
CVE-2021-47425: Vulnerability in Linux (Linux kernel)

Severity rating: Medium
Published: Tue May 21 2024 (05/21/2024, 15:04:11 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

i2c: acpi: fix resource leak in reconfiguration device addition

acpi_i2c_find_adapter_by_handle() calls bus_find_device(), which takes a reference on the adapter that is never released, which will result in a reference count leak and render the adapter unremovable. Make sure to put the adapter after creating the client in the same manner that we do for OF.

[wsa: fixed title]

AI-Powered Analysis

Last updated: 06/30/2025, 12:42:53 UTC

Technical Analysis

CVE-2021-47425 is a vulnerability identified in the Linux kernel's ACPI I2C subsystem. The issue arises in the function acpi_i2c_find_adapter_by_handle(), which internally calls bus_find_device(). This function increments the reference count on the I2C adapter but fails to release it properly, resulting in a reference count leak. The consequence of this leak is that the adapter becomes unremovable, potentially leading to resource exhaustion or system instability over time. The vulnerability is specifically related to the handling of device reconfiguration and addition within the ACPI I2C driver. The fix involves ensuring that the adapter's reference count is decremented appropriately after creating the client, mirroring the approach used in the Open Firmware (OF) implementation. This vulnerability does not appear to have any known exploits in the wild as of the publication date. It affects Linux kernel versions identified by the commit hash 525e6fabeae286848592363bda13bc34b59bb5ac and likely other versions containing the same code pattern. The vulnerability primarily impacts system stability and resource management rather than direct confidentiality or integrity of data.
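As an added illustration of the reference-count pattern described above (this is not the kernel's code and not part of the advisory), the following C model stands in find_adapter_by_handle() for bus_find_device(), which hands back its match with a reference already taken; the leaky and fixed reconfiguration paths differ only by the missing put. All names, the two adapters and their handles are constructed stand-ins.

```c
/* Added example, not kernel code: a model of the refcount pattern behind
 * CVE-2021-47425. bus_find_device() returns its match with a reference
 * taken (get_device()); the caller must drop it with put_device(). The ACPI
 * I2C reconfiguration path never did. All names are simplified stand-ins. */
#include <string.h>

struct adapter {
    const char *handle;   /* stand-in for the ACPI handle */
    int refcount;         /* stand-in for the device's kobject refcount */
};
/* Constructed "bus": two registered adapters, each held once. */
static struct adapter bus[] = { { "I2C0", 1 }, { "I2C1", 1 } };
#define NADAPTERS (sizeof(bus) / sizeof(bus[0]))

/* Like bus_find_device(): the match is returned with a reference taken. */
static struct adapter *find_adapter_by_handle(const char *handle)
{
    for (size_t i = 0; i < NADAPTERS; i++) {
        if (strcmp(bus[i].handle, handle) == 0) {
            bus[i].refcount++;             /* get_device() */
            return &bus[i];
        }
    }
    return NULL;
}
static void put_adapter(struct adapter *adap) { adap->refcount--; } /* put_device() */
/* Stand-in for creating the I2C client on the adapter. */
static int new_client_device(struct adapter *adap) { return adap ? 0 : -1; }

/* Before the fix: the lookup's reference is never dropped. */
int add_device_leaky(const char *handle)
{
    struct adapter *adap = find_adapter_by_handle(handle);
    if (!adap)
        return -1;
    return new_client_device(adap);        /* reference leaks here */
}

/* After the fix: drop the lookup reference once the client is created,
 * as the OF (device tree) path already did. */
int add_device_fixed(const char *handle)
{
    struct adapter *adap = find_adapter_by_handle(handle);
    if (!adap)
        return -1;
    int ret = new_client_device(adap);
    put_adapter(adap);
    return ret;
}
```

Each reconfiguration through the leaky path leaves the adapter's count one higher than before, which is why it can never be released; the fixed path returns it to its baseline.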

Potential Impact

For European organizations, the impact of CVE-2021-47425 is primarily related to system reliability and availability. Systems running vulnerable Linux kernel versions with ACPI I2C support may experience resource leaks that could degrade performance or cause device removal failures. This can be particularly problematic in environments with frequent hardware reconfiguration or dynamic device management, such as data centers, cloud infrastructure, and embedded systems. While this vulnerability does not directly expose sensitive data or allow privilege escalation, prolonged exploitation could lead to denial of service conditions or increased maintenance overhead. Organizations relying on Linux-based servers, IoT devices, or industrial control systems that utilize ACPI and I2C interfaces should be aware of potential stability issues. The absence of known exploits reduces immediate risk, but the vulnerability should be addressed proactively to prevent future exploitation or operational disruptions.

Mitigation Recommendations

To mitigate CVE-2021-47425, European organizations should:

1) Identify and inventory Linux systems running kernel versions containing the vulnerable code, focusing on those using ACPI I2C drivers.
2) Apply the official Linux kernel patches or updates that fix the reference count leak as soon as they become available from trusted sources or Linux distributions.
3) For environments where immediate patching is not feasible, monitor system logs and device states for signs of adapter removal failures or resource leaks.
4) Implement system resource monitoring to detect abnormal reference count increases or device management anomalies.
5) Engage with Linux distribution vendors to ensure timely updates and backports for long-term support kernels.
6) For embedded or specialized devices, coordinate with hardware vendors to obtain firmware or kernel updates addressing this issue.
7) Incorporate this vulnerability into vulnerability management and patching workflows to ensure ongoing compliance and risk reduction.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-05-21T14:58:30.827Z
CISA Enriched: true
CVSS Version: null
State: PUBLISHED

Threat ID: 682d9833c4522896dcbe90ee

Added to database: 5/21/2025, 9:09:07 AM

Last enriched: 6/30/2025, 12:42:53 PM

Last updated: 8/12/2025, 3:02:31 AM
