
CVE-2021-47503: NULL pointer dereference in the Linux kernel pm80xx SCSI driver

Medium
Published: Fri May 24 2024 (05/24/2024, 15:01:50 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

scsi: pm80xx: Do not call scsi_remove_host() in pm8001_alloc()

Calling scsi_remove_host() before scsi_add_host() results in a crash:

BUG: kernel NULL pointer dereference, address: 0000000000000108
RIP: 0010:device_del+0x63/0x440
Call Trace:
 device_unregister+0x17/0x60
 scsi_remove_host+0xee/0x2a0
 pm8001_pci_probe+0x6ef/0x1b90 [pm80xx]
 local_pci_probe+0x3f/0x90

We cannot call scsi_remove_host() in pm8001_alloc() because scsi_add_host() has not been called yet at that point in time.

Function call tree:

pm8001_pci_probe()
|
`- pm8001_pci_alloc()
|  |
|  `- pm8001_alloc()
|     |
|     `- scsi_remove_host()
|
`- scsi_add_host()

AI-Powered Analysis

AI analysis last updated: 06/30/2025, 13:55:28 UTC

Technical Analysis

CVE-2021-47503 is a medium-severity vulnerability in the Linux kernel's pm80xx SCSI driver, which drives PMC-Sierra (now Microchip) PM8001/PM80xx SAS/SATA host controllers. The defect is an ordering error in driver initialisation. pm8001_alloc(), reached from pm8001_pci_alloc() during pm8001_pci_probe(), called scsi_remove_host() on its failure path, but pm8001_pci_probe() only calls scsi_add_host() later, after allocation has succeeded. scsi_remove_host() is valid only on a host that scsi_add_host() has registered; on a host that was never added, the teardown in device_unregister() and device_del() follows pointers that are still NULL, and the kernel oopses at address 0x0000000000000108 as the trace shows. The weakness is CWE-476 (NULL Pointer Dereference). The faulty call is reached only when pm8001_alloc() fails (if it ran on every probe the driver could never load), so triggering it requires an allocation or device-setup failure at probe time rather than ordinary user input. The recorded CVSS 3.1 metrics are local attack vector (AV:L), no privileges required (PR:N) and no user interaction (UI:N); the impact is denial of service through a kernel crash, with no direct confidentiality or integrity loss. The CVE record identifies the affected kernels by git commit ranges rather than release numbers, and no exploitation in the wild has been reported. The fix removes the scsi_remove_host() call from pm8001_alloc(), so the SCSI host is torn down only by the code that added it.
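To make the ordering error concrete, the following user-space C model is added here; it is not kernel code and not part of the advisory. It mirrors the call chain from the description (pm8001_pci_probe -> pm8001_pci_alloc -> pm8001_alloc -> scsi_remove_host) with a pre-fix and a post-fix pm8001_alloc() side by side, and counts every attempt to remove a host that was never added instead of dereferencing a NULL pointer. The structs, the registered flag, the fail_alloc switch and the violation counter are assumptions of the model, not kernel definitions.

```c
/*
 * Added example, not kernel code: a user-space model of the ordering bug in
 * CVE-2021-47503.  Function names follow the advisory's call chain; the
 * structs, the 'registered' flag, the 'fail_alloc' switch and the violation
 * counter are simplifications assumed here.
 */
#include <stdio.h>
#include <stdlib.h>

struct device {
    int registered;         /* set when the host is added to the midlayer */
    struct device *parent;  /* NULL until then, like the kernel's kobject parent */
};
struct scsi_host { struct device dev; };
struct pm8001_hba_info {
    struct scsi_host *shost;
    void *tags;             /* the per-HBA allocation whose failure we simulate */
};

static int g_violations;    /* remove-before-add events observed */

/* Model of device_del(): the kernel follows the device's parent/bus/class
 * links, NULL on a device that was never added (the dereference at 0x108 in
 * the trace).  Here the violation is counted instead of faulting. */
static void device_del(struct device *dev)
{
    if (!dev->registered) {
        g_violations++;
        return;
    }
    dev->registered = 0;
    dev->parent = NULL;
}

static void scsi_add_host(struct scsi_host *shost, struct device *parent)
{
    shost->dev.parent = parent;
    shost->dev.registered = 1;
}

static void scsi_remove_host(struct scsi_host *shost)
{
    device_del(&shost->dev);    /* via device_unregister() in the kernel */
}

/* pm8001_alloc() before the fix: the error path tears down a host that the
 * caller has not registered yet. */
static int pm8001_alloc_buggy(struct pm8001_hba_info *ha, int fail_alloc)
{
    ha->tags = fail_alloc ? NULL : calloc(1, 64);
    if (!ha->tags)
        goto err_out;
    return 0;
err_out:
    scsi_remove_host(ha->shost);    /* BUG: scsi_add_host() has not run */
    return 1;
}

/* pm8001_alloc() after the fix: just report failure; the caller owns the host. */
static int pm8001_alloc_fixed(struct pm8001_hba_info *ha, int fail_alloc)
{
    ha->tags = fail_alloc ? NULL : calloc(1, 64);
    return ha->tags ? 0 : 1;
}

/* pm8001_pci_probe(): allocate first, register with the SCSI midlayer second,
 * the order shown in the advisory's call tree.  Returns 0 on success. */
static int pm8001_pci_probe(int fail_alloc, int use_fixed)
{
    struct device pci_dev = {0};
    struct scsi_host shost = {0};
    struct pm8001_hba_info ha = { .shost = &shost, .tags = NULL };
    int rc = use_fixed ? pm8001_alloc_fixed(&ha, fail_alloc)
                       : pm8001_alloc_buggy(&ha, fail_alloc);

    if (rc)
        return -1;              /* host never added, so nothing to remove */
    scsi_add_host(&shost, &pci_dev);
    /* ... normal operation, then driver removal ... */
    scsi_remove_host(&shost);   /* legitimate: remove after add */
    free(ha.tags);
    return 0;
}

/* Run one probe scenario; return how many times a host was removed before it
 * had been added (the condition that oopses a real kernel). */
int run_probe(int fail_alloc, int use_fixed)
{
    g_violations = 0;
    pm8001_pci_probe(fail_alloc, use_fixed);
    return g_violations;
}

int main(void)
{
    printf("pre-fix,  alloc fails: %d violation(s)\n", run_probe(1, 0));
    printf("post-fix, alloc fails: %d violation(s)\n", run_probe(1, 1));
    printf("post-fix, alloc ok   : %d violation(s)\n", run_probe(0, 1));
    return 0;
}
```

The point the model makes is the invariant behind the fix: the function that calls scsi_add_host() is the only one entitled to call scsi_remove_host(), and a helper that fails before registration must report the error and leave teardown to its caller. With the pre-fix allocator the failing probe records one remove-before-add event; with the fixed allocator it records none, whether allocation fails or succeeds.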

Potential Impact

For European organizations, this vulnerability is a denial-of-service risk confined to Linux hosts that actually carry a PM8001/PM80xx SAS/SATA controller driven by pm80xx, typically servers and storage appliances rather than general-purpose endpoints. Because the crash sits in the PCI probe path, it surfaces at boot, at module load or on device hot-plug when pm8001_alloc() fails, and a kernel oops takes down the whole host, not just the storage stack: writes that have not reached disk are lost and every service on the machine stops. The vulnerability grants no privilege escalation and exposes no data by itself; its significance is availability, so it matters most where uptime is contractual, such as data centres, cloud and hosting providers, and enterprises whose storage tiers sit behind these controllers. The attack vector is local, but driver probe is reached at boot, module load or hot-plug, none of which an unprivileged user normally controls, so in practice the realistic trigger is a resource-exhausted or faulty system rather than a deliberate attack; exposure to deliberate triggering is greatest where an attacker already holds a privileged foothold on the host.

Mitigation Recommendations

1. Apply the official Linux kernel patch (scsi: pm80xx: Do not call scsi_remove_host() in pm8001_alloc()) or move to a distribution kernel that carries it.
2. Inventory which hosts load the pm80xx module or have it bound to a controller (lsmod, lspci -k); the module is normally loaded only when matching PM80xx hardware is present, so systems without it are not exposed. Prioritise storage and server roles.
3. Restrict local access to trusted users, since the CVSS vector is local.
4. Monitor kernel logs and crash dumps for oopses and unexpected reboots so a crash in pm8001_pci_probe() is noticed and correlated across the fleet.
5. Use kernel live patching where available to apply the fix without downtime.
6. In virtualised or containerised environments, isolate workloads that depend on an affected host so a host crash does not cascade into other tenants or services.
7. Maintain regular backups and disaster recovery plans to limit data loss from unexpected crashes.
8. Harden access controls and review audit logs for suspicious local activity, including unexpected module load or unload events on storage hosts.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-05-22T06:20:56.205Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d9833c4522896dcbe92e9

Added to database: 5/21/2025, 9:09:07 AM

Last enriched: 6/30/2025, 1:55:28 PM

Last updated: 8/17/2025, 1:56:22 PM

