Cyber Resilience

CVE-2021-47633

Severity: High
Published: 26 February 2025
Modified: 23 September 2025
CVSS v3.1 score: 7.1 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H)
EPSS score: 0.0001 (1.3th percentile)
Risk priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2021-47633 is a high-severity vulnerability in the Linux kernel (vendor Linux, product Linux Kernel), classified as Out-of-bounds Read (CWE-125). Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 1.3th percentile by exploit likelihood (well below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2021-47633 is an out-of-bounds write vulnerability in the Linux kernel's ath5k driver, specifically in the ath5k_eeprom_read_pcal_info_5111 function. The issue occurs when no power detector (PD) curve is selected in a loop, causing the index idx to reach AR5K_EEPROM_N_PD_CURVES, which results in an out-of-bounds access to pd = &chinfo[pier].pd_curves[idx]. Subsequent code performs multiple out-of-bounds writes using this pointer. The vulnerability was identified through fuzzing and confirmed by KASAN during module loading with modprobe on kernel version 5.6.0.

A local attacker with low privileges can exploit this vulnerability with low attack complexity and no user interaction required. It triggers during ath5k driver initialization, such as when probing a compatible PCI device. Successful exploitation leads to high-impact confidentiality loss through information disclosure and high-impact availability disruption, potentially via memory corruption or a kernel crash, as indicated by the CVSS 3.1 score of 7.1 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H). The issue is classified as CWE-125 (Out-of-bounds Read), although the kernel commit message and the KASAN report describe out-of-bounds writes.

Mitigation involves applying the upstream kernel patches referenced in the stable commit links, which add a sanity check on the idx value before the pointer into pd_curves is formed. These patches resolve the issue in ath5k_eeprom_convert_pcal_info_5111 without requiring changes to the other loops that use AR5K_EEPROM_N_PD_CURVES, because in those loops the index is not used after the loop exits.

The vulnerability was discovered via fuzzing, with KASAN reporting a slab-out-of-bounds write during modprobe of the ath5k module. The fix patch was not tested on real hardware. No real-world exploitation has been reported.
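The following C model, added here as an illustration and not code from the ath5k driver or the upstream fix, shows the loop shape the analysis describes (a search loop that falls through with idx equal to the array size when nothing matches) next to the index check the fix adds. The struct layouts, the field names pd_mask and pd_pwr, the sample values, and the value 4 for AR5K_EEPROM_N_PD_CURVES are assumptions made for this example.

```c
/* Added example, not ath5k code: model of the "search loop runs off the end"
 * bug behind CVE-2021-47633 plus the idx sanity check the fix adds. Struct
 * layouts, pd_mask/pd_pwr and the constant's value are assumptions. */
#include <stdint.h>

#define AR5K_EEPROM_N_PD_CURVES 4  /* curve slots per pier; value assumed */

struct pd_curve { uint8_t pd_points; uint8_t pd_pwr[4]; };
struct chan_pcal_info {
    uint8_t pd_mask;  /* EEPROM-derived: bit i set => curve i is selected */
    struct pd_curve pd_curves[AR5K_EEPROM_N_PD_CURVES];
};

/* The loop the advisory describes: with no bit of pd_mask set it falls through
 * with idx == AR5K_EEPROM_N_PD_CURVES, so &pd_curves[idx] is one past the end. */
static unsigned int select_curve(const struct chan_pcal_info *chinfo)
{
    unsigned int idx;
    for (idx = 0; idx < AR5K_EEPROM_N_PD_CURVES; idx++)
        if (chinfo->pd_mask & (1u << idx))
            break;
    return idx;  /* unchecked: may equal AR5K_EEPROM_N_PD_CURVES */
}

/* Hardened path: reject the pier before the pointer is formed. Returns 0 on
 * success, -1 (standing in for the kernel's error code) when rejected. */
static int convert_pcal_checked(struct chan_pcal_info *chinfo, uint8_t pwr)
{
    unsigned int idx = select_curve(chinfo);
    struct pd_curve *pd;
    if (idx >= AR5K_EEPROM_N_PD_CURVES)  /* the sanity check the fix adds */
        return -1;
    pd = &chinfo->pd_curves[idx];
    pd->pd_points = 1;       /* sample converted data */
    pd->pd_pwr[0] = pwr;
    return 0;
}

/* Runs one pier with a given EEPROM mask and returns the convert result;
 * last_idx / last_pwr expose what the loop chose and what was written. */
static unsigned int last_idx;
static uint8_t last_pwr;
static int run_pier(uint8_t pd_mask)
{
    struct chan_pcal_info chinfo = { .pd_mask = pd_mask };  /* rest zeroed */
    int rc = convert_pcal_checked(&chinfo, 0x2a);
    last_idx = select_curve(&chinfo);
    last_pwr = rc == 0 ? chinfo.pd_curves[last_idx].pd_pwr[0] : 0;
    return rc;
}
```

A mask of 0 reproduces the failing case: select_curve returns 4, and without the check the pointer would sit one element past pd_curves, which is where the writes that KASAN flagged would land.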

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved:

ath5k: fix OOB in ath5k_eeprom_read_pcal_info_5111

The bug was found during fuzzing. The stack trace locates it in ath5k_eeprom_convert_pcal_info_5111. When none of the curves is selected in the loop, idx can go up to AR5K_EEPROM_N_PD_CURVES. The following line makes pd out of bounds:

pd = &chinfo[pier].pd_curves[idx];

There are many OOB writes using pd later in the code. So I added a sanity check for idx. Checks for other loops involving AR5K_EEPROM_N_PD_CURVES are not needed as the loop index is not used outside the loops.

The patch is NOT tested with a real device.

The following is the fuzzing report:

BUG: KASAN: slab-out-of-bounds in ath5k_eeprom_read_pcal_info_5111+0x126a/0x1390 [ath5k]
Write of size 1 at addr ffff8880174a4d60 by task modprobe/214
CPU: 0 PID: 214 Comm: modprobe Not tainted 5.6.0 #1
Call Trace:
 dump_stack+0x76/0xa0
 print_address_description.constprop.0+0x16/0x200
 ? ath5k_eeprom_read_pcal_info_5111+0x126a/0x1390 [ath5k]
 ? ath5k_eeprom_read_pcal_info_5111+0x126a/0x1390 [ath5k]
 __kasan_report.cold+0x37/0x7c
 ? ath5k_eeprom_read_pcal_info_5111+0x126a/0x1390 [ath5k]
 kasan_report+0xe/0x20
 ath5k_eeprom_read_pcal_info_5111+0x126a/0x1390 [ath5k]
 ? apic_timer_interrupt+0xa/0x20
 ? ath5k_eeprom_init_11a_pcal_freq+0xbc0/0xbc0 [ath5k]
 ? ath5k_pci_eeprom_read+0x228/0x3c0 [ath5k]
 ath5k_eeprom_init+0x2513/0x6290 [ath5k]
 ? ath5k_eeprom_init_11a_pcal_freq+0xbc0/0xbc0 [ath5k]
 ? usleep_range+0xb8/0x100
 ? apic_timer_interrupt+0xa/0x20
 ? ath5k_eeprom_read_pcal_info_2413+0x2f20/0x2f20 [ath5k]
 ath5k_hw_init+0xb60/0x1970 [ath5k]
 ath5k_init_ah+0x6fe/0x2530 [ath5k]
 ? kasprintf+0xa6/0xe0
 ? ath5k_stop+0x140/0x140 [ath5k]
 ? _dev_notice+0xf6/0xf6
 ? apic_timer_interrupt+0xa/0x20
 ath5k_pci_probe.cold+0x29a/0x3d6 [ath5k]
 ? ath5k_pci_eeprom_read+0x3c0/0x3c0 [ath5k]
 ? mutex_lock+0x89/0xd0
 ? ath5k_pci_eeprom_read+0x3c0/0x3c0 [ath5k]
 local_pci_probe+0xd3/0x160
 pci_device_probe+0x23f/0x3e0
 ? pci_device_remove+0x280/0x280
 ? pci_device_remove+0x280/0x280
 really_probe+0x209/0x5d0

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

OOB write in kernel driver enables local memory corruption for privilege escalation (T1068) during module load/probe.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

Affected Assets

linux (vendor) / linux kernel (product): versions 2.6.30 through 4.9.311, 4.10 through 4.14.276, and 4.15 through 4.19.238

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

SI-2 Flaw Remediation (prevent): Directly mitigates the OOB write vulnerability by requiring timely remediation through kernel patches that add sanity checks on the pd_curves index in ath5k_eeprom_read_pcal_info_5111.

SI-10 Information Input Validation (prevent): Addresses the root cause by enforcing validation of indices derived from EEPROM data during ath5k driver initialization to prevent out-of-bounds array access.

Kernel memory protection (control identifier not given; prevent): Provides kernel memory protections such as stack canaries and address randomization to mitigate exploitation impacts like corruption or crashes from the OOB write.
