
CVE-2021-47589: Use-after-free in the Linux kernel igbvf driver (igbvf_probe error path)

Severity: High
Published: Wed Jun 19 2024 (06/19/2024, 14:53:53 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved: igbvf: fix double free in `igbvf_probe`

In `igbvf_probe`, if register_netdev() fails, the program will go to label err_hw_init, and then to label err_ioremap. In free_netdev() which is just below label err_ioremap, there is `list_for_each_entry_safe` and `netif_napi_del` which aims to delete all entries in `dev->napi_list`. The program has added an entry `adapter->rx_ring->napi` which is added by `netif_napi_add` in igbvf_alloc_queues(). However, adapter->rx_ring has been freed below label err_hw_init. So this is a UAF. In terms of how to patch the problem, we can refer to igbvf_remove() and delete the entry before `adapter->rx_ring`.

The KASAN logs are as follows:

    [   35.126075] BUG: KASAN: use-after-free in free_netdev+0x1fd/0x450
    [   35.127170] Read of size 8 at addr ffff88810126d990 by task modprobe/366
    [   35.128360]
    [   35.128643] CPU: 1 PID: 366 Comm: modprobe Not tainted 5.15.0-rc2+ #14
    [   35.129789] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
    [   35.131749] Call Trace:
    [   35.132199]  dump_stack_lvl+0x59/0x7b
    [   35.132865]  print_address_description+0x7c/0x3b0
    [   35.133707]  ? free_netdev+0x1fd/0x450
    [   35.134378]  __kasan_report+0x160/0x1c0
    [   35.135063]  ? free_netdev+0x1fd/0x450
    [   35.135738]  kasan_report+0x4b/0x70
    [   35.136367]  free_netdev+0x1fd/0x450
    [   35.137006]  igbvf_probe+0x121d/0x1a10 [igbvf]
    [   35.137808]  ? igbvf_vlan_rx_add_vid+0x100/0x100 [igbvf]
    [   35.138751]  local_pci_probe+0x13c/0x1f0
    [   35.139461]  pci_device_probe+0x37e/0x6c0
    [   35.165526]
    [   35.165806] Allocated by task 366:
    [   35.166414]  ____kasan_kmalloc+0xc4/0xf0
    [   35.167117]  foo_kmem_cache_alloc_trace+0x3c/0x50 [igbvf]
    [   35.168078]  igbvf_probe+0x9c5/0x1a10 [igbvf]
    [   35.168866]  local_pci_probe+0x13c/0x1f0
    [   35.169565]  pci_device_probe+0x37e/0x6c0
    [   35.179713]
    [   35.179993] Freed by task 366:
    [   35.180539]  kasan_set_track+0x4c/0x80
    [   35.181211]  kasan_set_free_info+0x1f/0x40
    [   35.181942]  ____kasan_slab_free+0x103/0x140
    [   35.182703]  kfree+0xe3/0x250
    [   35.183239]  igbvf_probe+0x1173/0x1a10 [igbvf]
    [   35.184040]  local_pci_probe+0x13c/0x1f0

AI-Powered Analysis

AI analysis last updated: 06/30/2025, 14:58:16 UTC

Technical Analysis

CVE-2021-47589 is a use-after-free (UAF) in the error path of igbvf_probe(), the PCI probe routine of the Linux kernel's igbvf driver for Intel gigabit SR-IOV virtual functions (VFs). During probe, igbvf_alloc_queues() allocates adapter->rx_ring and calls netif_napi_add(), which links the NAPI structure embedded in that ring (adapter->rx_ring->napi) into the net_device's napi_list. If register_netdev() then fails, control jumps to the err_hw_init label, where the ring structures are freed with kfree(), and falls through to err_ioremap, where free_netdev() walks napi_list with list_for_each_entry_safe() and calls netif_napi_del() on every entry. One of those entries lives inside the rx_ring memory that was just freed, so free_netdev() reads and unlinks a list node in freed memory. The KASAN report in the description shows exactly that: an 8-byte read in free_netdev() of a slab object that was allocated and then freed earlier in the same igbvf_probe() call, observed during modprobe on a 5.15.0-rc2 test kernel. Despite the commit title ("fix double free"), what the description and the KASAN trace document is a use-after-free read, not a second kfree() of the same object. The root cause is cleanup ordering: a NAPI entry must be unlinked from napi_list before the structure that contains it is freed, which is the order igbvf_remove() already uses (netif_napi_del() on rx_ring->napi, then kfree()); the fix applies that same order to the probe error path. The defect is present in any kernel that carries the igbvf driver without this fix; 5.15.0-rc2 is merely the kernel the report was produced on. Reaching the bug requires register_netdev() to fail while a VF is being probed, that is during module load or VF hot-plug, which is not an operation an unprivileged local user can request; the realistic consequence is a kernel crash or memory corruption on the host or guest that owns the VF, and any privilege-escalation scenario is speculative rather than demonstrated. No known exploits are reported in the wild as of publication.
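The cleanup-ordering defect is easier to see in a runnable model than in the KASAN trace. The following C program is an added example, not code from the igbvf driver or the kernel: it reimplements a hypothetical miniature of list_head, napi_struct, netif_napi_add()/netif_napi_del() and free_netdev(), and a kfree_quarantined() stand-in for kfree() that poisons the object instead of releasing it (the way a KASAN quarantine keeps freed slabs poisoned). That lets free_netdev() count the napi_list entries that point into freed memory instead of dereferencing them as undefined behaviour. igbvf_probe_error_path(0) replays the CVE ordering and finds one dangling entry; igbvf_probe_error_path(1) unlinks the NAPI entry before the free, the order the description points to in igbvf_remove(), and finds none.

```c
/* Added example (not the igbvf driver's code): a user-space model of the
 * igbvf_probe() error path described above. The names mirror the kernel's
 * (list_head, napi_struct, netif_napi_add/del, free_netdev), but the bodies
 * are hypothetical simplifications. kfree_quarantined() poisons an object
 * instead of releasing it, the way a KASAN quarantine keeps freed slabs
 * poisoned, so the dangling napi_list entry is counted, not dereferenced. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

struct list_head { struct list_head *next, *prev; };

static void INIT_LIST_HEAD(struct list_head *h) { h->next = h->prev = h; }

static void list_add_tail(struct list_head *n, struct list_head *head)
{
    n->prev = head->prev; n->next = head;
    head->prev->next = n; head->prev = n;
}

static void list_del(struct list_head *n)
{
    n->prev->next = n->next; n->next->prev = n->prev;
    n->next = n->prev = NULL;
}

struct napi_struct   { struct list_head dev_list; int freed; /* poison flag */ };
struct igbvf_ring    { struct napi_struct napi; /* real ring: descriptors... */ };
struct net_device    { struct list_head napi_list; };
struct igbvf_adapter { struct net_device *netdev; struct igbvf_ring *rx_ring; };

/* Model of kfree(): poison instead of release, like a KASAN quarantine. The
 * caller frees the object for real once the walk that would touch it is over. */
static void kfree_quarantined(struct igbvf_ring *ring) { ring->napi.freed = 1; }

static void netif_napi_add(struct net_device *dev, struct napi_struct *napi)
{
    napi->freed = 0;
    list_add_tail(&napi->dev_list, &dev->napi_list);
}

static void netif_napi_del(struct napi_struct *napi) { list_del(&napi->dev_list); }

/* Walk napi_list the way free_netdev() does with list_for_each_entry_safe()
 * and return how many entries live in freed memory. In the kernel, reading
 * napi->dev_list inside the freed rx_ring is the access KASAN reported. */
static int free_netdev(struct net_device *dev)
{
    int dangling = 0;
    struct list_head *pos, *n;

    for (pos = dev->napi_list.next; pos != &dev->napi_list; pos = n) {
        struct napi_struct *napi = container_of(pos, struct napi_struct, dev_list);
        n = pos->next;
        if (napi->freed)
            dangling++;
        netif_napi_del(napi);
    }
    return dangling;
}

/* Model of igbvf_probe() after register_netdev() fails. fixed == 0 is the CVE
 * ordering (kfree at err_hw_init, then free_netdev at err_ioremap); fixed == 1
 * unlinks the NAPI entry first, the order igbvf_remove() already uses.
 * Returns the dangling entry count free_netdev() met, or -1 on alloc failure. */
static int igbvf_probe_error_path(int fixed)
{
    struct net_device dev;
    struct igbvf_adapter adapter;
    struct igbvf_ring *ring;
    int dangling;

    INIT_LIST_HEAD(&dev.napi_list);
    ring = calloc(1, sizeof *ring);               /* igbvf_alloc_queues() */
    if (!ring)
        return -1;
    adapter.netdev = &dev;
    adapter.rx_ring = ring;
    netif_napi_add(&dev, &adapter.rx_ring->napi);

    /* register_netdev() fails here -> goto err_hw_init */
    if (fixed)
        netif_napi_del(&adapter.rx_ring->napi);   /* the fix: unlink before kfree */
    kfree_quarantined(adapter.rx_ring);           /* err_hw_init: kfree(adapter->rx_ring) */
    adapter.rx_ring = NULL;

    dangling = free_netdev(&dev);                 /* err_ioremap: free_netdev(netdev) */
    free(ring);                                   /* model only: drop the quarantined object */
    return dangling;
}

int main(void)
{
    printf("CVE ordering:   %d dangling napi entry\n", igbvf_probe_error_path(0));
    printf("fixed ordering: %d dangling napi entry\n", igbvf_probe_error_path(1));
    return 0;
}
```

The invariant the model enforces is the general one behind this class of bug: any intrusive list node embedded in an object must be unlinked before the object is freed, on every exit path, not only in the normal remove routine. On a real kernel the same mistake is only visible with KASAN (or as a later crash when the freed slab is reused), which is why the report above was produced on a KASAN-enabled test kernel.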

Potential Impact

For European organizations, the impact of CVE-2021-47589 depends on whether they run affected kernels with the igbvf driver loaded. igbvf drives Intel gigabit SR-IOV virtual functions, so it appears mainly on virtualization hosts and in guests that are handed a VF for direct network access, in data centres, cloud platforms and telecom infrastructure. The vulnerable code runs only when igbvf_probe() fails at register_netdev(), a probe-time error condition (for example a memory allocation or device-name allocation failure) rather than an operation an unprivileged user can invoke; the party that controls VF assignment and module loading is normally a hypervisor or system administrator. Where the path is reached, the result is a read of freed kernel memory that can crash the kernel of the host or guest that owns the VF (denial of service); memory corruption beyond that, or privilege escalation, is not demonstrated by the available report. Given how widely Linux is used in European enterprise, cloud and telecom environments, the bug warrants patching, but the narrow trigger and the absence of known exploitation keep the practical risk moderate. The most exposed environments are multi-tenant virtualization platforms in sectors such as finance, government and critical infrastructure, where a guest crash or host instability translates directly into service disruption.

Mitigation Recommendations

1. Apply the upstream Linux kernel fix for the igbvf_probe() error path, or a distribution kernel that includes it. Track the distribution's advisory for this CVE rather than the upstream commit alone, since backports carry different version numbers.
2. For custom or long-lived kernels that cannot be upgraded, backport the fix itself: a netif_napi_del() on adapter->rx_ring->napi in the probe error path, before the ring is freed, mirroring the order already used in igbvf_remove(). igbvf_remove() is the model for the fix, not the code that needs patching.
3. Confirm exposure before spending effort: a system is affected only if the igbvf module is loaded (VFs of Intel gigabit SR-IOV NICs bound to it) and the running kernel predates the fix. Systems without igbvf are not affected.
4. Restrict who can load kernel modules and assign or hot-plug VFs to hypervisor and host administrators; the bug is reachable only from that probe path.
5. Build test and CI kernels with KASAN. This bug was found by KASAN, and similar cleanup-ordering bugs surface there as "use-after-free in free_netdev" long before they crash production systems.
6. Monitor kernel logs on affected hosts and guests for igbvf device initialization failures and for oopses in free_netdev(); on KASAN-enabled kernels the signature is the "BUG: KASAN: use-after-free in free_netdev" line shown in the description.
7. In virtualized environments, avoid unnecessary VF hot-plug and module reload churn on unpatched guests until they are updated, since probe is where the vulnerable path lies.
8. Coordinate with hardware and cloud providers so that both guest images and host kernels carry the fix.


Technical Details

Data Version
5.1
Assigner Short Name
Linux
Date Reserved
2024-05-24T15:11:00.732Z
Cisa Enriched
true
Cvss Version
null
State
PUBLISHED

Threat ID: 682d9833c4522896dcbe9538

Added to database: 5/21/2025, 9:09:07 AM

Last enriched: 6/30/2025, 2:58:16 PM

Last updated: 8/12/2025, 8:20:29 AM

Views: 17
