CVE-2021-47603: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

audit: improve robustness of the audit queue handling

If the audit daemon were ever to get stuck in a stopped state the kernel's kauditd_thread() could get blocked attempting to send audit records to the userspace audit daemon. With the kernel thread blocked it is possible that the audit queue could grow unbounded as certain audit record generating events must be exempt from the queue limits else the system enters a deadlock state.

This patch resolves this problem by lowering the kernel thread's socket sending timeout from MAX_SCHEDULE_TIMEOUT to HZ/10 and tweaks the kauditd_send_queue() function to better manage the various audit queues when connection problems occur between the kernel and the audit daemon.

With this patch, the backlog may temporarily grow beyond the defined limits when the audit daemon is stopped and the system is under heavy audit pressure, but kauditd_thread() will continue to make progress and drain the queues as it would for other connection problems. For example, with the audit daemon put into a stopped state and the system configured to audit every syscall it was still possible to shut down the system without a kernel panic, deadlock, etc.; granted, the system was slow to shut down but that is to be expected given the extreme pressure of recording every syscall.

The timeout value of HZ/10 was chosen primarily through experimentation and this developer's "gut feeling". There is likely no one perfect value, but as this scenario is limited in scope (root privileges would be needed to send SIGSTOP to the audit daemon), it is likely not worth exposing this as a tunable at present. This can always be done at a later date if it proves necessary.
AI Analysis
Technical Summary
CVE-2021-47603 is a vulnerability in the Linux kernel's audit subsystem, specifically in how the kernel audit thread (kauditd_thread) handles the audit queue. The audit subsystem records system events for security and compliance purposes and hands the resulting records to the userspace audit daemon (auditd) over a netlink socket. The problem arises when the userspace audit daemon is stopped (for example, by SIGSTOP) or otherwise stops reading: the kernel thread blocks while attempting to send audit records, and because certain audit record generating events must be exempt from the queue limits to avoid deadlocks, the audit queue can grow without bound while the thread is blocked. Under heavy audit pressure, such as when auditing every system call, this could drive the system into a deadlock or kernel panic. The patch reduces the socket sending timeout from MAX_SCHEDULE_TIMEOUT (effectively indefinite) to HZ/10 (one tenth of a second) and reworks the queue management in kauditd_send_queue() so that kauditd_thread keeps making progress and draining the queues even while the audit daemon is stopped, as it already did for other connection problems. This keeps the audit queue from growing indefinitely and avoids deadlock or panic, at the cost of a slower shutdown under extreme audit load. Triggering the condition requires root privileges to stop the audit daemon, which limits the attack vector to privileged users. The fix is included in kernel versions that carry the patch, giving more robust audit queue handling and system stability when the audit daemon fails or is stopped.
Potential Impact
For European organizations relying on Linux systems, especially those with stringent auditing and compliance requirements (e.g., financial institutions, healthcare providers, government agencies), this vulnerability could lead to system instability or denial of service under specific conditions where the audit daemon is stopped or unresponsive. Although exploitation requires root access, an attacker or misconfigured system could cause audit daemon stoppage, leading to potential deadlocks or kernel panics that disrupt critical services. This could impact availability of key infrastructure, delay shutdowns, or cause unexpected system behavior during high audit loads. Organizations with high audit verbosity (e.g., auditing every syscall) are particularly at risk. The vulnerability does not directly expose confidentiality or integrity risks but poses a significant availability risk, which can indirectly affect operational continuity and compliance reporting accuracy.
Mitigation Recommendations
European organizations should ensure that their Linux systems are updated to kernel versions that include the patch for CVE-2021-47603. Specifically, they should track kernel updates from their Linux distribution vendors and apply security patches promptly. Additionally, organizations should monitor the audit daemon's health and configure alerting to detect if the audit daemon stops or becomes unresponsive. Implementing automated recovery or restart mechanisms for the audit daemon can prevent prolonged stoppages. Limiting root access and enforcing strict privilege management reduces the risk of malicious or accidental stopping of the audit daemon. For systems with extremely high audit loads, consider tuning audit policies to balance audit coverage with system performance and stability. Finally, testing shutdown procedures under audit pressure can help identify potential issues before production deployment.
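As an added example (not part of this advisory or of the kernel patch), the following POSIX sh health check flags the two symptoms this CVE describes: the audit daemon sitting in a stopped state (state "T" in /proc/<pid>/stat) and the kernel audit backlog exceeding its configured limit. It assumes the "backlog" and "backlog_limit" key/value lines that `auditctl -s` prints; the inputs below are constructed so the script runs offline.

```shell
#!/bin/sh
# Added example for CVE-2021-47603: detect a stopped auditd and an over-limit kernel
# audit backlog. Not taken from the advisory or the kernel patch.

# Process state from a /proc/<pid>/stat line: the field after the parenthesised comm.
# Strip up to the last ") " so a comm containing spaces cannot shift the field.
proc_state() {
    printf '%s\n' "$1" | sed 's/.*) //' | cut -d' ' -f1
}

# Returns 0 when healthy, 1 when an alert was raised.
# $1 = contents of /proc/<pid>/stat, $2 = "auditctl -s" style key/value text (assumed format).
audit_health() {
    stat_line=$1
    status_text=$2
    state=$(proc_state "$stat_line")
    backlog=$(printf '%s\n' "$status_text" | awk '$1=="backlog"{print $2}')
    limit=$(printf '%s\n' "$status_text" | awk '$1=="backlog_limit"{print $2}')
    rc=0
    case "$state" in
        T|t) echo "ALERT: audit daemon is stopped (state $state); kauditd cannot deliver records"; rc=1 ;;
    esac
    if [ -n "$backlog" ] && [ -n "$limit" ] && [ "$limit" -gt 0 ] && [ "$backlog" -gt "$limit" ]; then
        echo "ALERT: audit backlog $backlog exceeds backlog_limit $limit"; rc=1
    fi
    return $rc
}

# Constructed sample inputs (not captured from a real host).
STOPPED_STAT='1234 (auditd) T 1 1234 1234 0 -1 4194560'
RUNNING_STAT='1234 (auditd) S 1 1234 1234 0 -1 4194560'
STATUS_OK='enabled 1
failure 1
pid 1234
backlog_limit 8192
backlog 12'
STATUS_BAD='enabled 1
failure 1
pid 1234
backlog_limit 8192
backlog 9000'

# On a live host you would pass "$(cat /proc/$(pidof auditd)/stat)" and "$(auditctl -s)".
audit_health "$STOPPED_STAT" "$STATUS_BAD" || echo "health check failed (rc=$?)"
```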
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-05-24T15:11:00.736Z
- Cisa Enriched: true
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9822c4522896dcbde18c
Added to database: 5/21/2025, 9:08:50 AM
Last enriched: 6/28/2025, 5:26:25 AM
Last updated: 7/30/2025, 11:01:52 PM