
CVE-2021-47437: Vulnerability in Linux

Medium
Published: Wed May 22 2024 (05/22/2024, 06:19:32 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

iio: adis16475: fix deadlock on frequency set

With commit 39c024b51b560 ("iio: adis16475: improve sync scale mode handling"), two deadlocks were introduced:

1) The call to 'adis_write_reg_16()' was not changed to its unlocked version.

2) The lock was not being released on the success path of the function.

This change fixes both these issues.

AI-Powered Analysis

Last updated: 06/30/2025, 12:57:58 UTC

Technical Analysis

CVE-2021-47437 is a vulnerability in the Linux kernel's Industrial I/O (IIO) subsystem, specifically in the driver for the ADIS16475 inertial measurement unit (IMU). The vulnerability is a deadlock introduced by commit 39c024b51b560, which aimed to improve sync and scale mode handling. Two defects cause the deadlock. First, the call to 'adis_write_reg_16()' was not changed to its unlocked variant; the locked variant takes the driver's lock itself, so calling it from a path that already holds that lock blocks forever on a lock that can never be released. Second, the lock was not released on the successful path of the frequency-set function, so the next operation that needs the lock hangs waiting for it. Deadlocks in kernel drivers cause system hangs or freezes and therefore affect availability. The issue affects Linux kernel versions that contain the offending commit and was resolved by switching to the unlocked version of the register-write function and releasing the lock after successful operations. There are no known exploits in the wild at the time of publication, and no CVSS score has been assigned yet. The issue is specific to the ADIS16475 driver within the Linux kernel, which is used in systems that integrate this sensor for industrial or embedded applications.
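The two locking mistakes described above, modelled in user-space C as an added illustration (this is not the driver's code): the lock, register and function shapes are constructed, simplified stand-ins for the real ADIS driver, and a non-recursive lock that reports re-entry as -EDEADLK stands in for a kernel mutex, which would simply hang.

```c
#include <errno.h>
/* Constructed model, not the driver's code: a non-recursive lock stands in
 * for the driver's state_lock mutex. A real kernel mutex hangs on re-entry;
 * this model returns -EDEADLK instead so the bug can be observed. */
struct state_lock { int held; };
static int lock_acquire(struct state_lock *l)
{
    if (l->held) return -EDEADLK;   /* re-entered on the same call path */
    l->held = 1;
    return 0;
}
static void lock_release(struct state_lock *l) { l->held = 0; }
struct adis { struct state_lock state_lock; unsigned dec_rate; };

/* Kernel "__" convention: the caller must already hold state_lock. */
static int __adis_write_reg_16(struct adis *a, unsigned v) { a->dec_rate = v; return 0; }
/* Locking variant: takes state_lock itself, so it must not run under the lock. */
static int adis_write_reg_16(struct adis *a, unsigned v)
{
    int ret = lock_acquire(&a->state_lock);
    if (ret) return ret;
    ret = __adis_write_reg_16(a, v);
    lock_release(&a->state_lock);
    return ret;
}

/* Shape of the buggy path: (1) the locking helper is called under the lock,
 * (2) the success path returns without unlocking. (1) fires first here. */
static int set_freq_buggy(struct adis *a, unsigned dec)
{
    int ret = lock_acquire(&a->state_lock);
    if (ret) return ret;
    ret = adis_write_reg_16(a, dec);    /* bug 1: re-locks state_lock */
    if (ret)
        goto error;
    return 0;                           /* bug 2: lock leaked on success */
error:
    lock_release(&a->state_lock);
    return ret;
}

/* Fixed shape: unlocked helper, and one release covering every path. */
static int set_freq_fixed(struct adis *a, unsigned dec)
{
    int ret = lock_acquire(&a->state_lock);
    if (ret) return ret;
    ret = __adis_write_reg_16(a, dec);
    lock_release(&a->state_lock);
    return ret;
}
```

In the fixed shape the lock is held only around the unlocked write and released before returning, so a second frequency change (or any other locked operation) can proceed.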

Potential Impact

For European organizations, the primary impact of this vulnerability is on system availability and stability, particularly for those using Linux-based systems with the ADIS16475 sensor or similar embedded devices relying on this driver. Industrial control systems, manufacturing equipment, robotics, and specialized embedded devices in sectors such as automotive, aerospace, and manufacturing could be affected if they use this sensor and run vulnerable Linux kernel versions. A deadlock causing system hangs can lead to operational downtime, loss of productivity, and potential safety risks in critical environments. Although there is no evidence of exploitation in the wild, the presence of this vulnerability in kernel code means that if exploited, it could disrupt critical infrastructure or industrial processes. The confidentiality and integrity impacts are minimal since the vulnerability relates to locking and synchronization rather than data leakage or privilege escalation. However, availability degradation in industrial or embedded systems can have significant operational and financial consequences.

Mitigation Recommendations

Organizations should prioritize updating their Linux kernel to a version that includes the fix for CVE-2021-47437. This involves applying the patch that replaces 'adis_write_reg_16()' with its unlocked version and ensures proper lock release. For embedded and industrial systems, vendors should verify that their kernel builds incorporate this fix and perform regression testing to confirm system stability. Additionally, organizations should audit their systems to identify any deployments using the ADIS16475 sensor or related drivers. Where immediate patching is not feasible, implementing monitoring for system hangs or deadlocks and establishing rapid reboot or failover procedures can help mitigate operational impact. It is also advisable to maintain strict control over kernel updates and ensure that any custom kernel builds are reviewed for this fix. Finally, organizations should engage with their hardware and software vendors to confirm timelines for patch availability and coordinate updates accordingly.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-05-21T14:58:30.831Z
Cisa Enriched: true
Cvss Version: null
State: PUBLISHED

Threat ID: 682d9833c4522896dcbe912e

Added to database: 5/21/2025, 9:09:07 AM

Last enriched: 6/30/2025, 12:57:58 PM

Last updated: 8/16/2025, 1:44:19 AM
