CVE-2021-47582: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

USB: core: Make do_proc_control() and do_proc_bulk() killable

The USBDEVFS_CONTROL and USBDEVFS_BULK ioctls invoke usb_start_wait_urb(), which contains an uninterruptible wait with a user-specified timeout value. If the timeout value is very large and the device being accessed does not respond in a reasonable amount of time, the kernel will complain about "Task X blocked for more than N seconds", as found in testing by syzbot:

INFO: task syz-executor.0:8700 blocked for more than 143 seconds.
      Not tainted 5.14.0-rc7-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor.0 state:D stack:23192 pid: 8700 ppid: 8455 flags:0x00004004
Call Trace:
 context_switch kernel/sched/core.c:4681 [inline]
 __schedule+0xc07/0x11f0 kernel/sched/core.c:5938
 schedule+0x14b/0x210 kernel/sched/core.c:6017
 schedule_timeout+0x98/0x2f0 kernel/time/timer.c:1857
 do_wait_for_common+0x2da/0x480 kernel/sched/completion.c:85
 __wait_for_common kernel/sched/completion.c:106 [inline]
 wait_for_common kernel/sched/completion.c:117 [inline]
 wait_for_completion_timeout+0x46/0x60 kernel/sched/completion.c:157
 usb_start_wait_urb+0x167/0x550 drivers/usb/core/message.c:63
 do_proc_bulk+0x978/0x1080 drivers/usb/core/devio.c:1236
 proc_bulk drivers/usb/core/devio.c:1273 [inline]
 usbdev_do_ioctl drivers/usb/core/devio.c:2547 [inline]
 usbdev_ioctl+0x3441/0x6b10 drivers/usb/core/devio.c:2713
 ...

To fix this problem, this patch replaces usbfs's calls to usb_control_msg() and usb_bulk_msg() with special-purpose code that does essentially the same thing (as recommended in the comment for usb_start_wait_urb()), except that it always uses a killable wait and it uses GFP_KERNEL rather than GFP_NOIO.
AI Analysis
Technical Summary
CVE-2021-47582 is a local denial-of-service weakness in the Linux kernel's USB core, in the usbfs code behind the USBDEVFS_CONTROL and USBDEVFS_BULK ioctls (drivers/usb/core/devio.c). Both ioctls carry a caller-supplied timeout in milliseconds and, before the fix, ended up in usb_start_wait_urb(), which submitted the URB and then waited for its completion with an uninterruptible wait (wait_for_completion_timeout()); a timeout of zero means no limit at all. If the timeout is large or zero and the device never completes the transfer, the calling thread sits in D state for the whole period and cannot be killed, not even with SIGKILL. Once it has been stuck for longer than kernel.hung_task_timeout_secs (120 seconds by default), the hung-task detector prints "task X blocked for more than N seconds", which is how syzbot found the problem on 5.14.0-rc7. Where an administrator has also enabled kernel.hung_task_panic, that same condition panics the machine instead of only logging. The fix replaces usbfs's calls to usb_control_msg() and usb_bulk_msg() with equivalent code that waits with a killable wait, so that SIGKILL ends the ioctl and the pending URB is cancelled, and that allocates with GFP_KERNEL rather than GFP_NOIO. Reaching the code requires open() access to the device node under /dev/bus/usb and a device that does not respond; the fix went into the kernel in 2021, while the CVE itself was only reserved on 2024-05-24. No exploitation in the wild is known and no CVSS score has been assigned. The impact is availability only; confidentiality and integrity are not affected.
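The caller-controlled timeout that the description talks about is the timeout field of struct usbdevfs_bulktransfer (and usbdevfs_ctrltransfer) passed to the ioctl. The program below is an added example, not code from the kernel or from this page: it shows where that field lives and how a user-space USB tool can protect itself on a kernel that lacks the fix by never handing the kernel an unbounded wait. The device path, endpoint number and 5-second cap are assumptions for illustration.

```c
/* Added example: issue USBDEVFS_BULK with a bounded timeout so the ioctl
 * cannot park the calling thread in an unkillable wait on kernels that
 * predate the fix. Device path and endpoint are placeholders. */
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <unistd.h>
#include <linux/usbdevice_fs.h>

/* Longest wait we are willing to spend inside one ioctl, in milliseconds
 * (assumed cap for this example). */
#define USBFS_MAX_TIMEOUT_MS 5000U

/* Clamp a requested timeout into (0, USBFS_MAX_TIMEOUT_MS]. Zero is
 * rejected because the kernel treats timeout == 0 as "wait forever". */
unsigned int usbfs_bounded_timeout(unsigned int requested_ms)
{
    if (requested_ms == 0 || requested_ms > USBFS_MAX_TIMEOUT_MS)
        return USBFS_MAX_TIMEOUT_MS;
    return requested_ms;
}

/* Fill the usbfs bulk request. ep carries the direction bit (0x80 = IN). */
int usbfs_prepare_bulk(struct usbdevfs_bulktransfer *req, unsigned int ep,
                       void *buf, unsigned int len, unsigned int timeout_ms)
{
    if (!req || !buf || len == 0)
        return -EINVAL;
    memset(req, 0, sizeof(*req));
    req->ep = ep;
    req->len = len;
    req->timeout = usbfs_bounded_timeout(timeout_ms);
    req->data = buf;
    return 0;
}

/* One bulk transfer on an already opened /dev/bus/usb node.
 * Returns bytes transferred, or -errno. */
int usbfs_bulk(int fd, unsigned int ep, void *buf, unsigned int len,
               unsigned int timeout_ms)
{
    struct usbdevfs_bulktransfer req;
    int rc = usbfs_prepare_bulk(&req, ep, buf, len, timeout_ms);
    if (rc)
        return rc;
    rc = ioctl(fd, USBDEVFS_BULK, &req);
    return rc < 0 ? -errno : rc;
}

int main(int argc, char **argv)
{
    /* Placeholder path; real nodes look like /dev/bus/usb/001/004. */
    const char *path = argc > 1 ? argv[1] : "/dev/bus/usb/001/004";
    unsigned char buf[64];
    int fd = open(path, O_RDWR);
    if (fd < 0) {
        perror("open");
        return 1;
    }
    /* Bulk IN on endpoint 1; the caller asks for "forever" but gets 5 s. */
    int n = usbfs_bulk(fd, 0x81, buf, sizeof buf, UINT_MAX);
    if (n < 0)
        fprintf(stderr, "USBDEVFS_BULK: %s\n", strerror(-n));
    else
        printf("read %d bytes\n", n);
    close(fd);
    return n < 0;
}
```

On a fixed kernel the clamp is belt and braces, since SIGKILL will end the wait anyway; on an unfixed kernel it is the only thing standing between a silent device and an unkillable process.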
Potential Impact
For European organizations the practical effect is a local denial of service. A process that can open a device node under /dev/bus/usb and issue USBDEVFS_CONTROL or USBDEVFS_BULK against a device that does not answer is parked in uninterruptible sleep for the full timeout; on an unfixed kernel it cannot be killed, keeps the device file open, and is only released when the transfer completes, the timeout expires or the device is disconnected. Other processes and other USB devices keep working, so the baseline impact is a stuck process plus hung-task warnings rather than a whole-system hang; the exception is a host with kernel.hung_task_panic enabled, where the detector turns the condition into a panic and a reboot. Exposure therefore depends on who can reach the device nodes: shared desktops and workstations where udev grants logged-in users access to USB devices, build and test farms whose tooling drives devices through libusb, hosts that pass /dev/bus/usb nodes into containers or virtual machines, and industrial, medical or embedded systems whose USB peripherals are driven from user space. Confidentiality and integrity are not affected. No exploitation in the wild is known, and because an honest but misbehaving device triggers exactly the same path, the condition is more likely to surface as an operational fault (a USB tool stuck in D state that will not die) than as an attack.
Mitigation Recommendations
The fix, "USB: core: Make do_proc_control() and do_proc_bulk() killable", has been in the kernel since 2021, so the first step for European organizations is simply to run a kernel that contains it: distribution kernels pick it up through normal security updates, while embedded or custom kernels need the change backported and rebuilt. Where updating is delayed, reduce who can reach the affected ioctls. Only a process that can open a node under /dev/bus/usb can issue USBDEVFS_CONTROL or USBDEVFS_BULK, so tighten the udev rules that set owner and mode on those nodes, avoid blanket grants to logged-in users on shared machines, and do not bind-mount /dev/bus/usb into containers or hand it to untrusted virtual machines. User-space USB code under your own control should always pass a short, finite timeout in the ioctl (a timeout of 0 disables the limit entirely) rather than rely on the kernel to bail out. For detection, watch the kernel log for "INFO: task ... blocked for more than N seconds" reports whose call trace contains usbdev_ioctl or usb_start_wait_urb; kernel.hung_task_timeout_secs controls how quickly they appear. Leave kernel.hung_task_panic off on unpatched hosts, since it converts a stuck process into a crash. Finally, make sure operators know the symptom: a USB tool in D state that does not respond to SIGKILL.
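The detection step above amounts to matching hung-task reports whose trace goes through the usbfs ioctl path. The program below is an added example, not code from the kernel or from this page; it scans kernel log text (dmesg or journal output) for those reports. The log it runs on is constructed for the example and modelled on the syzbot report in the description, followed by an unrelated hung task that must not be flagged; the frame names it matches are the ones visible in that trace.

```c
/* Added example: flag hung-task reports whose call trace runs through the
 * usbfs ioctl path, the signature of this bug being hit on an unfixed kernel. */
#include <stdio.h>
#include <string.h>

#define MAX_TASK 64

struct hung_usb_report {
    char task[MAX_TASK];   /* "name:pid" as printed by the hung-task detector */
    int seconds;           /* N from "blocked for more than N seconds" */
};

/* Frames that identify the usbfs synchronous-transfer path. */
static const char *const usb_frames[] = {
    "usbdev_ioctl", "usbdev_do_ioctl", "usb_start_wait_urb",
    "do_proc_bulk", "do_proc_control", NULL
};

static int line_has_usb_frame(const char *line)
{
    for (int i = 0; usb_frames[i]; i++)
        if (strstr(line, usb_frames[i]))
            return 1;
    return 0;
}

static void record(struct hung_usb_report *out, int max_out, int *count,
                   const char *task, int secs)
{
    if (*count < max_out) {
        snprintf(out[*count].task, MAX_TASK, "%s", task);
        out[*count].seconds = secs;
    }
    (*count)++;
}

/* Each "INFO: task X blocked for more than N seconds." header opens a report
 * that runs until the next header or a blank line. A report is USB-related if
 * any of its lines names one of usb_frames[]. Returns the number of
 * USB-related reports; the first max_out of them are copied into out[]. */
int find_usb_hung_tasks(const char *log, struct hung_usb_report *out, int max_out)
{
    char line[512], task[MAX_TASK] = "";
    int count = 0, in_report = 0, flagged = 0, secs = 0;
    const char *p = log;

    while (*p) {
        size_t n = strcspn(p, "\n");          /* copy one line, truncating */
        if (n >= sizeof line)
            n = sizeof line - 1;
        memcpy(line, p, n);
        line[n] = '\0';
        p += strcspn(p, "\n");
        if (*p == '\n')
            p++;

        const char *hdr = strstr(line, "INFO: task ");
        int blank = line[strspn(line, " \t")] == '\0';
        if (hdr || blank) {
            if (in_report && flagged)          /* close the previous report */
                record(out, max_out, &count, task, secs);
            in_report = flagged = 0;
            if (hdr && sscanf(hdr, "INFO: task %63s blocked for more than %d seconds",
                              task, &secs) == 2)
                in_report = 1;
            continue;
        }
        if (in_report && line_has_usb_frame(line))
            flagged = 1;
    }
    if (in_report && flagged)
        record(out, max_out, &count, task, secs);
    return count;
}

/* Constructed sample log: the syzbot-style USB report, then an unrelated one. */
static const char sample_log[] =
"[  250.000001] INFO: task syz-executor.0:8700 blocked for more than 143 seconds.\n"
"[  250.000002]       Not tainted 5.14.0-rc7-syzkaller #0\n"
"[  250.000003] task:syz-executor.0 state:D stack:23192 pid: 8700 ppid:  8455 flags:0x00004004\n"
"[  250.000004] Call Trace:\n"
"[  250.000005]  wait_for_completion_timeout+0x46/0x60 kernel/sched/completion.c:157\n"
"[  250.000006]  usb_start_wait_urb+0x167/0x550 drivers/usb/core/message.c:63\n"
"[  250.000007]  do_proc_bulk+0x978/0x1080 drivers/usb/core/devio.c:1236\n"
"[  250.000008]  usbdev_ioctl+0x3441/0x6b10 drivers/usb/core/devio.c:2713\n"
"\n"
"[  400.000001] INFO: task backup-job:4321 blocked for more than 120 seconds.\n"
"[  400.000002] task:backup-job state:D stack:0 pid: 4321 ppid:     1 flags:0x00000000\n"
"[  400.000003] Call Trace:\n"
"[  400.000004]  io_schedule+0xba/0x130 kernel/sched/core.c:8000\n"
"\n";

int main(void)
{
    struct hung_usb_report reports[8];
    int n = find_usb_hung_tasks(sample_log, reports, 8);
    for (int i = 0; i < n && i < 8; i++)
        printf("USB hung task: %s (blocked > %d s)\n",
               reports[i].task, reports[i].seconds);
    return 0;
}
```

To run it against a live host, feed it the output of dmesg or journalctl -k instead of sample_log; a hit on a patched kernel still means a device is not answering, only now the process can be killed.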
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Poland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-05-24T15:11:00.730Z
- Cisa Enriched: true
- Cvss Version: null (no CVSS score assigned)
- State: PUBLISHED
Threat ID: 682d9833c4522896dcbe9504
Added to database: 5/21/2025, 9:09:07 AM
Last enriched: 6/30/2025, 2:56:26 PM
Last updated: 8/1/2025, 7:13:37 AM
Related Threats
- CVE-2025-8838: Improper Authentication in WinterChenS my-site (Medium)
- CVE-2025-8837: Use After Free in JasPer (Medium)
- CVE-2025-8661: Vulnerability in Broadcom Symantec PGP Encryption (Medium)
- CVE-2025-8836: Reachable Assertion in JasPer (Medium)
- CVE-2025-8747: CWE-502 Deserialization of Untrusted Data in Google Keras (High)