CVE-2021-47636
Published: 26 February 2025
Summary
CVE-2021-47636 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Linux Linux Kernel. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Credential Access (T1212); ranked at the 3.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Deeper analysis
CVE-2021-47636 is an out-of-bounds read vulnerability in the Linux kernel's UBIFS (Unsorted Block Images File System) implementation, specifically within the ubifs_wbuf_write_nolock() function. This function can access the input buffer beyond its allocated bounds when handling unaligned lengths during write operations to LEBs (Logical Erase Blocks). For example, if the input length is 4089 bytes, it gets aligned to 4096 bytes, but after partially filling the write buffer and subtracting the used amount, subsequent calls to ubifs_leb_write() may read up to 8 bytes past the buffer's end. The issue was detected by KASAN during kernel writeback operations involving NAND flash pages with software ECC.
A local attacker with low privileges can exploit this vulnerability with low complexity and no user interaction required. Exploitation occurs during UBIFS journal writes, such as ubifs_jnl_write_inode(), triggered by normal filesystem operations like inode updates in a writeback workqueue. Successful exploitation leads to high-impact confidentiality violations through out-of-bounds reads of adjacent slab memory and high availability impact via kernel crashes, but without integrity effects.
Mitigation involves applying upstream kernel patches from the provided stable branch commits, such as 07a209fadee7b53b46858538e1177597273862e4, 3b7fb89135a20587d57f8877c02e25003e9edbdf, 4f2262a334641e05f645364d5ade1f565c85f20b, 5343575aa11c5d7044107d59d43f84aec01312b0, and a7054aaf1909cf40489c0ec1b728fdcf79c751a6. These fixes ensure ubifs_wbuf_write_nolock() properly handles unaligned lengths without exceeding buffer bounds during LEB writes. Systems using UBIFS on NAND storage should update to patched kernel versions.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-34668
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved: ubifs: Fix read out-of-bounds in ubifs_wbuf_write_nolock() Function ubifs_wbuf_write_nolock() may access buf out of bounds in following process: ubifs_wbuf_write_nolock(): aligned_len = ALIGN(len, 8); // Assume len = 4089, aligned_len = 4096…
more
if (aligned_len <= wbuf->avail) ... // Not satisfy if (wbuf->used) { ubifs_leb_write() // Fill some data in avail wbuf len -= wbuf->avail; // len is still not 8-bytes aligned aligned_len -= wbuf->avail; } n = aligned_len >> c->max_write_shift; if (n) { n <<= c->max_write_shift; err = ubifs_leb_write(c, wbuf->lnum, buf + written, wbuf->offs, n); // n > len, read out of bounds less than 8(n-len) bytes } , which can be catched by KASAN: ========================================================= BUG: KASAN: slab-out-of-bounds in ecc_sw_hamming_calculate+0x1dc/0x7d0 Read of size 4 at addr ffff888105594ff8 by task kworker/u8:4/128 Workqueue: writeback wb_workfn (flush-ubifs_0_0) Call Trace: kasan_report.cold+0x81/0x165 nand_write_page_swecc+0xa9/0x160 ubifs_leb_write+0xf2/0x1b0 [ubifs] ubifs_wbuf_write_nolock+0x421/0x12c0 [ubifs] write_head+0xdc/0x1c0 [ubifs] ubifs_jnl_write_inode+0x627/0x960 [ubifs] wb_workfn+0x8af/0xb80 Function ubifs_wbuf_write_nolock() accepts that parameter 'len' is not 8 bytes aligned, the 'len' represents the true length of buf (which is allocated in 'ubifs_jnl_xxx', eg. ubifs_jnl_write_inode), so ubifs_wbuf_write_nolock() must handle the length read from 'buf' carefully to write leb safely. Fetch a reproducer in [Link].
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Local kernel OOB read enables credential access via memory disclosure and system DoS via kernel crash during UBIFS operations.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly remediates the out-of-bounds read vulnerability in UBIFS by requiring timely application of Linux kernel patches that fix improper buffer length alignment in ubifs_wbuf_write_nolock().
Implements runtime memory protections such as kernel address space layout randomization and slab allocators to mitigate exploitation of the UBIFS out-of-bounds read accessing adjacent slab memory.
Enables vulnerability scanning to identify unpatched Linux kernel instances vulnerable to CVE-2021-47636 in UBIFS, triggering remediation processes.