CVE-2021-47576: Vulnerability in the Linux kernel (assigner: Linux)
Description
In the Linux kernel, the following vulnerability has been resolved:

scsi: scsi_debug: Sanity check block descriptor length in resp_mode_select()

In resp_mode_select() sanity check the block descriptor len to avoid UAF.

BUG: KASAN: use-after-free in resp_mode_select+0xa4c/0xb40 drivers/scsi/scsi_debug.c:2509
Read of size 1 at addr ffff888026670f50 by task scsicmd/15032

CPU: 1 PID: 15032 Comm: scsicmd Not tainted 5.15.0-01d0625 #15
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
Call Trace:
 <TASK>
 dump_stack_lvl+0x89/0xb5 lib/dump_stack.c:107
 print_address_description.constprop.9+0x28/0x160 mm/kasan/report.c:257
 kasan_report.cold.14+0x7d/0x117 mm/kasan/report.c:443
 __asan_report_load1_noabort+0x14/0x20 mm/kasan/report_generic.c:306
 resp_mode_select+0xa4c/0xb40 drivers/scsi/scsi_debug.c:2509
 schedule_resp+0x4af/0x1a10 drivers/scsi/scsi_debug.c:5483
 scsi_debug_queuecommand+0x8c9/0x1e70 drivers/scsi/scsi_debug.c:7537
 scsi_queue_rq+0x16b4/0x2d10 drivers/scsi/scsi_lib.c:1521
 blk_mq_dispatch_rq_list+0xb9b/0x2700 block/blk-mq.c:1640
 __blk_mq_sched_dispatch_requests+0x28f/0x590 block/blk-mq-sched.c:325
 blk_mq_sched_dispatch_requests+0x105/0x190 block/blk-mq-sched.c:358
 __blk_mq_run_hw_queue+0xe5/0x150 block/blk-mq.c:1762
 __blk_mq_delay_run_hw_queue+0x4f8/0x5c0 block/blk-mq.c:1839
 blk_mq_run_hw_queue+0x18d/0x350 block/blk-mq.c:1891
 blk_mq_sched_insert_request+0x3db/0x4e0 block/blk-mq-sched.c:474
 blk_execute_rq_nowait+0x16b/0x1c0 block/blk-exec.c:63
 sg_common_write.isra.18+0xeb3/0x2000 drivers/scsi/sg.c:837
 sg_new_write.isra.19+0x570/0x8c0 drivers/scsi/sg.c:775
 sg_ioctl_common+0x14d6/0x2710 drivers/scsi/sg.c:941
 sg_ioctl+0xa2/0x180 drivers/scsi/sg.c:1166
 __x64_sys_ioctl+0x19d/0x220 fs/ioctl.c:52
 do_syscall_64+0x3a/0x80 arch/x86/entry/common.c:50
 entry_SYSCALL_64_after_hwframe+0x44/0xae arch/x86/entry/entry_64.S:113
AI Analysis
Technical Summary
CVE-2021-47576 is an out-of-bounds kernel read, reported by KASAN as a use-after-free, in resp_mode_select() of the Linux kernel's scsi_debug driver. scsi_debug is a test driver that emulates SCSI targets in software for storage-stack development, testing and fault injection; it is not loaded by default. resp_mode_select() implements the MODE SELECT command. The parameter list an initiator sends with MODE SELECT begins with a mode parameter header whose block descriptor length field is under the initiator's control. The driver added that field to the header size to locate the first mode page and read the page code at the resulting offset without checking the offset against the length of data actually transferred. A crafted block descriptor length therefore pushes the read past the end of the driver's buffer, and in the reporter's run the bytes beyond it were freed memory, hence the KASAN "use-after-free" classification of a 1-byte read at a freed address. The fix adds the missing sanity check so that an offset outside the parameter list is rejected instead of dereferenced.

The call trace shows how the code is reached: a local process issues an ioctl on an sg device node (sg_ioctl, sg_new_write, sg_common_write), the command is submitted through the block layer (blk_execute_rq_nowait and the blk-mq dispatch path) to scsi_debug_queuecommand and schedule_resp, which calls resp_mode_select. Triggering the bug therefore requires local access and write permission on the sg node of a scsi_debug device, which on a typical system means root or membership in the group that owns /dev/sg*. The outcome the report supports is an out-of-bounds kernel read, i.e. a kernel crash (denial of service); the report does not demonstrate a write primitive or arbitrary code execution, so claims of privilege escalation are speculative. This page carries no CVSS score. The "QEMU Standard PC" hardware name only identifies the reporter's test virtual machine; it does not mean virtualized systems are affected differently from bare metal. Affected kernels are those that ship scsi_debug without the fix (mainline and the stable branches it was backported to); consult your distribution's advisory for exact versions. No exploitation in the wild is reported.
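The following C program is an added example, not code from the kernel or from the scsi_debug driver. It models the parsing step the fix hardens: the SCSI mode parameter header (SPC layout: a 4-byte header with the block descriptor length in byte 3 for MODE SELECT(6), an 8-byte header with a big-endian length in bytes 6 and 7 for MODE SELECT(10)) is read from an initiator-supplied buffer, and the block descriptor length is used as the offset of the first mode page. page_offset_unchecked() reproduces the unchecked arithmetic and only reports where the page code would be read from; find_mode_page() is the hardened form that rejects any offset outside the bytes actually transferred. The sample buffers, function names and status codes are constructed for this example, and the driver's own buffer handling (a fixed-size kernel buffer the data-out is copied into) is simplified to a plain array plus a length.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* SPC mode parameter header sizes: MODE SELECT(6) uses 4 bytes, MODE SELECT(10) uses 8. */
enum { MS6_HDR_LEN = 4, MS10_HDR_LEN = 8 };

enum ms_status {
    MS_OK = 0,
    MS_ERR_SHORT_HEADER,  /* fewer bytes than a mode parameter header */
    MS_ERR_BD_OVERFLOW,   /* block descriptor length points past the buffer */
    MS_ERR_PAGE_OVERFLOW  /* mode page length runs past the buffer */
};

static uint16_t get_be16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Unchecked arithmetic of the pre-fix logic: trusts the initiator-supplied block
 * descriptor length and returns the offset the page code would be read from.
 * It deliberately never dereferences that offset. */
size_t page_offset_unchecked(const uint8_t *buf, int mselect6)
{
    size_t hdr = mselect6 ? MS6_HDR_LEN : MS10_HDR_LEN;
    size_t bd_len = mselect6 ? buf[3] : get_be16(buf + 6);
    return hdr + bd_len;
}

/* Hardened parser: every offset derived from a length field inside the buffer is
 * checked against param_len, the number of bytes actually transferred, before
 * it is dereferenced. */
enum ms_status find_mode_page(const uint8_t *buf, size_t param_len, int mselect6,
                              size_t *page_off, uint8_t *page_code, size_t *page_len)
{
    size_t hdr = mselect6 ? MS6_HDR_LEN : MS10_HDR_LEN;
    if (param_len < hdr)
        return MS_ERR_SHORT_HEADER;

    size_t bd_len = mselect6 ? buf[3] : get_be16(buf + 6);
    size_t off = hdr + bd_len;

    /* The check the fix adds: page code and page length bytes must lie inside the buffer. */
    if (off + 2 > param_len)
        return MS_ERR_BD_OVERFLOW;

    size_t plen = buf[off + 1];
    if (off + 2 + plen > param_len)
        return MS_ERR_PAGE_OVERFLOW;

    *page_off = off;
    *page_code = buf[off] & 0x3f;
    *page_len = plen;
    return MS_OK;
}

/* Constructed sample parameter lists for this example (not taken from the report). */

/* MODE SELECT(6): no block descriptor, control mode page 0x0a with 10 data bytes. */
const uint8_t sample_ok6[16] = {
    0x00, 0x00, 0x00, 0x00,
    0x0a, 0x0a, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
};

/* MODE SELECT(6): block descriptor length 255 although only 16 bytes were sent. */
const uint8_t sample_bad6[16] = {
    0x00, 0x00, 0x00, 0xff,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
};

/* MODE SELECT(10): one 8-byte block descriptor, caching page 0x08 of length 2. */
const uint8_t sample_ok10[20] = {
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00,
    0x08, 0x02, 0x04, 0x00
};

int main(void)
{
    static const char *names[] = { "ok", "short header", "bd_len overflow", "page overflow" };
    size_t off, plen;
    uint8_t code;

    printf("crafted list: unchecked offset %zu in a %zu-byte buffer\n",
           page_offset_unchecked(sample_bad6, 1), sizeof sample_bad6);
    printf("crafted list: checked parse -> %s\n",
           names[find_mode_page(sample_bad6, sizeof sample_bad6, 1, &off, &code, &plen)]);
    if (find_mode_page(sample_ok6, sizeof sample_ok6, 1, &off, &code, &plen) == MS_OK)
        printf("MODE SELECT(6): page 0x%02x at offset %zu, %zu data bytes\n", code, off, plen);
    if (find_mode_page(sample_ok10, sizeof sample_ok10, 0, &off, &code, &plen) == MS_OK)
        printf("MODE SELECT(10): page 0x%02x at offset %zu, %zu data bytes\n", code, off, plen);
    return 0;
}
```

With the crafted 16-byte MODE SELECT(6) list the unchecked offset is 259, far past the buffer, while the checked parser returns the block-descriptor overflow status; a target that hits that status answers CHECK CONDITION with an ILLEGAL REQUEST sense key rather than touching memory it does not own. The same pattern applies to every length field an initiator can set: compare the derived offset with the bytes received, not with the size of the destination buffer alone.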
Potential Impact
For European organizations the exposure from CVE-2021-47576 is narrow. Two conditions must hold: the scsi_debug module must be loaded, and the attacker must already have local access with write permission on the sg device node of an emulated scsi_debug target. Production servers rarely load scsi_debug; it turns up on storage-stack development hosts, CI runners and lab virtual machines that use it to emulate SCSI devices for testing. On such a system the realistic impact is a kernel crash, which takes down every workload sharing that kernel, including containers and, on a hypervisor host, its guests. The report does not show a write primitive, so treating this as a privilege-escalation bug overstates what is known. Organizations with large Linux estates in finance, telecommunications and public administration should classify it as a local denial-of-service issue on test infrastructure rather than a remote threat, but should still apply the fix: test hosts often have looser access controls than production, and any account that can reach the sg node can trigger the crash.
Mitigation Recommendations
1. Patch: apply the kernel update that contains the fix (scsi: scsi_debug: Sanity check block descriptor length in resp_mode_select()); distribution stable kernels carry it as a backport, so the fixed version number differs per distribution.
2. Do not load scsi_debug where it is not needed: check the loaded-module list for scsi_debug, unload it, and prevent reloading with a modprobe.d blacklist or install rule; kernels built for production can omit CONFIG_SCSI_DEBUG entirely. Apply the same to virtual machine guests, since the module runs in the guest kernel.
3. Where scsi_debug is needed (test and lab hosts), restrict who can reach its sg nodes: keep /dev/sg* owned by root with a narrow group, and do not expose those nodes to containers or unprivileged users.
4. Monitor kernel logs for oops and panic messages that reference drivers/scsi/scsi_debug.c. KASAN reports like the one above only appear on kernels built with KASAN, which production kernels are not, so do not rely on them for detection.
5. Inventory: use vulnerability scanning or configuration management to list hosts whose kernel predates the fix and on which scsi_debug is loaded or loadable.
6. Incident response: configure crash-dump collection on hosts that legitimately run scsi_debug, so that an unexpected crash in the driver can be attributed to a specific process and command rather than written off as flaky test hardware.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Poland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-05-24T15:11:00.730Z
- CISA Enriched: true
- CVSS Version: null
- State: PUBLISHED
Threat ID: 682d9833c4522896dcbe94e7
Added to database: 5/21/2025, 9:09:07 AM
Last enriched: 6/30/2025, 2:54:59 PM
Last updated: 8/12/2025, 8:21:18 AM