CVE-2021-47391: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: RDMA/cma: Ensure rdma_addr_cancel() happens before issuing more requests The FSM can run in a circle allowing rdma_resolve_ip() to be called twice on the same id_priv. While this cannot happen without going through the work, it violates the invariant that the same address resolution background request cannot be active twice. CPU 1 CPU 2 rdma_resolve_addr(): RDMA_CM_IDLE -> RDMA_CM_ADDR_QUERY rdma_resolve_ip(addr_handler) #1 process_one_req(): for #1 addr_handler(): RDMA_CM_ADDR_QUERY -> RDMA_CM_ADDR_BOUND mutex_unlock(&id_priv->handler_mutex); [.. handler still running ..] rdma_resolve_addr(): RDMA_CM_ADDR_BOUND -> RDMA_CM_ADDR_QUERY rdma_resolve_ip(addr_handler) !! two requests are now on the req_list rdma_destroy_id(): destroy_id_handler_unlock(): _destroy_id(): cma_cancel_operation(): rdma_addr_cancel() // process_one_req() self removes it spin_lock_bh(&lock); cancel_delayed_work(&req->work); if (!list_empty(&req->list)) == true ! rdma_addr_cancel() returns after process_on_req #1 is done kfree(id_priv) process_one_req(): for #2 addr_handler(): mutex_lock(&id_priv->handler_mutex); !! Use after free on id_priv rdma_addr_cancel() expects there to be one req on the list and only cancels the first one. The self-removal behavior of the work only happens after the handler has returned. This yields a situations where the req_list can have two reqs for the same "handle" but rdma_addr_cancel() only cancels the first one. The second req remains active beyond rdma_destroy_id() and will use-after-free id_priv once it inevitably triggers. Fix this by remembering if the id_priv has called rdma_resolve_ip() and always cancel before calling it again. This ensures the req_list never gets more than one item in it and doesn't cost anything in the normal flow that never uses this strange error path.
AI Analysis
Technical Summary
CVE-2021-47391 is a use-after-free vulnerability in the Linux kernel's RDMA (Remote Direct Memory Access) connection manager (cma) subsystem. The flaw arises from improper handling of address resolution requests in the RDMA connection manager finite state machine (FSM). Specifically, the vulnerability occurs because the function rdma_resolve_ip() can be called twice on the same id_priv structure without properly canceling the previous request. This leads to two requests being queued simultaneously in the req_list for the same handle. The rdma_addr_cancel() function, which is responsible for canceling outstanding requests, only cancels the first request on the list, leaving the second request active. When the id_priv structure is freed during rdma_destroy_id(), the second request still references this freed memory. Subsequent processing of this second request results in a use-after-free condition, which can cause kernel crashes or potentially allow an attacker to execute arbitrary code in kernel space. The root cause is a violation of the invariant that only one address resolution request should be active per id_priv at any time. The fix involves tracking whether rdma_resolve_ip() has been called and ensuring that any existing request is canceled before issuing a new one, preventing multiple concurrent requests and eliminating the use-after-free scenario. This vulnerability affects Linux kernel versions containing the specified commit e51060f08a61965c4dd91516d82fe90617152590 and likely other versions with similar RDMA CMA implementations. No known exploits are reported in the wild as of the publication date.
Potential Impact
For European organizations, this vulnerability poses a significant risk primarily to systems that utilize RDMA technology, which is common in high-performance computing, data centers, and enterprise storage networks. Exploitation could lead to kernel crashes (denial of service) or potentially privilege escalation if an attacker can trigger the use-after-free condition to execute arbitrary code in kernel space. This could compromise the confidentiality, integrity, and availability of critical systems. Given that Linux is widely used across European industries, including finance, telecommunications, research institutions, and government infrastructure, the impact could be broad if vulnerable kernels are deployed in environments where RDMA is enabled. The vulnerability is particularly concerning in environments where RDMA is used for low-latency, high-throughput networking, such as in HPC clusters or cloud providers offering RDMA-enabled services. Disruption or compromise of these systems could affect data processing, storage integrity, and service availability, with cascading effects on business operations and critical infrastructure.
Mitigation Recommendations
European organizations should take the following specific actions: 1) Identify all Linux systems running kernels with RDMA CMA support and verify if they include the vulnerable commit or similar code paths. 2) Apply the official Linux kernel patches that address CVE-2021-47391 as soon as they become available from trusted sources or Linux distributions. 3) If immediate patching is not possible, consider disabling RDMA functionality temporarily on affected systems to mitigate risk, especially on systems exposed to untrusted users or networks. 4) Implement strict access controls and monitoring on systems using RDMA to detect anomalous behavior that could indicate exploitation attempts. 5) Conduct thorough testing of patched kernels in staging environments to ensure stability and compatibility with existing RDMA workloads before deployment. 6) Maintain up-to-date inventory and configuration management to track RDMA usage and kernel versions across the enterprise. 7) Engage with Linux distribution vendors and security advisories to receive timely updates and guidance. 8) Educate system administrators and security teams about the specific nature of this vulnerability to improve detection and response capabilities.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland, Belgium
CVE-2021-47391: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: RDMA/cma: Ensure rdma_addr_cancel() happens before issuing more requests The FSM can run in a circle allowing rdma_resolve_ip() to be called twice on the same id_priv. While this cannot happen without going through the work, it violates the invariant that the same address resolution background request cannot be active twice. CPU 1 CPU 2 rdma_resolve_addr(): RDMA_CM_IDLE -> RDMA_CM_ADDR_QUERY rdma_resolve_ip(addr_handler) #1 process_one_req(): for #1 addr_handler(): RDMA_CM_ADDR_QUERY -> RDMA_CM_ADDR_BOUND mutex_unlock(&id_priv->handler_mutex); [.. handler still running ..] rdma_resolve_addr(): RDMA_CM_ADDR_BOUND -> RDMA_CM_ADDR_QUERY rdma_resolve_ip(addr_handler) !! two requests are now on the req_list rdma_destroy_id(): destroy_id_handler_unlock(): _destroy_id(): cma_cancel_operation(): rdma_addr_cancel() // process_one_req() self removes it spin_lock_bh(&lock); cancel_delayed_work(&req->work); if (!list_empty(&req->list)) == true ! rdma_addr_cancel() returns after process_on_req #1 is done kfree(id_priv) process_one_req(): for #2 addr_handler(): mutex_lock(&id_priv->handler_mutex); !! Use after free on id_priv rdma_addr_cancel() expects there to be one req on the list and only cancels the first one. The self-removal behavior of the work only happens after the handler has returned. This yields a situations where the req_list can have two reqs for the same "handle" but rdma_addr_cancel() only cancels the first one. The second req remains active beyond rdma_destroy_id() and will use-after-free id_priv once it inevitably triggers. Fix this by remembering if the id_priv has called rdma_resolve_ip() and always cancel before calling it again. This ensures the req_list never gets more than one item in it and doesn't cost anything in the normal flow that never uses this strange error path.
AI-Powered Analysis
Technical Analysis
CVE-2021-47391 is a use-after-free vulnerability in the Linux kernel's RDMA (Remote Direct Memory Access) connection manager (cma) subsystem. The flaw arises from improper handling of address resolution requests in the RDMA connection manager finite state machine (FSM). Specifically, the vulnerability occurs because the function rdma_resolve_ip() can be called twice on the same id_priv structure without properly canceling the previous request. This leads to two requests being queued simultaneously in the req_list for the same handle. The rdma_addr_cancel() function, which is responsible for canceling outstanding requests, only cancels the first request on the list, leaving the second request active. When the id_priv structure is freed during rdma_destroy_id(), the second request still references this freed memory. Subsequent processing of this second request results in a use-after-free condition, which can cause kernel crashes or potentially allow an attacker to execute arbitrary code in kernel space. The root cause is a violation of the invariant that only one address resolution request should be active per id_priv at any time. The fix involves tracking whether rdma_resolve_ip() has been called and ensuring that any existing request is canceled before issuing a new one, preventing multiple concurrent requests and eliminating the use-after-free scenario. This vulnerability affects Linux kernel versions containing the specified commit e51060f08a61965c4dd91516d82fe90617152590 and likely other versions with similar RDMA CMA implementations. No known exploits are reported in the wild as of the publication date.
Potential Impact
For European organizations, this vulnerability poses a significant risk primarily to systems that utilize RDMA technology, which is common in high-performance computing, data centers, and enterprise storage networks. Exploitation could lead to kernel crashes (denial of service) or potentially privilege escalation if an attacker can trigger the use-after-free condition to execute arbitrary code in kernel space. This could compromise the confidentiality, integrity, and availability of critical systems. Given that Linux is widely used across European industries, including finance, telecommunications, research institutions, and government infrastructure, the impact could be broad if vulnerable kernels are deployed in environments where RDMA is enabled. The vulnerability is particularly concerning in environments where RDMA is used for low-latency, high-throughput networking, such as in HPC clusters or cloud providers offering RDMA-enabled services. Disruption or compromise of these systems could affect data processing, storage integrity, and service availability, with cascading effects on business operations and critical infrastructure.
Mitigation Recommendations
European organizations should take the following specific actions: 1) Identify all Linux systems running kernels with RDMA CMA support and verify if they include the vulnerable commit or similar code paths. 2) Apply the official Linux kernel patches that address CVE-2021-47391 as soon as they become available from trusted sources or Linux distributions. 3) If immediate patching is not possible, consider disabling RDMA functionality temporarily on affected systems to mitigate risk, especially on systems exposed to untrusted users or networks. 4) Implement strict access controls and monitoring on systems using RDMA to detect anomalous behavior that could indicate exploitation attempts. 5) Conduct thorough testing of patched kernels in staging environments to ensure stability and compatibility with existing RDMA workloads before deployment. 6) Maintain up-to-date inventory and configuration management to track RDMA usage and kernel versions across the enterprise. 7) Engage with Linux distribution vendors and security advisories to receive timely updates and guidance. 8) Educate system administrators and security teams about the specific nature of this vulnerability to improve detection and response capabilities.
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2024-05-21T14:58:30.813Z
- Cisa Enriched
- true
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 682d9833c4522896dcbe8fb0
Added to database: 5/21/2025, 9:09:07 AM
Last enriched: 6/30/2025, 12:24:31 PM
Last updated: 8/13/2025, 3:08:24 PM
Views: 14
Related Threats
CVE-2025-8293: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Theerawat Patthawee Intl DateTime Calendar
MediumCVE-2025-7686: CWE-352 Cross-Site Request Forgery (CSRF) in lmyoaoa weichuncai(WP伪春菜)
MediumCVE-2025-7684: CWE-352 Cross-Site Request Forgery (CSRF) in remysharp Last.fm Recent Album Artwork
MediumCVE-2025-7683: CWE-352 Cross-Site Request Forgery (CSRF) in janyksteenbeek LatestCheckins
MediumCVE-2025-7668: CWE-352 Cross-Site Request Forgery (CSRF) in timothyja Linux Promotional Plugin
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.