Container and VM Isolation: For environments using containers or virtual machines, ensure strict isolation and limit device access to prevent unprivileged users from exploiting the vulnerability.
6. Incident Response Preparedness: Prepare to respond to kernel crashes or information leakage incidents by having forensic and recovery procedures in place.
7. Vendor Coordination: Coordinate with Linux distribution vendors for timely patch deployment and security advisories.
8. Harden Kernel Configurations: Review kernel configurations to disable unnecessary tracing features and enforce strict kernel security modules (e.g., SELinux, AppArmor) policies to limit access to block tracing interfaces.
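The access-control, disable-tracing and monitoring recommendations above can be checked with a small read-only audit of the sysfs controls involved. The script below is an added example written for this page; it is not code from the advisory, the Linux kernel project or the page's vendor. It assumes a Linux sysfs layout of <root>/block/<dev>/trace/enable and GNU coreutils (stat -c), and takes the sysfs root as a parameter so the functions can also be exercised against a constructed directory tree.

```shell
#!/bin/sh
# Added example (not from the advisory or the Linux kernel project): read-only
# audit of blktrace controls. Assumes <root>/block/<dev>/trace/enable exists
# for every block device and that GNU stat (-c '%a') is available.

# Print one line per block device: "<dev> enabled=<0|1> mode=<octal perms>".
# $1 is the sysfs root (default /sys); a missing or empty tree prints nothing.
audit_blktrace() {
    root="${1:-/sys}"
    for ctl in "$root"/block/*/trace/enable; do
        [ -e "$ctl" ] || continue
        dev=$(basename "$(dirname "$(dirname "$ctl")")")
        state=$(cat "$ctl" 2>/dev/null || echo '?')
        mode=$(stat -c '%a' "$ctl" 2>/dev/null || echo '?')
        printf '%s enabled=%s mode=%s\n' "$dev" "$state" "$mode"
    done
}

# Return 0 when no device has tracing enabled and no control file is
# writable by group or other; otherwise print each finding and return 1.
# A trace/enable control writable by untrusted users matters here because
# the race in CVE-2021-47375 is reached by writing 0 to it while a trace
# is running; the fixed kernel closes the race, but the control should
# still be limited to administrators.
check_blktrace() {
    findings=$(audit_blktrace "$1" | awk '
        {
            split($2, e, "="); split($3, m, "=")
            if (e[2] == "1")
                print $1 ": block tracing is enabled"
            # mode is octal; write bit set when the digit is 2, 3, 6 or 7
            if (m[2] ~ /^[0-7]+$/) {
                g = substr(m[2], length(m[2]) - 1, 1)
                o = substr(m[2], length(m[2]), 1)
                if (g ~ /[2367]/ || o ~ /[2367]/)
                    print $1 ": trace/enable writable by group/other (mode " m[2] ")"
            }
        }')
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Live usage (read-only, needs no special privileges beyond read on sysfs):
#   audit_blktrace
#   check_blktrace || echo "blktrace controls need attention"
```

The audit only reads; disabling a running trace is left to an administrator on a patched kernel, since on an unpatched one that write is exactly the action the commit message describes as the trigger. A finding of "writable by group/other" points at recommendation 2 above, and "block tracing is enabled" at recommendation 3.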
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-05-21T14:58:30.811Z
- Cisa Enriched: true
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 682d9833c4522896dcbe8f5d
Added to database: 5/21/2025, 9:09:07 AM
Last enriched: 6/30/2025, 12:11:18 PM
Last updated: 8/12/2025, 8:54:28 PM
Views: 15
Related Threats
- CVE-2025-53948: CWE-415 Double Free in Santesoft Sante PACS Server (High)
- CVE-2025-52584: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt (High)
- CVE-2025-46269: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt (High)
- CVE-2025-54862: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server (Medium)
- CVE-2025-54759: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server (Medium)