CVE-2021-47634: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

ubi: Fix race condition between ctrl_cdev_ioctl and ubi_cdev_ioctl

Hulk Robot reported a KASAN report about use-after-free:

  ==================================================================
  BUG: KASAN: use-after-free in __list_del_entry_valid+0x13d/0x160
  Read of size 8 at addr ffff888035e37d98 by task ubiattach/1385
  [...]
  Call Trace:
    klist_dec_and_del+0xa7/0x4a0
    klist_put+0xc7/0x1a0
    device_del+0x4d4/0xed0
    cdev_device_del+0x1a/0x80
    ubi_attach_mtd_dev+0x2951/0x34b0 [ubi]
    ctrl_cdev_ioctl+0x286/0x2f0 [ubi]

  Allocated by task 1414:
    device_add+0x60a/0x18b0
    cdev_device_add+0x103/0x170
    ubi_create_volume+0x1118/0x1a10 [ubi]
    ubi_cdev_ioctl+0xb7f/0x1ba0 [ubi]

  Freed by task 1385:
    cdev_device_del+0x1a/0x80
    ubi_remove_volume+0x438/0x6c0 [ubi]
    ubi_cdev_ioctl+0xbf4/0x1ba0 [ubi]
  [...]
  ==================================================================

The lock held by ctrl_cdev_ioctl is ubi_devices_mutex, but the lock held by ubi_cdev_ioctl is ubi->device_mutex. Therefore, the two locks can be concurrent.

ctrl_cdev_ioctl contains two operations: ubi_attach and ubi_detach. ubi_detach is bug-free because it uses reference counting to prevent concurrency. However, uif_init and uif_close in ubi_attach may race with ubi_cdev_ioctl.

uif_init will race with ubi_cdev_ioctl as in the following stack.

  cpu1                    cpu2                    cpu3
  _______________________|________________________|______________________
  ctrl_cdev_ioctl
    ubi_attach_mtd_dev
      uif_init
                          ubi_cdev_ioctl
                            ubi_create_volume
                              cdev_device_add
        ubi_add_volume
        // sysfs exist
        kill_volumes
                                                   ubi_cdev_ioctl
                                                     ubi_remove_volume
                                                       cdev_device_del
                                                       // first free
          ubi_free_volume
            cdev_del
            // double free
                                                       cdev_device_del

And uif_close will race with ubi_cdev_ioctl as in the following stack.

  cpu1                    cpu2                    cpu3
  _______________________|________________________|______________________
  ctrl_cdev_ioctl
    ubi_attach_mtd_dev
      uif_init
                          ubi_cdev_ioctl
                            ubi_create_volume
                              cdev_device_add
      ubi_debugfs_init_dev
      //error goto out_uif;
      uif_close
        kill_volumes
                                                   ubi_cdev_ioctl
                                                     ubi_remove_volume
                                                       cdev_device_del
                                                       // first free
          ubi_free_volume
          // double free

The cause of this problem is that commit 714fb87e8bc0 makes the device "available" before it becomes accessible via sysfs. Therefore, we roll back the modification.

We will fix the race condition between ubi device creation and udev by removing ubi_get_device in vol_attribute_show and dev_attribute_show. This avoids accessing uninitialized ubi_devices[ubi_num]. ubi_get_device is used to prevent devices from being deleted during sysfs execution. However, now kernfs ensures that devices will not be deleted before all reference counts are released. The key process is shown in the following stack.

  device_del
    device_remove_attrs
      device_remove_groups
        sysfs_remove_groups
          sysfs_remove_group
            remove_files
              kernfs_remove_by_name
                kernfs_remove_by_name_ns
                  __kernfs_remove
                    kernfs_drain
AI Analysis
Technical Summary
CVE-2021-47634 is a high-severity vulnerability in the Linux kernel's UBI (Unsorted Block Images) subsystem, specifically a race condition between two ioctl handlers: ctrl_cdev_ioctl and ubi_cdev_ioctl. The two code paths hold different mutexes (ubi_devices_mutex and ubi->device_mutex respectively), so neither excludes the other, and their concurrent execution leads to use-after-free conditions.

The root cause is a race between attaching an MTD device and concurrent volume creation and removal on that device. The ctrl_cdev_ioctl handler performs ubi_attach and ubi_detach; ubi_detach is protected by reference counting, but the uif_init and uif_close steps of ubi_attach can race with the volume creation and removal routines reached through ubi_cdev_ioctl. The result is double-free and use-after-free bugs, because device structures may be freed on one CPU while still being accessed on another. The problem was introduced by commit 714fb87e8bc0, which made devices "available" before they were fully accessible via sysfs, allowing premature access and freeing.

The fix rolls back that commit and removes the ubi_get_device calls from the sysfs attribute show functions, so that uninitialized ubi_devices entries are never accessed; the kernel's kernfs infrastructure already guarantees that a device is not deleted while sysfs references to it are outstanding, which closes the race.

Exploitation could allow a local attacker with limited privileges (PR:L) to cause memory corruption, leading to privilege escalation or denial of service. The CVSS v3.1 score is 7.8 (high), reflecting high impact on confidentiality, integrity, and availability, with low attack complexity and no user interaction required. No known exploits are reported in the wild yet.
Potential Impact
For European organizations, this vulnerability poses a significant risk particularly to servers, embedded devices, and infrastructure running vulnerable Linux kernel versions with UBI support enabled. Exploitation can lead to local privilege escalation, allowing attackers to gain root access or disrupt system availability through kernel crashes or memory corruption. This is critical for sectors relying on Linux-based embedded systems, such as telecommunications, industrial control, automotive, and IoT devices prevalent in Europe. Data centers and cloud providers using Linux kernels with affected versions could face service disruptions or compromise of sensitive data. The vulnerability's local attack vector means insider threats or attackers with limited access could escalate privileges, increasing the risk profile. Given the widespread use of Linux in European IT infrastructure, failure to patch could lead to targeted attacks or lateral movement within networks. The absence of known exploits reduces immediate risk but does not eliminate the urgency for mitigation due to the high severity and potential impact on confidentiality, integrity, and availability.
Mitigation Recommendations
1. Immediate patching: Apply the latest Linux kernel updates that include the fix for CVE-2021-47634. If vendor-specific kernels are used (e.g., Ubuntu, Red Hat, Debian), ensure their security advisories are followed and patches applied promptly.
2. Kernel version auditing: Identify and inventory all systems running affected kernel versions, especially those with UBI enabled, to prioritize patching.
3. Restrict local access: Limit local user privileges and access to systems where possible to reduce the risk of exploitation by unprivileged users.
4. Monitor kernel logs: Implement monitoring for kernel warnings or crashes related to UBI subsystem operations that could indicate exploitation attempts.
5. Harden device management: Where feasible, disable or restrict UBI usage on systems that do not require it, reducing the attack surface.
6. Use security modules: Employ Linux Security Modules (e.g., SELinux, AppArmor) to enforce strict access controls on device ioctl operations.
7. Incident response readiness: Prepare for potential exploitation by having forensic and recovery procedures in place for affected systems.
8. Vendor coordination: Engage with hardware and OS vendors to ensure timely updates and support for embedded devices that may not receive regular kernel updates.
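The auditing and log-monitoring recommendations above (items 2 and 4) can be turned into a small defender-side script. The following is an added example written for this page; it is not code from the advisory or from the kernel project. It reports whether the running kernel has the UBI subsystem present, and it scans kernel log text for KASAN use-after-free reports whose call trace contains frames in the ubi module, which is the signature quoted in the description. It assumes a POSIX sh with awk, that /proc and sysfs are mounted for the host check, and the sample log lines are constructed for the example (the second report's module name "fakemod" is made up) rather than captured from a live system.

```shell
#!/bin/sh
# Added example (not from the advisory or the kernel project): audit a host
# for the UBI subsystem and scan kernel log text for KASAN use-after-free
# reports with [ubi] frames, the pattern shown in the CVE-2021-47634 text.
# Assumptions: POSIX sh + awk; /proc and sysfs mounted for ubi_present.

# ubi_present: exit 0 when the ubi module is loaded or /sys/class/ubi exists.
ubi_present() {
    if [ -r /proc/modules ] && grep -q '^ubi ' /proc/modules; then
        return 0
    fi
    [ -d /sys/class/ubi ]
}

# audit_host: print the kernel release and whether UBI is in use, so the
# host can be prioritised for the kernel update that carries the fix.
audit_host() {
    printf 'kernel release: %s\n' "$(uname -r)"
    if ubi_present; then
        printf 'ubi: present - confirm this kernel carries the CVE-2021-47634 fix\n'
    else
        printf 'ubi: not present - the affected code path is not reachable here\n'
    fi
}

# scan_kasan_ubi FILE: for every KASAN use-after-free report in FILE whose
# trace contains a frame tagged [ubi], print "<task/pid> <first ubi frame>".
# A report runs from the "BUG: KASAN:" line to the next "=====" separator.
scan_kasan_ubi() {
    awk '
        /BUG: KASAN: use-after-free/ { inrep = 1; task = "?"; frame = ""; next }
        inrep && /by task / {
            if (match($0, /by task [^ ]+/))
                task = substr($0, RSTART + 8, RLENGTH - 8)
        }
        inrep && /\[ubi\]/ && frame == "" { frame = $1 }
        inrep && /==========/ {
            if (frame != "") print task, frame
            inrep = 0
        }
    ' "$1"
}

# count_kasan_ubi FILE: number of UBI-related KASAN reports in FILE.
count_kasan_ubi() {
    scan_kasan_ubi "$1" | wc -l | tr -d ' '
}

# Constructed sample log: one report shaped like the advisory's trace and
# one unrelated report (module "fakemod" is invented) that must be ignored.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
==================================================================
BUG: KASAN: use-after-free in __list_del_entry_valid+0x13d/0x160
Read of size 8 at addr ffff888035e37d98 by task ubiattach/1385
Call Trace:
 klist_dec_and_del+0xa7/0x4a0
 klist_put+0xc7/0x1a0
 device_del+0x4d4/0xed0
 cdev_device_del+0x1a/0x80
 ubi_attach_mtd_dev+0x2951/0x34b0 [ubi]
 ctrl_cdev_ioctl+0x286/0x2f0 [ubi]
==================================================================
==================================================================
BUG: KASAN: use-after-free in some_func+0x10/0x20
Read of size 4 at addr ffff888000000000 by task other/42
Call Trace:
 some_func+0x10/0x20 [fakemod]
==================================================================
EOF

audit_host
printf 'UBI-related KASAN reports: %s\n' "$(count_kasan_ubi "$SAMPLE_LOG")"
scan_kasan_ubi "$SAMPLE_LOG"
```

On a real host, feed the scanner with the kernel ring buffer or the journal (for example `dmesg | scan_kasan_ubi /dev/stdin`, or `journalctl -k` saved to a file); the filter keys on the [ubi] frame tag rather than on the "BUG" line alone so that unrelated KASAN reports do not raise UBI alerts. Note that KASAN reports only appear on kernels built with KASAN, so on production builds the more realistic signal from item 4 is an oops or warning referencing ubi_cdev_ioctl or ctrl_cdev_ioctl.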
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden, Finland, Poland, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2025-02-26T01:48:21.518Z
- Cisa Enriched: true
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 682d9822c4522896dcbde194
Added to database: 5/21/2025, 9:08:50 AM
Last enriched: 7/2/2025, 9:57:01 PM
Last updated: 8/12/2025, 3:31:36 PM