
CVE-2021-47477: Vulnerability in Linux Linux

Medium
Published: Wed May 22 2024 (05/22/2024, 08:19:30 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

comedi: dt9812: fix DMA buffers on stack

USB transfer buffers are typically mapped for DMA and must not be allocated on the stack or transfers will fail. Allocate proper transfer buffers in the various command helpers and return an error on short transfers instead of acting on random stack data. Note that this also fixes a stack info leak on systems where DMA is not used as 32 bytes are always sent to the device regardless of how short the command is.

AI-Powered Analysis

Last updated: 06/30/2025, 13:29:07 UTC

Technical Analysis

CVE-2021-47477 is a medium severity vulnerability identified in the Linux kernel's comedi driver, specifically related to the dt9812 device. The issue arises from improper handling of USB transfer buffers, which were previously allocated on the stack rather than in proper DMA-capable memory regions. USB transfers require buffers to be mapped for Direct Memory Access (DMA), and stack allocation is inappropriate because it can cause transfer failures. The vulnerability manifests in two main ways: first, USB transfers may fail due to the incorrect buffer allocation; second, there is a potential information leak where stack data could be exposed on systems that do not use DMA, as 32 bytes are always sent to the device regardless of the actual command length. The fix involves allocating proper DMA buffers in the command helper functions and returning an error on short transfers instead of processing potentially random stack data. This correction eliminates both the transfer failure and the stack information leak. The vulnerability does not require any privileges or user interaction to exploit and can be triggered remotely over the network (AV:N/AC:L/PR:N/UI:N), but it only impacts availability (A:L) without affecting confidentiality or integrity. No known exploits are currently in the wild, and the vulnerability was published on May 22, 2024. The CVSS v3.1 base score is 5.3, indicating medium severity.
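
The buffer pattern described above, modelled in user-space C as an added example (it is not the kernel driver's code): a fixed 32-byte command frame built on the stack carries stale bytes to the device, while a zeroed heap buffer with a short-transfer check does not. `mock_bulk`, `send_cmd_leaky`, `xfer_fixed`, `stale_on_wire` and the `0xAA` marker are hypothetical names and constructed values; in a driver the allocation would come from the kernel allocator rather than `calloc`.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

#define CMD_SIZE 32 /* per the description: 32 bytes always go to the device */
#define STALE 0xAA  /* constructed marker standing in for leftover stack data */
static unsigned char wire[CMD_SIZE]; /* bytes the mock device received */
static int short_by;                 /* mock knob: bytes a transfer falls short */

/* Hypothetical user-space stand-in for a USB bulk transfer. */
static int mock_bulk(void *buf, int len, int *actual, int to_device)
{
    *actual = len - short_by;
    if (to_device) memcpy(wire, buf, (size_t)*actual);
    else memset(buf, 0x5A, (size_t)*actual); /* constructed device reply */
    return 0;
}

int stale_on_wire(void) /* how many stale bytes reached the device */
{
    int n = 0;
    for (int i = 0; i < CMD_SIZE; i++) n += wire[i] == STALE;
    return n;
}

/* Before: frame on the stack, only n bytes initialised, all 32 sent. */
int send_cmd_leaky(const void *cmd, size_t n)
{
    unsigned char frame[CMD_SIZE];
    int actual;
    memset(frame, STALE, sizeof(frame)); /* models uninitialised stack */
    memcpy(frame, cmd, n);
    return mock_bulk(frame, CMD_SIZE, &actual, 1);
}

/* After: zeroed heap buffer; a short transfer is an error, not data. */
int xfer_fixed(void *data, size_t n, int to_device)
{
    int len = to_device ? CMD_SIZE : (int)n, actual, ret;
    unsigned char *buf = n <= CMD_SIZE ? calloc(1, CMD_SIZE) : NULL;
    if (!buf)
        return n > CMD_SIZE ? -EINVAL : -ENOMEM;
    if (to_device) memcpy(buf, data, n);
    ret = mock_bulk(buf, len, &actual, to_device);
    if (ret == 0 && actual != len) ret = -EIO; /* never act on a partial buffer */
    if (ret == 0 && !to_device) memcpy(data, buf, n);
    free(buf);
    return ret;
}
```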

Potential Impact

For European organizations, the impact of CVE-2021-47477 primarily concerns system stability and availability. Systems running vulnerable versions of the Linux kernel with the comedi dt9812 driver enabled may experience USB transfer failures, potentially disrupting operations that rely on USB-connected data acquisition or control devices. The stack information leak, while limited in scope, could theoretically expose sensitive kernel stack data, which might aid attackers in crafting further attacks, though no direct confidentiality breach is reported. Industrial, scientific, and medical sectors using specialized hardware interfacing via the dt9812 device could be particularly affected, as device malfunctions or data acquisition errors could impact critical processes. However, since the vulnerability does not allow privilege escalation or code execution, the overall risk is moderate. Organizations with high availability requirements or those using Linux-based embedded systems with this driver should prioritize patching to avoid operational disruptions.

Mitigation Recommendations

European organizations should implement the following specific mitigations:

1) Identify and inventory Linux systems running kernels with the comedi dt9812 driver enabled, especially in industrial control, scientific research, or embedded environments.
2) Apply the latest Linux kernel updates that include the fix for CVE-2021-47477 as soon as possible to ensure proper DMA buffer allocation and eliminate the stack info leak.
3) For systems where immediate patching is not feasible, consider disabling or unloading the comedi dt9812 driver if it is not critical to operations to mitigate the risk.
4) Monitor USB device logs and kernel messages for transfer errors that could indicate exploitation attempts or impact from this vulnerability.
5) Incorporate this vulnerability into vulnerability management and patching cycles, ensuring that embedded and specialized Linux systems are not overlooked.
6) Engage with hardware vendors for any firmware or driver updates related to the dt9812 device to ensure end-to-end mitigation.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-05-22T06:20:56.200Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d9833c4522896dcbe924a

Added to database: 5/21/2025, 9:09:07 AM

Last enriched: 6/30/2025, 1:29:07 PM

Last updated: 8/17/2025, 10:52:27 AM
