CVE-2021-47379: Use-after-free in the Linux kernel (blk-cgroup / BFQ I/O scheduler)
In the Linux kernel, the following vulnerability has been resolved:

blk-cgroup: fix UAF by grabbing blkcg lock before destroying blkg pd

KASAN reports a use-after-free report when doing fuzz test:

[693354.104835] ==================================================================
[693354.105094] BUG: KASAN: use-after-free in bfq_io_set_weight_legacy+0xd3/0x160
[693354.105336] Read of size 4 at addr ffff888be0a35664 by task sh/1453338
[693354.105607] CPU: 41 PID: 1453338 Comm: sh Kdump: loaded Not tainted 4.18.0-147
[693354.105610] Hardware name: Huawei 2288H V5/BC11SPSCB0, BIOS 0.81 07/02/2018
[693354.105612] Call Trace:
[693354.105621] dump_stack+0xf1/0x19b
[693354.105626] ? show_regs_print_info+0x5/0x5
[693354.105634] ? printk+0x9c/0xc3
[693354.105638] ? cpumask_weight+0x1f/0x1f
[693354.105648] print_address_description+0x70/0x360
[693354.105654] kasan_report+0x1b2/0x330
[693354.105659] ? bfq_io_set_weight_legacy+0xd3/0x160
[693354.105665] ? bfq_io_set_weight_legacy+0xd3/0x160
[693354.105670] bfq_io_set_weight_legacy+0xd3/0x160
[693354.105675] ? bfq_cpd_init+0x20/0x20
[693354.105683] cgroup_file_write+0x3aa/0x510
[693354.105693] ? ___slab_alloc+0x507/0x540
[693354.105698] ? cgroup_file_poll+0x60/0x60
[693354.105702] ? 0xffffffff89600000
[693354.105708] ? usercopy_abort+0x90/0x90
[693354.105716] ? mutex_lock+0xef/0x180
[693354.105726] kernfs_fop_write+0x1ab/0x280
[693354.105732] ? cgroup_file_poll+0x60/0x60
[693354.105738] vfs_write+0xe7/0x230
[693354.105744] ksys_write+0xb0/0x140
[693354.105749] ? __ia32_sys_read+0x50/0x50
[693354.105760] do_syscall_64+0x112/0x370
[693354.105766] ? syscall_return_slowpath+0x260/0x260
[693354.105772] ? do_page_fault+0x9b/0x270
[693354.105779] ? prepare_exit_to_usermode+0xf9/0x1a0
[693354.105784] ? enter_from_user_mode+0x30/0x30
[693354.105793] entry_SYSCALL_64_after_hwframe+0x65/0xca

[693354.105875] Allocated by task 1453337:
[693354.106001] kasan_kmalloc+0xa0/0xd0
[693354.106006] kmem_cache_alloc_node_trace+0x108/0x220
[693354.106010] bfq_pd_alloc+0x96/0x120
[693354.106015] blkcg_activate_policy+0x1b7/0x2b0
[693354.106020] bfq_create_group_hierarchy+0x1e/0x80
[693354.106026] bfq_init_queue+0x678/0x8c0
[693354.106031] blk_mq_init_sched+0x1f8/0x460
[693354.106037] elevator_switch_mq+0xe1/0x240
[693354.106041] elevator_switch+0x25/0x40
[693354.106045] elv_iosched_store+0x1a1/0x230
[693354.106049] queue_attr_store+0x78/0xb0
[693354.106053] kernfs_fop_write+0x1ab/0x280
[693354.106056] vfs_write+0xe7/0x230
[693354.106060] ksys_write+0xb0/0x140
[693354.106064] do_syscall_64+0x112/0x370
[693354.106069] entry_SYSCALL_64_after_hwframe+0x65/0xca

[693354.106114] Freed by task 1453336:
[693354.106225] __kasan_slab_free+0x130/0x180
[693354.106229] kfree+0x90/0x1b0
[693354.106233] blkcg_deactivate_policy+0x12c/0x220
[693354.106238] bfq_exit_queue+0xf5/0x110
[693354.106241] blk_mq_exit_sched+0x104/0x130
[693354.106245] __elevator_exit+0x45/0x60
[693354.106249] elevator_switch_mq+0xd6/0x240
[693354.106253] elevator_switch+0x25/0x40
[693354.106257] elv_iosched_store+0x1a1/0x230
[693354.106261] queue_attr_store+0x78/0xb0
[693354.106264] kernfs_fop_write+0x1ab/0x280
[693354.106268] vfs_write+0xe7/0x230
[693354.106271] ksys_write+0xb0/0x140
[693354.106275] do_syscall_64+0x112/0x370
[693354.106280] entry_SYSCALL_64_after_hwframe+0x65/0xca

[693354.106329] The buggy address belongs to the object at ffff888be0a35580 which belongs to the cache kmalloc-1k of size 1024
[693354.106736] The buggy address is located 228 bytes inside of 1024-byte region [ffff888be0a35580, ffff888be0a35980)
[693354.107114] The buggy address belongs to the page:
[693354.107273] page:ffffea002f828c00 count:1 mapcount:0 mapping:ffff888107c17080 index:0x0 compound_mapcount: 0
[693354.107606] flags: 0x17ffffc0008100(slab|head)
[693354.107760] raw: 0017ffffc0008100 ffffea002fcbc808 ffffea0030bd3a08 ffff888107c17080
[693354.108020] r ---truncated---
AI Analysis
Technical Summary
CVE-2021-47379 is a use-after-free (UAF) in the Linux kernel's block control group (blk-cgroup) layer, reached through the BFQ (Budget Fair Queueing) I/O scheduler. For every cgroup and request queue, each registered blkcg policy keeps a per-policy data object (the "blkg pd"); for BFQ this is the struct bfq_group that bfq_pd_alloc allocates, visible in the report as a 1024-byte object in the kmalloc-1k slab. Two independent paths touch that object. The legacy (cgroup v1) weight file is handled by bfq_io_set_weight_legacy, which walks the cgroup's blkgs under blkcg->lock and updates each group's weight. The elevator switch path (elv_iosched_store -> elevator_switch -> blk_mq_exit_sched -> bfq_exit_queue -> blkcg_deactivate_policy) frees it. Before the fix, blkcg_deactivate_policy destroyed the pd without taking blkcg->lock, so holding that lock in the writer did not keep the object alive: a weight write racing with a scheduler switch read four bytes from freed memory, which is exactly what the KASAN report shows (reader task 1453338 in bfq_io_set_weight_legacy; allocation by task 1453337 through bfq_init_queue; free by task 1453336 through bfq_exit_queue; all three entered the kernel through writes to sysfs or cgroupfs files). The fix does what its title says: it grabs blkcg->lock before destroying the blkg pd, so the teardown and the weight update are serialized.

KASAN found the bug during fuzz testing on a 4.18-based kernel (4.18.0-147 in the trace). The CVE record tracks the affected range by upstream commit, and vendor kernels backport the fix independently of their version string, so "affected" means any kernel that predates your distribution's backport. This record carries no CVSS score, and no public exploit is known as of publication.

On triggerability: both sides of the race are file writes, but with different privilege. Switching the scheduler is a write to /sys/block/<dev>/queue/scheduler, which is root-writable only by default; updating the weight is a write to the cgroup v1 blkio.bfq.weight file, which can be delegated to unprivileged users or containers. An unprivileged local user therefore cannot drive both sides alone; the realistic cases are a delegated cgroup writer racing an administrative scheduler change (udev rules, tuning daemons, a human), or a privileged actor using the race deliberately. The outcome is kernel memory corruption: a crash (denial of service) is the likely result, and turning a slab UAF of this shape into code execution is conceivable but would need heap grooming and has not been demonstrated.
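The race above, as an added userspace model that is not kernel code and not part of the advisory. The struct names, the spinlock-as-flag model, the liveness table standing in for KASAN's shadow memory, and the deactivate_policy_vuln/deactivate_policy_fixed pair are this example's own constructions, chosen to mirror the frames in the KASAN report; the "fixed" variant is modelled on the fix title (take blkcg->lock before destroying the pd), not copied from the upstream diff. It replays the interleaving deterministically in one thread: the weight writer loads the pd under blkcg->lock, the elevator switch tears it down, the writer then touches it.

```c
/* Single-threaded model of the CVE-2021-47379 race (illustrative, not kernel code). */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Spinlock model: single-threaded, so "would spin" is a failed try_lock. */
struct spin { bool held; };
static bool try_lock(struct spin *l) { if (l->held) return false; l->held = true; return true; }
static void unlock(struct spin *l)   { l->held = false; }

/* Model of the per-cgroup BFQ policy data (the "blkg pd" in the report). */
struct bfq_group { unsigned int weight; };

/* Model of struct blkcg: its own lock, the queue lock, and one pd slot. */
struct blkcg {
    struct spin lock;        /* stands in for blkcg->lock */
    struct spin queue_lock;  /* stands in for q->queue_lock */
    struct bfq_group *pd;
};

/* Model-only allocator with a liveness table, playing the part of KASAN's
 * shadow memory: a freed object is reported, never dereferenced. */
#define POOL 4
static struct bfq_group pool[POOL];
static bool live[POOL];

static struct bfq_group *pd_alloc(void)                 /* bfq_pd_alloc() */
{
    for (int i = 0; i < POOL; i++)
        if (!live[i]) { live[i] = true; pool[i].weight = 100; return &pool[i]; }
    return NULL;
}
static void pd_free(struct bfq_group *pd)               /* kfree() in blkcg_deactivate_policy() */
{
    live[pd - pool] = false;
    pd->weight = 0xdeadbeef;                            /* the slab memory is gone */
}
static bool pd_is_live(const struct bfq_group *pd)
{
    return pd && pd >= pool && pd < pool + POOL && live[pd - pool];
}

/* The access the report flags: read the group's weight, then update it. */
static int pd_set_weight(struct bfq_group *pd, unsigned int w)
{
    if (!pd_is_live(pd))
        return -EFAULT;                                 /* use-after-free */
    if (pd->weight != w)
        pd->weight = w;
    return 0;
}

/* Vulnerable teardown: frees the pd holding only the queue lock, so a
 * writer that holds blkcg->lock is not excluded. */
static int deactivate_policy_vuln(struct blkcg *cg)
{
    if (!try_lock(&cg->queue_lock)) return -EBUSY;
    struct bfq_group *pd = cg->pd;
    cg->pd = NULL;
    if (pd) pd_free(pd);
    unlock(&cg->queue_lock);
    return 0;
}

/* Fixed teardown: also grabs blkcg->lock around destroying the pd.
 * -EBUSY means the real kernel would spin here until the writer is done. */
static int deactivate_policy_fixed(struct blkcg *cg)
{
    if (!try_lock(&cg->queue_lock)) return -EBUSY;
    if (!try_lock(&cg->lock)) { unlock(&cg->queue_lock); return -EBUSY; }
    struct bfq_group *pd = cg->pd;
    cg->pd = NULL;
    if (pd) pd_free(pd);
    unlock(&cg->lock);
    unlock(&cg->queue_lock);
    return 0;
}

/* Replay the report's interleaving. Task A (sh/1453338) is inside
 * bfq_io_set_weight_legacy(); task B (1453336) is the elevator switch.
 * Returns the writer's result: -EFAULT on the vulnerable path, 0 when fixed. */
static int run_race(bool fixed)
{
    struct blkcg cg;
    memset(&cg, 0, sizeof cg);
    memset(live, 0, sizeof live);
    cg.pd = pd_alloc();

    try_lock(&cg.lock);                                 /* A: holds blkcg->lock */
    struct bfq_group *pd = cg.pd;                       /* A: loads the pd pointer */

    int rc_b = fixed ? deactivate_policy_fixed(&cg)     /* B: blkcg_deactivate_policy() */
                     : deactivate_policy_vuln(&cg);

    int rc_a = pd_set_weight(pd, 500);                  /* A: touches the pd */
    unlock(&cg.lock);

    if (rc_b == -EBUSY)                                 /* B was spinning; now it may free */
        rc_b = deactivate_policy_fixed(&cg);
    (void)rc_b;
    return rc_a;
}

int race_vulnerable(void) { return run_race(false); }
int race_fixed(void)      { return run_race(true); }

int main(void)
{
    int v = race_vulnerable(), f = race_fixed();
    printf("unfixed teardown: writer rc=%d (%s)\n", v, v == -EFAULT ? "use-after-free" : "ok");
    printf("fixed teardown:   writer rc=%d (%s)\n", f, f == 0 ? "ok" : "error");
    return 0;
}
```

The point the model makes is the one the fix title makes: a lock only protects an object if every path that can free it takes the same lock. The writer's blkcg->lock was correct; the teardown simply was not under it.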
Potential Impact
For European organizations the practical exposure is narrower than "every Linux host": the race needs BFQ to be the active scheduler on a request queue, and the two sides are a scheduler switch on that queue and a write to the legacy blkio.bfq.weight cgroup file. That combination is found on hosts that select BFQ (a common choice for rotational disks and desktops), and in container platforms that still run the cgroup v1 blkio controller with per-container I/O weights. Exploitation yields kernel memory corruption: a crash (denial of service) is the likely outcome, and privilege escalation is conceivable but undemonstrated. Cloud providers, financial institutions, telecommunications operators and critical-infrastructure operators in Europe are affected in proportion to how many nodes match that configuration and how quickly they can reboot into a fixed kernel; industrial and embedded systems on long-lived 4.x kernels, like the 4.18.0-147 kernel in the trace, are the hardest to patch. No CVSS score is assigned in this record and no public exploit is known, which lowers immediate risk without removing it: the commit message and the trace name the exact paths an attacker would race.
Mitigation Recommendations
To mitigate CVE-2021-47379, European organizations should:
1) Apply the kernel update that carries the upstream fix "blk-cgroup: fix UAF by grabbing blkcg lock before destroying blkg pd". Confirm coverage through your distribution's changelog or advisory for CVE-2021-47379 rather than by version number alone, since vendor kernels backport fixes.
2) Until patched, remove one side of the race. Do not switch I/O schedulers on live queues (via /sys/block/<dev>/queue/scheduler, udev rules or tuning daemons) while workloads run, or select mq-deadline or none instead of bfq where BFQ's fairness is not needed. Avoid delegating cgroup v1 blkio hierarchies with BFQ weight files to untrusted users or containers. The record says nothing about the cgroup v2 io.bfq.weight interface, so do not treat moving to cgroup v2 as a mitigation on its own.
3) Kernel hardening raises the cost of turning a slab use-after-free into code execution: KASLR, CONFIG_SLAB_FREELIST_HARDENED, CONFIG_SLAB_FREELIST_RANDOM and init_on_free=1 all apply. KPTI does not; it addresses Meltdown-class speculation, not memory-safety bugs. Lockdown mode limits what root can do to the kernel but does not prevent the race.
4) Keep the scheduler-switch side root-only: do not loosen sysfs queue-attribute permissions in udev rules, and restrict write access to cgroup blkio files to the processes that need it.
5) Production kernels are not built with KASAN, so do not expect a "BUG: KASAN" line. Watch kernel logs and kdump vmcores for oopses or panics whose frames include bfq_* or blkcg_* functions, and correlate them with scheduler-switch events and cgroup writes.
6) For containerized environments, keep runtimes and orchestration platforms updated and do not expose host sysfs queue attributes writable inside containers.
7) Inventory kernel versions, active I/O schedulers and cgroup controller mounts so the hosts that actually match the vulnerable configuration can be prioritized.
8) Keep patch windows short for kernel updates; the fix needs a reboot, so plan it rather than defer it.
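A host inventory check for the conditions named above, as an added example that is not part of the advisory. It reads the standard files only: /sys/block/<dev>/queue/scheduler, whose active entry is the bracketed token, and /proc/mounts, to see whether a cgroup v1 hierarchy carries the blkio controller. The function and variable names are this example's own; the constructed sample lines in the usage note are not from any real host.

```sh
#!/bin/sh
# Added example: find block queues running BFQ and check for a cgroup v1
# blkio mount, the two preconditions for the racing paths in the KASAN trace.

# Extract the active scheduler from one /sys/block/<dev>/queue/scheduler line.
# The file lists every scheduler with the active one in brackets,
# e.g. "mq-deadline kyber [bfq] none" -> "bfq".
active_scheduler() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([^]]*\)\].*/\1/p'
}

# Print "<dev> <scheduler>" for every block queue that exposes a scheduler file.
list_schedulers() {
    for f in /sys/block/*/queue/scheduler; do
        [ -r "$f" ] || continue
        dev=${f#/sys/block/}
        dev=${dev%%/*}
        printf '%s %s\n' "$dev" "$(active_scheduler "$(cat "$f")")"
    done
}

# Succeed if the /proc/mounts text on stdin has a cgroup (v1) mount whose
# options include the blkio controller. Input is read from stdin so the
# function can be run against constructed lines as well as the live file.
blkio_v1_mounted() {
    grep -Eq '^[^ ]+ [^ ]+ cgroup (.*,)?blkio(,| )'
}

report() {
    echo "kernel: $(uname -r)"
    echo "active I/O schedulers:"
    list_schedulers | sed 's/^/  /'
    if [ -r /proc/mounts ] && blkio_v1_mounted < /proc/mounts; then
        echo "cgroup v1 blkio controller: mounted (legacy bfq.weight files reachable)"
    else
        echo "cgroup v1 blkio controller: not mounted"
    fi
}

report
```

A host is worth prioritizing when the report shows at least one device on bfq and the blkio controller mounted; a host on mq-deadline or none with only cgroup2 mounted cannot reach the racing paths as the trace shows them. Constructed inputs for the helpers: active_scheduler on "mq-deadline kyber [bfq] none" returns bfq, and blkio_v1_mounted accepts "cgroup /sys/fs/cgroup/blkio cgroup rw,relatime,blkio 0 0" but rejects "cgroup2 /sys/fs/cgroup cgroup2 rw 0 0".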
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden, Poland, Belgium, Finland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-05-21T14:58:30.811Z
- CISA Enriched: true
- CVSS Version: null (no score assigned in this record)
- State: PUBLISHED
Threat ID: 682cd0fa1484d88663aebf4e
Added to database: 5/20/2025, 6:59:06 PM
Last enriched: 7/4/2025, 6:40:08 AM
Last updated: 8/14/2025, 8:56:16 AM