Cyber Resilience

CVE-2021-47636

High

Published: 26 February 2025

Modified: 01 October 2025
KEV Added
Patch
CVSS Score v3.1: 7.1 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H)
EPSS Score: 0.0001 (3.1th percentile)
Risk Priority: 14 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2021-47636 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in the Linux kernel. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Credential Access (T1212). The CVE ranks at the 3.1th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Deeper analysis

CVE-2021-47636 is an out-of-bounds read vulnerability in the Linux kernel's UBIFS (Unsorted Block Images File System) implementation, specifically within the ubifs_wbuf_write_nolock() function. This function can access the input buffer beyond its allocated bounds when handling unaligned lengths during write operations to LEBs (Logical Erase Blocks). For example, if the input length is 4089 bytes, it gets aligned to 4096 bytes, but after partially filling the write buffer and subtracting the used amount, subsequent calls to ubifs_leb_write() may read up to 8 bytes past the buffer's end. The issue was detected by KASAN during kernel writeback operations involving NAND flash pages with software ECC.

A local attacker with low privileges can exploit this vulnerability with low complexity and no user interaction required. Exploitation occurs during UBIFS journal writes, such as ubifs_jnl_write_inode(), triggered by normal filesystem operations like inode updates in a writeback workqueue. Successful exploitation leads to high-impact confidentiality violations through out-of-bounds reads of adjacent slab memory and high availability impact via kernel crashes, but without integrity effects.

Mitigation involves applying upstream kernel patches from the provided stable branch commits, such as 07a209fadee7b53b46858538e1177597273862e4, 3b7fb89135a20587d57f8877c02e25003e9edbdf, 4f2262a334641e05f645364d5ade1f565c85f20b, 5343575aa11c5d7044107d59d43f84aec01312b0, and a7054aaf1909cf40489c0ec1b728fdcf79c751a6. These fixes ensure ubifs_wbuf_write_nolock() properly handles unaligned lengths without exceeding buffer bounds during LEB writes. Systems using UBIFS on NAND storage should update to patched kernel versions.

EU & UK References

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved:

ubifs: Fix read out-of-bounds in ubifs_wbuf_write_nolock()

Function ubifs_wbuf_write_nolock() may access buf out of bounds in following process:

    ubifs_wbuf_write_nolock():
      aligned_len = ALIGN(len, 8);   // Assume len = 4089, aligned_len = 4096
      if (aligned_len <= wbuf->avail) ... // Not satisfy
      if (wbuf->used) {
        ubifs_leb_write()  // Fill some data in avail wbuf
        len -= wbuf->avail;   // len is still not 8-bytes aligned
        aligned_len -= wbuf->avail;
      }
      n = aligned_len >> c->max_write_shift;
      if (n) {
        n <<= c->max_write_shift;
        err = ubifs_leb_write(c, wbuf->lnum, buf + written, wbuf->offs, n);
        // n > len, read out of bounds less than 8(n-len) bytes
      }

, which can be caught by KASAN:

    =========================================================
    BUG: KASAN: slab-out-of-bounds in ecc_sw_hamming_calculate+0x1dc/0x7d0
    Read of size 4 at addr ffff888105594ff8 by task kworker/u8:4/128
    Workqueue: writeback wb_workfn (flush-ubifs_0_0)
    Call Trace:
      kasan_report.cold+0x81/0x165
      nand_write_page_swecc+0xa9/0x160
      ubifs_leb_write+0xf2/0x1b0 [ubifs]
      ubifs_wbuf_write_nolock+0x421/0x12c0 [ubifs]
      write_head+0xdc/0x1c0 [ubifs]
      ubifs_jnl_write_inode+0x627/0x960 [ubifs]
      wb_workfn+0x8af/0xb80

Function ubifs_wbuf_write_nolock() accepts that parameter 'len' is not 8 bytes aligned, the 'len' represents the true length of buf (which is allocated in 'ubifs_jnl_xxx', eg. ubifs_jnl_write_inode), so ubifs_wbuf_write_nolock() must handle the length read from 'buf' carefully to write leb safely. Fetch a reproducer in [Link].
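The length arithmetic described above can be checked in user space. The following is an added example, not kernel code and not the upstream patch: it models only the byte counts from the pseudo-code, and the function names, the 2048-byte write unit (max_write_shift = 11) and the staged variant are assumptions made for illustration.

```c
#include <stdio.h>

#define ALIGN8(x) (((x) + 7) & ~7)

/* Bytes read past the end of buf when full pages are written straight
 * from buf, following the page's pseudo-code. Units are bytes. */
static int overread_direct(int len, int used, int avail, int shift)
{
    int aligned_len = ALIGN8(len);
    if (aligned_len <= avail)
        return 0;                 /* fits in wbuf: only len bytes copied */
    if (used) {                   /* top up the partly filled wbuf first */
        len -= avail;             /* len stays unaligned */
        aligned_len -= avail;
    }
    int n = (aligned_len >> shift) << shift;   /* whole pages to write */
    return n > len ? n - len : 0;
}

/* Bounded variant (assumption, not the upstream patch): all pages but the
 * last come straight from buf; the last is staged, copying only what buf
 * still holds and padding the rest. *pad receives the padding byte count. */
static int overread_staged(int len, int used, int avail, int shift, int *pad)
{
    int aligned_len = ALIGN8(len), page = 1 << shift;
    *pad = 0;
    if (aligned_len <= avail)
        return 0;
    if (used) {
        len -= avail;
        aligned_len -= avail;
    }
    int n = aligned_len >> shift;
    if (!n)
        return 0;
    int direct = (n - 1) << shift;            /* always < len */
    int copy = len - direct < page ? len - direct : page;
    *pad = page - copy;
    return direct + copy > len ? direct + copy - len : 0;
}

int main(void)
{
    int pad;
    printf("direct: %d bytes over\n", overread_direct(4089, 0, 2048, 11));
    printf("staged: %d bytes over, ", overread_staged(4089, 0, 2048, 11, &pad));
    printf("%d pad bytes\n", pad);
    return 0;
}
```

With len = 4089 the direct path reads 7 bytes beyond buf, which matches the "less than 8 bytes" bound in the description; the staged path reads none and pads 7 bytes instead.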

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1212 Exploitation for Credential Access (Tactic: Credential Access)
Adversaries may exploit software vulnerabilities in an attempt to collect credentials.

T1499.004 Application or System Exploitation (Tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

Why these techniques?

Local kernel OOB read enables credential access via memory disclosure and system DoS via kernel crash during UBIFS operations.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2022-49368 · Same product: Linux Linux Kernel
CVE-2025-21743 · Same product: Linux Linux Kernel
CVE-2022-49738 · Same product: Linux Linux Kernel
CVE-2026-31774 · Same product: Linux Linux Kernel
CVE-2026-23325 · Same product: Linux Linux Kernel
CVE-2025-21815 · Same product: Linux Linux Kernel
CVE-2026-31779 · Same product: Linux Linux Kernel
CVE-2026-43051 · Same product: Linux Linux Kernel
CVE-2026-23269 · Same product: Linux Linux Kernel
CVE-2022-49249 · Same product: Linux Linux Kernel

Affected Assets

linux
linux kernel
2.6.27 — 4.19.238 · 4.20 — 5.4.189 · 5.5 — 5.10.110

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly remediates the out-of-bounds read vulnerability in UBIFS by requiring timely application of Linux kernel patches that fix improper buffer length alignment in ubifs_wbuf_write_nolock().

prevent

Implements runtime memory protections such as kernel address space layout randomization and slab allocators to mitigate exploitation of the UBIFS out-of-bounds read accessing adjacent slab memory.

detect

Enables vulnerability scanning to identify unpatched Linux kernel instances vulnerable to CVE-2021-47636 in UBIFS, triggering remediation processes.

References