
CVE-2021-47656: Vulnerability in Linux (vendor) / Linux (product)

Severity: High
Published: Wed Feb 26 2025 (02/26/2025, 01:54:20 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

jffs2: fix use-after-free in jffs2_clear_xattr_subsystem

When we mount a jffs2 image, assume that the first few blocks of the image are normal and contain at least one xattr-related inode, but the next block is abnormal. As a result, an error is returned in jffs2_scan_eraseblock(). jffs2_clear_xattr_subsystem() is then called in jffs2_build_filesystem() and then again in jffs2_do_fill_super(). Finally we can observe the following report:

==================================================================
BUG: KASAN: use-after-free in jffs2_clear_xattr_subsystem+0x95/0x6ac
Read of size 8 at addr ffff8881243384e0 by task mount/719

Call Trace:
 dump_stack+0x115/0x16b
 jffs2_clear_xattr_subsystem+0x95/0x6ac
 jffs2_do_fill_super+0x84f/0xc30
 jffs2_fill_super+0x2ea/0x4c0
 mtd_get_sb+0x254/0x400
 mtd_get_sb_by_nr+0x4f/0xd0
 get_tree_mtd+0x498/0x840
 jffs2_get_tree+0x25/0x30
 vfs_get_tree+0x8d/0x2e0
 path_mount+0x50f/0x1e50
 do_mount+0x107/0x130
 __se_sys_mount+0x1c5/0x2f0
 __x64_sys_mount+0xc7/0x160
 do_syscall_64+0x45/0x70
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Allocated by task 719:
 kasan_save_stack+0x23/0x60
 __kasan_kmalloc.constprop.0+0x10b/0x120
 kasan_slab_alloc+0x12/0x20
 kmem_cache_alloc+0x1c0/0x870
 jffs2_alloc_xattr_ref+0x2f/0xa0
 jffs2_scan_medium.cold+0x3713/0x4794
 jffs2_do_mount_fs.cold+0xa7/0x2253
 jffs2_do_fill_super+0x383/0xc30
 jffs2_fill_super+0x2ea/0x4c0
 [...]

Freed by task 719:
 kmem_cache_free+0xcc/0x7b0
 jffs2_free_xattr_ref+0x78/0x98
 jffs2_clear_xattr_subsystem+0xa1/0x6ac
 jffs2_do_mount_fs.cold+0x5e6/0x2253
 jffs2_do_fill_super+0x383/0xc30
 jffs2_fill_super+0x2ea/0x4c0
 [...]

The buggy address belongs to the object at ffff8881243384b8
 which belongs to the cache jffs2_xattr_ref of size 48
The buggy address is located 40 bytes inside of
 48-byte region [ffff8881243384b8, ffff8881243384e8)
[...]
==================================================================

The triggering of the BUG is shown in the following stack:

-----------------------------------------------------------
jffs2_fill_super
  jffs2_do_fill_super
    jffs2_do_mount_fs
      jffs2_build_filesystem
        jffs2_scan_medium
          jffs2_scan_eraseblock        <--- ERROR
        jffs2_clear_xattr_subsystem    <--- free
      jffs2_clear_xattr_subsystem      <--- free again
-----------------------------------------------------------

An error is returned in jffs2_do_mount_fs(). If the error is returned by jffs2_sum_init(), the jffs2_clear_xattr_subsystem() does not need to be executed. If the error is returned by jffs2_build_filesystem(), the jffs2_clear_xattr_subsystem() also does not need to be executed again. So move jffs2_clear_xattr_subsystem() from 'out_inohash' to 'out_root' to fix this UAF problem.
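A defender-side helper, added here and not part of the advisory or of the kernel patch, that parses a KASAN report of the shape quoted above into its bug type, faulting function, accessing task and per-section stacks, and flags the double-cleanup signature this CVE shows: the function that faults is itself on the "Freed by" stack. The sample input is the report from the description, cut down to a few frames per section; the function names and offsets are the page's own.

```python
import re

# Sample input: the KASAN report quoted in the CVE description above, cut down
# to a few frames per section; the shape is the one the kernel prints.
SAMPLE_REPORT = """\
BUG: KASAN: use-after-free in jffs2_clear_xattr_subsystem+0x95/0x6ac
Read of size 8 at addr ffff8881243384e0 by task mount/719
Call Trace:
 dump_stack+0x115/0x16b
 jffs2_clear_xattr_subsystem+0x95/0x6ac
 jffs2_do_fill_super+0x84f/0xc30
Allocated by task 719:
 jffs2_alloc_xattr_ref+0x2f/0xa0
 jffs2_scan_medium.cold+0x3713/0x4794
Freed by task 719:
 jffs2_free_xattr_ref+0x78/0x98
 jffs2_clear_xattr_subsystem+0xa1/0x6ac
 jffs2_do_mount_fs.cold+0x5e6/0x2253
"""

HEADER_RE = re.compile(r"^BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+")
ACCESS_RE = re.compile(r"^(?P<op>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+)"
                       r" by task (?P<task>\S+)/(?P<pid>\d+)")
FRAME_RE = re.compile(r"^\s+(?P<func>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")


def parse_kasan(text):
    """Return {kind, func, op, size, addr, task, pid, stacks} for one KASAN report;
    'stacks' maps each section header ("Call Trace", "Freed by task 719", ...) to
    its list of function names, with .cold/.isra/.constprop suffixes dropped."""
    lines = text.splitlines()
    head, access = HEADER_RE.match(lines[0]), ACCESS_RE.match(lines[1])
    if not head or not access:
        raise ValueError("not a KASAN report header")
    rep = {**head.groupdict(), **access.groupdict(), "stacks": {}}
    rep["size"], rep["pid"] = int(rep["size"]), int(rep["pid"])
    section = None
    for line in lines[2:]:
        if line.endswith(":") and not line.startswith(" "):
            section = line[:-1]          # new stack section starts here
            rep["stacks"][section] = []
        elif section and (m := FRAME_RE.match(line)):
            rep["stacks"][section].append(m["func"].split(".")[0])
    return rep


def double_cleanup_suspect(rep):
    """True when the faulting function also appears on the 'Freed by' stack, i.e. the
    same cleanup routine freed the object earlier and is now reading it again."""
    freed = [f for name, frames in rep["stacks"].items() if name.startswith("Freed by") for f in frames]
    return rep["kind"] == "use-after-free" and rep["func"] in freed
```

Fed the full report from dmesg, the same parser yields the complete stacks; the suspect check is what mitigation item 5 below means by kernel errors indicative of this bug.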

AI-Powered Analysis

Last updated: 07/03/2025, 05:39:53 UTC

Technical Analysis

CVE-2021-47656 is a high-severity use-after-free (UAF) vulnerability in the Linux kernel's JFFS2 (Journalling Flash File System version 2) implementation. The flaw arises while a JFFS2 filesystem image is being mounted. If the initial blocks of the image are well formed and contain at least one extended attribute (xattr)-related inode, but a later block is malformed, jffs2_scan_eraseblock() returns an error. On that error path jffs2_clear_xattr_subsystem() is called twice: once from jffs2_build_filesystem() and again from jffs2_do_fill_super(). The second call walks xattr reference objects that the first call already freed, so freed kernel memory is read again, which the Kernel Address Sanitizer (KASAN) reports as a use-after-free BUG.

The root cause is the sequencing of error-handling cleanup in the JFFS2 mount code: jffs2_clear_xattr_subsystem() is reached redundantly after an error return, giving a double free followed by a use-after-free. The fix moves the call from the 'out_inohash' error label to the 'out_root' label so that it runs only once. The vulnerability is tracked under CWE-416 (Use After Free) and has a CVSS v3.1 base score of 7.8 (high). Exploitation requires local access, low attack complexity, no user interaction, and low privileges (PR:L). Successful exploitation could fully compromise the confidentiality, integrity, and availability of the affected system through kernel memory corruption. No known exploits are currently reported in the wild. The affected versions correspond to specific Linux kernel commits prior to the patch.

This vulnerability is relevant to systems using JFFS2, which is commonly found in embedded devices and systems with raw flash storage. It could be triggered by mounting a crafted JFFS2 image, potentially leading to privilege escalation or denial of service via a kernel crash.

Potential Impact

For European organizations, the impact of CVE-2021-47656 depends largely on the deployment of Linux-based embedded systems or devices using JFFS2 filesystems. Many industrial control systems, IoT devices, routers, and embedded appliances in sectors such as manufacturing, telecommunications, and critical infrastructure may rely on Linux kernels with JFFS2 support. Exploitation could allow an attacker with local access to execute arbitrary code in kernel space, escalate privileges, or cause system crashes leading to denial of service. This poses significant risks to operational continuity, data confidentiality, and system integrity. In critical sectors like energy, transportation, and healthcare, such disruptions could have cascading effects on safety and service availability. Additionally, the vulnerability could be leveraged as a stepping stone for lateral movement within networks if attackers gain initial footholds on vulnerable devices. Although exploitation requires local privileges, compromised devices in distributed environments could be targeted by insiders or malware that gains local access. The lack of known exploits in the wild suggests limited immediate threat, but the high severity and kernel-level impact necessitate proactive mitigation to prevent future attacks. Organizations relying on embedded Linux devices or custom Linux distributions should assess their exposure and patch accordingly to maintain security posture.

Mitigation Recommendations

1. Apply official Linux kernel patches that address CVE-2021-47656 as soon as they become available from trusted sources or Linux distribution vendors.
2. For embedded devices or custom Linux builds, rebuild kernels with the patched JFFS2 code to eliminate the vulnerability.
3. Audit and inventory all devices and systems using JFFS2 filesystems to identify potentially vulnerable endpoints.
4. Restrict local access to systems running vulnerable kernels to trusted personnel only, minimizing the risk of local exploitation.
5. Implement strict access controls and monitoring on devices with JFFS2 to detect suspicious mount operations or kernel errors indicative of exploitation attempts.
6. Where possible, consider migrating from JFFS2 to more modern and actively maintained filesystems that do not exhibit this vulnerability.
7. Employ kernel hardening techniques such as Kernel Address Space Layout Randomization (KASLR), SELinux/AppArmor policies, and seccomp filters to reduce exploitation impact.
8. Regularly update and patch embedded device firmware and Linux kernels to incorporate security fixes.
9. For critical infrastructure, implement network segmentation to isolate vulnerable embedded devices and limit the attack surface.
10. Conduct penetration testing and vulnerability assessments focusing on embedded Linux devices to validate mitigations.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2025-02-26T01:48:21.521Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d9834c4522896dcbe96a7

Added to database: 5/21/2025, 9:09:08 AM

Last enriched: 7/3/2025, 5:39:53 AM

Last updated: 7/31/2025, 11:03:55 PM
