CVE-2021-47505: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

aio: fix use-after-free due to missing POLLFREE handling

signalfd_poll() and binder_poll() are special in that they use a waitqueue whose lifetime is the current task, rather than the struct file as is normally the case. This is okay for blocking polls, since a blocking poll occurs within one task; however, non-blocking polls require another solution. This solution is for the queue to be cleared before it is freed, by sending a POLLFREE notification to all waiters.

Unfortunately, only eventpoll handles POLLFREE. A second type of non-blocking poll, aio poll, was added in kernel v4.18, and it doesn't handle POLLFREE. This allows a use-after-free to occur if a signalfd or binder fd is polled with aio poll, and the waitqueue gets freed.

Fix this by making aio poll handle POLLFREE.

A patch by Ramji Jiyani <ramjiyani@google.com> (https://lore.kernel.org/r/20211027011834.2497484-1-ramjiyani@google.com) tried to do this by making aio_poll_wake() always complete the request inline if POLLFREE is seen. However, that solution had two bugs. First, it introduced a deadlock, as it unconditionally locked the aio context while holding the waitqueue lock, which inverts the normal locking order. Second, it didn't consider that POLLFREE notifications are missed while the request has been temporarily de-queued.

The second problem was solved by my previous patch. This patch then properly fixes the use-after-free by handling POLLFREE in a deadlock-free way. It does this by taking advantage of the fact that freeing of the waitqueue is RCU-delayed, similar to what eventpoll does.
AI Analysis
Technical Summary
CVE-2021-47505 is a use-after-free in the Linux kernel's asynchronous I/O (aio) poll path, caused by missing handling of the POLLFREE notification. Most poll implementations register waiters on a waitqueue that lives as long as the struct file. signalfd_poll() and binder_poll() are different: their waitqueue belongs to the current task (for signalfd, the task's signal-handling state), so it is freed when that task goes away, not when the file is closed. A blocking poll such as poll(2) or select(2) is safe because the waiter is the same task and cannot outlive its own waitqueue. A non-blocking poll, where a request stays registered after the submitting call returns, needs the queue to notify its waiters before it is freed; the kernel does this by waking them with POLLFREE. eventpoll (epoll) honours POLLFREE, but aio poll, the IOCB_CMD_POLL opcode added to io_submit(2) in v4.18, ignored it. A pending aio poll request on a signalfd or binder fd therefore stayed linked into a waitqueue that could be freed underneath it, so a later wakeup or removal of that entry touched freed memory. An earlier attempted fix completed the request inline from aio_poll_wake() whenever POLLFREE was seen, but it had two defects: it took the aio context lock while holding the waitqueue lock, inverting the normal locking order and creating a deadlock, and it did not account for POLLFREE notifications that arrive while the request is temporarily removed from the queue. The second defect was addressed by a preceding patch; the final fix handles POLLFREE without taking the context lock from the wakeup path, relying on the fact that the waitqueue's memory is freed only after an RCU grace period, the same approach eventpoll uses.
Potential Impact
For European organizations, the exposure is any host running a Linux kernel that has aio poll (v4.18 onwards) but predates the fix. The trigger needs only local, unprivileged code: io_setup(2), io_submit(2) and signalfd(2) are available to ordinary users, and binder is the IPC driver on Android, so Android devices are in scope alongside servers. The bug is a kernel use-after-free, so the realistic consequences are a kernel crash (denial of service) and, with enough effort, memory corruption that a local attacker could turn into privilege escalation; confidentiality, integrity and availability can all be affected. Given Linux's footprint in European data centres, cloud platforms, telecoms equipment and embedded devices, a working exploit would matter most where untrusted local code runs: multi-tenant hosts, CI runners, container platforms and developer workstations. The CVE was assigned in 2024 for a fix merged in December 2021, so most maintained distributions already ship it; no public exploit is known, but race-based kernel use-after-frees of this kind are within reach of skilled attackers targeting financial, government and telecom infrastructure.
Mitigation Recommendations
European organizations should prioritize updating to a kernel that carries the fix for CVE-2021-47505 ("aio: fix use-after-free due to missing POLLFREE handling", in mainline v5.16 and backported to the stable series). The flaw is in the kernel's aio poll path, so patching the kernel is the only complete mitigation. Organizations should:
1) Identify hosts running an affected kernel: anything from v4.18 up to the stable release that received the backport. Check the running kernel with uname -r against the distribution's advisory, and on long-lived images and appliances check the kernel actually booted, not just the installed package.
2) Apply vendor kernel updates or backported patches promptly and reboot (or live-patch) so the fixed kernel is the one running.
3) Where patching must wait, reduce who can reach the trigger. Exploitation requires local code execution, so restrict shell and container access to trusted users. If native aio is not needed (some databases and I/O-heavy daemons use it through libaio, so check first), set the sysctl fs.aio-max-nr to 0, which makes io_setup(2) fail with EAGAIN and closes the aio poll path entirely; in container seccomp profiles, deny io_setup and io_submit for workloads that do not need them.
4) Monitor for symptoms: kernel oopses, panics or KASAN splats whose trace involves aio_poll_wake() or signalfd and binder wakeups, and unexpected reboots on hosts that run untrusted code. An auditd rule on io_submit(2) shows which workloads use aio, though it is too noisy to alert on by itself.
5) Keep kernel hardening enabled: KASLR, and allocator hardening such as CONFIG_SLAB_FREELIST_HARDENED and init_on_free, which raise the cost of turning a use-after-free into code execution. KPTI is a Meltdown mitigation and does not help against this bug.
6) Reduce attack surface where practical: signalfd is a general-purpose interface and cannot usually be removed, but the binder driver is only needed for Android and Android-in-a-container use cases and should stay disabled in general-purpose kernels.
7) Track the CVE in vulnerability management and incident response plans so that unpatched stragglers are found and remediated.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-05-22T06:20:56.205Z
- CISA Enriched: true
- CVSS Version: null
- State: PUBLISHED
Threat ID: 682d9833c4522896dcbe92f1
Added to database: 5/21/2025, 9:09:07 AM
Last enriched: 6/30/2025, 1:55:59 PM
Last updated: 8/19/2025, 11:55:41 PM
Views: 15