CVE-2021-47646
Published: 26 February 2025
Description
In the Linux kernel, the following vulnerability has been resolved: Revert "Revert "block, bfq: honor already-setup queue merges"" A crash [1] happened to be triggered in conjunction with commit 2d52c58b9c9b ("block, bfq: honor already-setup queue merges"). The latter was then reverted by commit ebc69e897e17 ("Revert "block, bfq: honor already-setup queue merges""). Yet, the reverted commit was not the one introducing the bug. In fact, it actually triggered a UAF introduced by a different commit, and now fixed by commit d29bd41428cf ("block, bfq: reset last_bfqq_created on group change"). So, there is no point in keeping commit 2d52c58b9c9b ("block, bfq: honor already-setup queue merges") out. This commit restores it. [1] https://bugzilla.kernel.org/show_bug.cgi?id=214503
Security Summary
CVE-2021-47646 is a Use-After-Free (CWE-416) vulnerability in the Linux kernel's BFQ I/O scheduler within the block layer. The issue stems from a use-after-free condition introduced by an earlier commit and triggered in conjunction with commit 2d52c58b9c9b ("block, bfq: honor already-setup queue merges"). This led to a crash reported in Bugzilla (ID 214503), prompting a temporary revert via commit ebc69e897e17, which has now itself been reverted to restore the original commit while addressing the root cause through commit d29bd41428cf ("block, bfq: reset last_bfqq_created on group change").
A local attacker with low privileges (AV:L/AC:L/PR:L) can exploit this vulnerability without user interaction (UI:N), and the impact stays within the vulnerable component's scope (S:U). Successful exploitation could result in high-impact confidentiality, integrity, and availability violations (C:H/I:H/A:H), with a CVSS v3.1 base score of 7.8. The UAF may enable kernel memory corruption, potentially leading to privilege escalation, denial of service via crashes, or arbitrary code execution.
Mitigation requires updating to patched Linux kernel stable versions incorporating the relevant commits, such as 15729ff8143f8135b03988a100a19e66d7cb7ecd, 4083925bd6dc89216d156474a8076feec904e607, 65d8a737452e88f251fe5d925371de6d606df613, 931aff627469a75c77b9fd3823146d0575afffd6, and abc2129e646af7b43025d90a071f83043f1ae76c, available via kernel.org stable trees. The vulnerability was publicly disclosed on 2025-02-26 following the crash report.
Details
- CWE(s)