CVE-2021-47375 is a use-after-free (UAF) vulnerability identified in the Linux kernel's block tracing subsystem (blktrace). The vulnerability arises when the kernel improperly handles the removal of block trace queues via sysfs, leading to a scenario where a freed memory buffer is subsequently accessed. Specifically, the flaw occurs during the process of disabling tracing on a block device (e.g., echoing '0' to /sys/block/sdb/trace/enable), which triggers blk_trace_remove_queue. This function calls synchronize_rcu and blk_trace_free, which eventually frees a relay buffer. However, due to a race condition and improper synchronization, the kernel later attempts to dereference a pointer within this freed buffer in trace_note(), resulting in a NULL pointer dereference and kernel oops. The vulnerability is triggered by a sequence of ioctl calls to set up and start tracing on devices, followed by disabling tracing on one device while issuing SCSI commands on another, exploiting timing to cause use-after-free. The flaw is rooted in the Linux kernel's block tracing code failing to remove blk_trace from the running list before freeing resources, leading to stale references. The CVSS v3.1 score is 6.2 (medium severity), with an attack vector of local access (AV:L), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), high confidentiality impact (C:H), no integrity or availability impact (I:N/A:N). This means an unprivileged local attacker can exploit the flaw to read sensitive kernel memory, potentially leaking confidential information. The vulnerability is classified under CWE-416 (Use After Free). No known exploits in the wild have been reported yet. The issue affects Linux kernel versions identified by the commit hash c71a896154119f4ca9e89d6078f5f63ad60ef199 and likely other versions before the patch. The vulnerability was published on May 21, 2024, and is considered resolved in patched kernels. The technical root cause is a race condition in resource cleanup and RCU synchronization in the block tracing subsystem, leading to dereferencing freed memory buffers and kernel crashes or information leaks.

For European organizations, the impact of CVE-2021-47375 primarily concerns systems running vulnerable Linux kernel versions with block tracing enabled or accessible. Since the attack requires local access but no privileges or user interaction, any user or process with the ability to issue ioctl calls to block devices or write to sysfs tracing controls could exploit this vulnerability. The confidentiality impact is high, meaning sensitive kernel memory could be exposed, potentially leaking cryptographic keys, passwords, or other sensitive information. While integrity and availability are not directly impacted, the kernel oops and NULL pointer dereference could cause system instability or crashes, leading to denial of service conditions. This is particularly critical for servers, cloud infrastructure, and embedded devices running Linux in European data centers or critical infrastructure. Organizations relying on Linux for storage servers, virtualization hosts, or network appliances may be at risk if they have block tracing enabled or accessible to untrusted users. The vulnerability could be leveraged by malicious insiders or attackers who have gained limited local access to escalate information disclosure or cause system disruptions. Given the widespread use of Linux in European enterprises, government agencies, and telecom infrastructure, the confidentiality breach risk is significant, especially in sectors handling sensitive personal data under GDPR or critical infrastructure under NIS Directive regulations.

1. Patch Management: Immediately apply the official Linux kernel patches that fix CVE-2021-47375. Ensure all Linux systems, especially those running kernels prior to the fix, are updated to a secure version. 2. Access Control: Restrict local access to block device interfaces and sysfs tracing controls. Limit permissions so that only trusted administrators or processes can issue ioctl calls related to block tracing or write to /sys/block/*/trace/enable. 3. Disable Block Tracing: If block tracing is not required, disable or remove the feature to reduce the attack surface. 4. Monitoring and Auditing: Implement monitoring for unusual ioctl calls or sysfs writes related to block tracing. Audit user activities on systems with block devices to detect potential exploitation attempts. 5. Container and VM Isolation: For environments using containers or virtual machines, ensure strict isolation and limit device access to prevent unprivileged users from exploiting the vulnerability. 6. Incident Response Preparedness: Prepare to respond to kernel crashes or information leakage incidents by having forensic and recovery procedures in place. 7. Vendor Coordination: Coordinate with Linux distribution vendors for timely patch deployment and security advisories. 8. Harden Kernel Configurations: Review kernel configurations to disable unnecessary tracing features and enforce strict kernel security modules (e.g., SELinux, AppArmor) policies to limit access to block tracing interfaces.