CVE-2021-47393: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: hwmon: (mlxreg-fan) Return non-zero value when fan current state is enforced from sysfs Fan speed minimum can be enforced from sysfs. For example, setting current fan speed to 20 is used to enforce fan speed to be at 100% speed, 19 - to be not below 90% speed, etcetera. This feature provides ability to limit fan speed according to some system wise considerations, like absence of some replaceable units or high system ambient temperature. Request for changing fan minimum speed is configuration request and can be set only through 'sysfs' write procedure. In this situation value of argument 'state' is above nominal fan speed maximum. Return non-zero code in this case to avoid thermal_cooling_device_stats_update() call, because in this case statistics update violates thermal statistics table range. The issues is observed in case kernel is configured with option CONFIG_THERMAL_STATISTICS. Here is the trace from KASAN: [ 159.506659] BUG: KASAN: slab-out-of-bounds in thermal_cooling_device_stats_update+0x7d/0xb0 [ 159.516016] Read of size 4 at addr ffff888116163840 by task hw-management.s/7444 [ 159.545625] Call Trace: [ 159.548366] dump_stack+0x92/0xc1 [ 159.552084] ? thermal_cooling_device_stats_update+0x7d/0xb0 [ 159.635869] thermal_zone_device_update+0x345/0x780 [ 159.688711] thermal_zone_device_set_mode+0x7d/0xc0 [ 159.694174] mlxsw_thermal_modules_init+0x48f/0x590 [mlxsw_core] [ 159.700972] ? mlxsw_thermal_set_cur_state+0x5a0/0x5a0 [mlxsw_core] [ 159.731827] mlxsw_thermal_init+0x763/0x880 [mlxsw_core] [ 160.070233] RIP: 0033:0x7fd995909970 [ 160.074239] Code: 73 01 c3 48 8b 0d 28 d5 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d 99 2d 2c 00 00 75 10 b8 01 00 00 00 0f 05 <48> 3d 01 f0 ff .. [ 160.095242] RSP: 002b:00007fff54f5d938 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 [ 160.103722] RAX: ffffffffffffffda RBX: 0000000000000013 RCX: 00007fd995909970 [ 160.111710] RDX: 0000000000000013 RSI: 0000000001906008 RDI: 0000000000000001 [ 160.119699] RBP: 0000000001906008 R08: 00007fd995bc9760 R09: 00007fd996210700 [ 160.127687] R10: 0000000000000073 R11: 0000000000000246 R12: 0000000000000013 [ 160.135673] R13: 0000000000000001 R14: 00007fd995bc8600 R15: 0000000000000013 [ 160.143671] [ 160.145338] Allocated by task 2924: [ 160.149242] kasan_save_stack+0x19/0x40 [ 160.153541] __kasan_kmalloc+0x7f/0xa0 [ 160.157743] __kmalloc+0x1a2/0x2b0 [ 160.161552] thermal_cooling_device_setup_sysfs+0xf9/0x1a0 [ 160.167687] __thermal_cooling_device_register+0x1b5/0x500 [ 160.173833] devm_thermal_of_cooling_device_register+0x60/0xa0 [ 160.180356] mlxreg_fan_probe+0x474/0x5e0 [mlxreg_fan] [ 160.248140] [ 160.249807] The buggy address belongs to the object at ffff888116163400 [ 160.249807] which belongs to the cache kmalloc-1k of size 1024 [ 160.263814] The buggy address is located 64 bytes to the right of [ 160.263814] 1024-byte region [ffff888116163400, ffff888116163800) [ 160.277536] The buggy address belongs to the page: [ 160.282898] page:0000000012275840 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888116167000 pfn:0x116160 [ 160.294872] head:0000000012275840 order:3 compound_mapcount:0 compound_pincount:0 [ 160.303251] flags: 0x200000000010200(slab|head|node=0|zone=2) [ 160.309694] raw: 0200000000010200 ffffea00046f7208 ffffea0004928208 ffff88810004dbc0 [ 160.318367] raw: ffff888116167000 00000000000a0006 00000001ffffffff 0000000000000000 [ 160.327033] page dumped because: kasan: bad access detected [ 160.333270] [ 160.334937] Memory state around the buggy address: [ 160.356469] >ffff888116163800: fc ..
AI Analysis
Technical Summary
CVE-2021-47393 is a vulnerability identified in the Linux kernel's hardware monitoring subsystem, specifically within the mlxreg-fan driver module. The issue arises from improper handling of fan speed enforcement via sysfs interface, where the minimum fan speed can be set to values that exceed the nominal maximum speed. This configuration request is intended to allow system administrators or automated processes to enforce fan speeds based on system conditions such as the absence of replaceable units or elevated ambient temperatures. However, when the kernel is compiled with the CONFIG_THERMAL_STATISTICS option enabled, attempts to set the fan speed above the nominal maximum lead to an out-of-bounds memory access during the update of thermal cooling device statistics. The kernel's thermal_cooling_device_stats_update() function does not properly validate the state argument, resulting in a slab-out-of-bounds error detected by Kernel Address Sanitizer (KASAN). This memory corruption can cause kernel crashes (BUG reports) and potentially lead to denial of service or other unpredictable kernel behavior. The vulnerability is triggered by writing to the sysfs interface, which requires appropriate permissions, thus limiting exploitation to local users or processes with elevated privileges. The issue is rooted in the mlxreg-fan driver's failure to return a non-zero error code when the requested fan speed state exceeds the maximum, which would otherwise prevent the invalid statistics update. The detailed kernel stack trace and memory dump confirm the out-of-bounds access and the specific conditions under which the bug manifests. No known exploits are reported in the wild, and no CVSS score has been assigned yet. The vulnerability affects Linux kernel versions identified by the commit hash 65afb4c8e7e4e7e74b28efa1df62da503ca3e7a6 and potentially other versions with similar configurations.
Potential Impact
For European organizations, this vulnerability poses a risk primarily to systems running Linux kernels with the mlxreg-fan driver and CONFIG_THERMAL_STATISTICS enabled, which are common in enterprise-grade servers, network equipment, and industrial control systems. Exploitation could lead to kernel crashes, causing denial of service conditions that disrupt critical services and operations. In environments where uptime and reliability are paramount, such as financial institutions, healthcare providers, and manufacturing plants, unexpected system reboots or failures could have significant operational and financial consequences. Although remote exploitation is unlikely due to the need for local write access to sysfs, insider threats or compromised local accounts could leverage this vulnerability to destabilize systems. Additionally, the vulnerability could be used as part of a multi-stage attack to escalate privileges or bypass security controls if combined with other kernel vulnerabilities. The lack of known exploits reduces immediate risk, but the presence of detailed technical information and kernel traces increases the likelihood of future exploit development. Organizations relying on Linux-based infrastructure should assess their exposure, especially those using hardware monitored by mlxreg-fan and thermal statistics features.
Mitigation Recommendations
To mitigate this vulnerability, European organizations should: 1) Apply the latest Linux kernel patches that address CVE-2021-47393 as soon as they become available from their distribution vendors or kernel maintainers. 2) Temporarily disable the CONFIG_THERMAL_STATISTICS kernel option if feasible, to prevent the vulnerable code path from being executed. 3) Restrict access to the sysfs interface controlling fan speeds (typically under /sys/class/hwmon or /sys/devices) to trusted administrators only, enforcing strict permission controls and auditing access attempts. 4) Monitor system logs for kernel BUG messages or KASAN reports indicating attempts to exploit this vulnerability. 5) Implement host-based intrusion detection systems (HIDS) to detect anomalous writes to thermal control sysfs entries. 6) For critical systems, consider isolating or sandboxing processes that require fan speed adjustments to minimize risk. 7) Engage with hardware vendors to confirm if their devices use mlxreg-fan and request firmware or driver updates if necessary. 8) Maintain a robust patch management and vulnerability scanning program to quickly identify and remediate affected systems.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain
CVE-2021-47393: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: hwmon: (mlxreg-fan) Return non-zero value when fan current state is enforced from sysfs Fan speed minimum can be enforced from sysfs. For example, setting current fan speed to 20 is used to enforce fan speed to be at 100% speed, 19 - to be not below 90% speed, etcetera. This feature provides ability to limit fan speed according to some system wise considerations, like absence of some replaceable units or high system ambient temperature. Request for changing fan minimum speed is configuration request and can be set only through 'sysfs' write procedure. In this situation value of argument 'state' is above nominal fan speed maximum. Return non-zero code in this case to avoid thermal_cooling_device_stats_update() call, because in this case statistics update violates thermal statistics table range. The issues is observed in case kernel is configured with option CONFIG_THERMAL_STATISTICS. Here is the trace from KASAN: [ 159.506659] BUG: KASAN: slab-out-of-bounds in thermal_cooling_device_stats_update+0x7d/0xb0 [ 159.516016] Read of size 4 at addr ffff888116163840 by task hw-management.s/7444 [ 159.545625] Call Trace: [ 159.548366] dump_stack+0x92/0xc1 [ 159.552084] ? thermal_cooling_device_stats_update+0x7d/0xb0 [ 159.635869] thermal_zone_device_update+0x345/0x780 [ 159.688711] thermal_zone_device_set_mode+0x7d/0xc0 [ 159.694174] mlxsw_thermal_modules_init+0x48f/0x590 [mlxsw_core] [ 159.700972] ? mlxsw_thermal_set_cur_state+0x5a0/0x5a0 [mlxsw_core] [ 159.731827] mlxsw_thermal_init+0x763/0x880 [mlxsw_core] [ 160.070233] RIP: 0033:0x7fd995909970 [ 160.074239] Code: 73 01 c3 48 8b 0d 28 d5 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d 99 2d 2c 00 00 75 10 b8 01 00 00 00 0f 05 <48> 3d 01 f0 ff .. [ 160.095242] RSP: 002b:00007fff54f5d938 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 [ 160.103722] RAX: ffffffffffffffda RBX: 0000000000000013 RCX: 00007fd995909970 [ 160.111710] RDX: 0000000000000013 RSI: 0000000001906008 RDI: 0000000000000001 [ 160.119699] RBP: 0000000001906008 R08: 00007fd995bc9760 R09: 00007fd996210700 [ 160.127687] R10: 0000000000000073 R11: 0000000000000246 R12: 0000000000000013 [ 160.135673] R13: 0000000000000001 R14: 00007fd995bc8600 R15: 0000000000000013 [ 160.143671] [ 160.145338] Allocated by task 2924: [ 160.149242] kasan_save_stack+0x19/0x40 [ 160.153541] __kasan_kmalloc+0x7f/0xa0 [ 160.157743] __kmalloc+0x1a2/0x2b0 [ 160.161552] thermal_cooling_device_setup_sysfs+0xf9/0x1a0 [ 160.167687] __thermal_cooling_device_register+0x1b5/0x500 [ 160.173833] devm_thermal_of_cooling_device_register+0x60/0xa0 [ 160.180356] mlxreg_fan_probe+0x474/0x5e0 [mlxreg_fan] [ 160.248140] [ 160.249807] The buggy address belongs to the object at ffff888116163400 [ 160.249807] which belongs to the cache kmalloc-1k of size 1024 [ 160.263814] The buggy address is located 64 bytes to the right of [ 160.263814] 1024-byte region [ffff888116163400, ffff888116163800) [ 160.277536] The buggy address belongs to the page: [ 160.282898] page:0000000012275840 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888116167000 pfn:0x116160 [ 160.294872] head:0000000012275840 order:3 compound_mapcount:0 compound_pincount:0 [ 160.303251] flags: 0x200000000010200(slab|head|node=0|zone=2) [ 160.309694] raw: 0200000000010200 ffffea00046f7208 ffffea0004928208 ffff88810004dbc0 [ 160.318367] raw: ffff888116167000 00000000000a0006 00000001ffffffff 0000000000000000 [ 160.327033] page dumped because: kasan: bad access detected [ 160.333270] [ 160.334937] Memory state around the buggy address: [ 160.356469] >ffff888116163800: fc ..
AI-Powered Analysis
Technical Analysis
CVE-2021-47393 is a vulnerability identified in the Linux kernel's hardware monitoring subsystem, specifically within the mlxreg-fan driver module. The issue arises from improper handling of fan speed enforcement via sysfs interface, where the minimum fan speed can be set to values that exceed the nominal maximum speed. This configuration request is intended to allow system administrators or automated processes to enforce fan speeds based on system conditions such as the absence of replaceable units or elevated ambient temperatures. However, when the kernel is compiled with the CONFIG_THERMAL_STATISTICS option enabled, attempts to set the fan speed above the nominal maximum lead to an out-of-bounds memory access during the update of thermal cooling device statistics. The kernel's thermal_cooling_device_stats_update() function does not properly validate the state argument, resulting in a slab-out-of-bounds error detected by Kernel Address Sanitizer (KASAN). This memory corruption can cause kernel crashes (BUG reports) and potentially lead to denial of service or other unpredictable kernel behavior. The vulnerability is triggered by writing to the sysfs interface, which requires appropriate permissions, thus limiting exploitation to local users or processes with elevated privileges. The issue is rooted in the mlxreg-fan driver's failure to return a non-zero error code when the requested fan speed state exceeds the maximum, which would otherwise prevent the invalid statistics update. The detailed kernel stack trace and memory dump confirm the out-of-bounds access and the specific conditions under which the bug manifests. No known exploits are reported in the wild, and no CVSS score has been assigned yet. The vulnerability affects Linux kernel versions identified by the commit hash 65afb4c8e7e4e7e74b28efa1df62da503ca3e7a6 and potentially other versions with similar configurations.
Potential Impact
For European organizations, this vulnerability poses a risk primarily to systems running Linux kernels with the mlxreg-fan driver and CONFIG_THERMAL_STATISTICS enabled, which are common in enterprise-grade servers, network equipment, and industrial control systems. Exploitation could lead to kernel crashes, causing denial of service conditions that disrupt critical services and operations. In environments where uptime and reliability are paramount, such as financial institutions, healthcare providers, and manufacturing plants, unexpected system reboots or failures could have significant operational and financial consequences. Although remote exploitation is unlikely due to the need for local write access to sysfs, insider threats or compromised local accounts could leverage this vulnerability to destabilize systems. Additionally, the vulnerability could be used as part of a multi-stage attack to escalate privileges or bypass security controls if combined with other kernel vulnerabilities. The lack of known exploits reduces immediate risk, but the presence of detailed technical information and kernel traces increases the likelihood of future exploit development. Organizations relying on Linux-based infrastructure should assess their exposure, especially those using hardware monitored by mlxreg-fan and thermal statistics features.
Mitigation Recommendations
To mitigate this vulnerability, European organizations should: 1) Apply the latest Linux kernel patches that address CVE-2021-47393 as soon as they become available from their distribution vendors or kernel maintainers. 2) Temporarily disable the CONFIG_THERMAL_STATISTICS kernel option if feasible, to prevent the vulnerable code path from being executed. 3) Restrict access to the sysfs interface controlling fan speeds (typically under /sys/class/hwmon or /sys/devices) to trusted administrators only, enforcing strict permission controls and auditing access attempts. 4) Monitor system logs for kernel BUG messages or KASAN reports indicating attempts to exploit this vulnerability. 5) Implement host-based intrusion detection systems (HIDS) to detect anomalous writes to thermal control sysfs entries. 6) For critical systems, consider isolating or sandboxing processes that require fan speed adjustments to minimize risk. 7) Engage with hardware vendors to confirm if their devices use mlxreg-fan and request firmware or driver updates if necessary. 8) Maintain a robust patch management and vulnerability scanning program to quickly identify and remediate affected systems.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2024-05-21T14:58:30.814Z
- Cisa Enriched
- true
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 682d9833c4522896dcbe8fb8
Added to database: 5/21/2025, 9:09:07 AM
Last enriched: 6/30/2025, 12:24:54 PM
Last updated: 8/8/2025, 4:16:36 AM
Views: 9
Related Threats
CVE-2025-53948: CWE-415 Double Free in Santesoft Sante PACS Server
HighCVE-2025-52584: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt
HighCVE-2025-46269: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt
HighCVE-2025-54862: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server
MediumCVE-2025-54759: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.