CVE-2021-47640
Published: 26 February 2025
Summary
CVE-2021-47640 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE is ranked at the 5.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2021-47640 is a vulnerability in the Linux kernel's powerpc/kasan component, where the shadow page table is not correctly updated during early boot when PTE_RPN_SHIFT is 24 and PAGE_SHIFT is 12. This issue affects Kernel Address Sanitizer (KASAN) functionality on powerpc architectures, leading to both false positives and false negatives in memory error detection. False positives trigger erroneous KASAN reports, such as out-of-bounds writes during per-CPU allocator initialization (e.g., in pcpu_alloc), potentially causing kernel BUG panics. False negatives fail to detect actual out-of-bounds accesses, as demonstrated in KASAN tests like vmalloc_oob.
A local attacker with low privileges (AV:L/AC:L/PR:L/UI:N) can exploit this vulnerability, achieving high impacts on confidentiality, integrity, and availability (CVSS 3.1 score of 7.8, CWE-787: Out-of-bounds Write). On affected powerpc systems with KASAN enabled, an attacker could leverage false negatives to bypass memory safety checks, enabling undetected memory corruption, or induce false positives to trigger denial-of-service via kernel crashes during early initialization tasks like slab cache creation.
Mitigation requires applying upstream kernel patches from stable repositories, such as commits 5a3d8f3192a409893c57808cc935e16484df1068, 7f19245c3647afea8c7c41f795506ef70f64b9f2, dd75080aa8409ce10d50fb58981c6b59bf8707d3, de56beace6648065d404cd9835aa7d30e3df519d, and e3d157a4b4f4e0268c98be5b7013bf4b31234bb6. These fixes align the early shadow page entry logic with corrected KASAN handling, resolving both false positive reports and test failures. Security practitioners should prioritize updating powerpc kernels with KASAN in production environments.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-34664
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved:

powerpc/kasan: Fix early region not updated correctly

The shadow's page table is not updated when PTE_RPN_SHIFT is 24 and PAGE_SHIFT is 12. It not only causes false positives but also false negatives as shown in the following text. Fix it by bringing the logic of kasan_early_shadow_page_entry here.

1. False Positive:
==================================================================
BUG: KASAN: vmalloc-out-of-bounds in pcpu_alloc+0x508/0xa50
Write of size 16 at addr f57f3be0 by task swapper/0/1

CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.15.0-12267-gdebe436e77c7 #1
Call Trace:
[c80d1c20] [c07fe7b8] dump_stack_lvl+0x4c/0x6c (unreliable)
[c80d1c40] [c02ff668] print_address_description.constprop.0+0x88/0x300
[c80d1c70] [c02ff45c] kasan_report+0x1ec/0x200
[c80d1cb0] [c0300b20] kasan_check_range+0x160/0x2f0
[c80d1cc0] [c03018a4] memset+0x34/0x90
[c80d1ce0] [c0280108] pcpu_alloc+0x508/0xa50
[c80d1d40] [c02fd7bc] __kmem_cache_create+0xfc/0x570
[c80d1d70] [c0283d64] kmem_cache_create_usercopy+0x274/0x3e0
[c80d1db0] [c2036580] init_sd+0xc4/0x1d0
[c80d1de0] [c00044a0] do_one_initcall+0xc0/0x33c
[c80d1eb0] [c2001624] kernel_init_freeable+0x2c8/0x384
[c80d1ef0] [c0004b14] kernel_init+0x24/0x170
[c80d1f10] [c001b26c] ret_from_kernel_thread+0x5c/0x64

Memory state around the buggy address:
 f57f3a80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
 f57f3b00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
>f57f3b80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
                                               ^
 f57f3c00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
 f57f3c80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
==================================================================

2. False Negative (with KASAN tests):
==================================================================
Before fix:
    ok 45 - kmalloc_double_kzfree
    # vmalloc_oob: EXPECTATION FAILED at lib/test_kasan.c:1039
    KASAN failure expected in "((volatile char *)area)[3100]", but none occurred
    not ok 46 - vmalloc_oob
    not ok 1 - kasan
==================================================================
After fix:
    ok 1 - kasan
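To triage a report like the one above, the added Python below (an example written for this page, not code from the kernel or the database) parses the access line and the "Memory state" rows, locates the shadow byte that covers each end of the faulting access and decodes it. It assumes generic KASAN's 8-byte granule, 16 shadow bytes per printed row, and the poison values defined in mm/kasan/kasan.h around v5.15; the embedded report excerpt is copied from the advisory text above.

```python
import re

# Poison values for generic KASAN (mm/kasan/kasan.h, v5.15 era); 0x01..0x07
# mean only the first N bytes of the 8-byte granule are accessible.
SHADOW_MEANING = {
    0x00: "fully accessible",
    0xF8: "KASAN_VMALLOC_INVALID (unallocated vmalloc space)",
    0xFB: "KASAN_KMALLOC_FREE (freed kmalloc object)",
    0xFC: "KASAN_KMALLOC_REDZONE (kmalloc redzone)",
    0xFE: "KASAN_PAGE_REDZONE (page redzone)",
    0xFF: "KASAN_FREE_PAGE (freed page)",
}
GRANULE = 8                # bytes of memory per shadow byte (scale shift 3)
ROW_BYTES = 16 * GRANULE   # one "Memory state" row shows 16 shadow bytes

# Excerpt of the false-positive report quoted in the advisory.
SAMPLE_REPORT = """\
BUG: KASAN: vmalloc-out-of-bounds in pcpu_alloc+0x508/0xa50
Write of size 16 at addr f57f3be0 by task swapper/0/1
Memory state around the buggy address:
 f57f3b00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
>f57f3b80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
                                               ^
 f57f3c00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
"""

def describe_shadow(value):
    if 1 <= value <= 7:
        return f"partially accessible (first {value} bytes of the granule)"
    return SHADOW_MEANING.get(value, "unknown/other poison value")

def parse_report(text):
    """Return ((kind, size, addr), {row_base_addr: [16 shadow bytes]})."""
    m = re.search(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+)", text)
    access = (m.group(1), int(m.group(2)), int(m.group(3), 16))
    rows = {}
    for line in text.splitlines():
        r = re.match(r"\s*>?\s*([0-9a-f]+):((?:\s+[0-9a-f]{2}){16})\s*$", line)
        if r:  # row address is the memory address the first shadow byte covers
            rows[int(r.group(1), 16)] = [int(b, 16) for b in r.group(2).split()]
    return access, rows

def shadow_for_access(text):
    """Decode the shadow byte covering the first and last byte of the access."""
    (_, size, addr), rows = parse_report(text)
    out = []
    for a in (addr, addr + size - 1):
        base = a - (a % ROW_BYTES)
        value = rows[base][(a - base) // GRANULE]
        out.append((hex(a), value, describe_shadow(value)))
    return out

if __name__ == "__main__":
    for a, v, meaning in shadow_for_access(SAMPLE_REPORT):
        print(f"{a}: shadow 0x{v:02x} -> {meaning}")
```

A 0xf8 under a range that pcpu_alloc legitimately owns is exactly what a stale early shadow mapping looks like: the shadow still says "unallocated vmalloc space" because the page-table update the commit fixes never took effect.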
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
False negatives in KASAN enable undetected kernel memory corruption leading to privilege escalation; false positives trigger kernel panics for DoS.
Mitigating Controls (NIST 800-53 r5)
Timely flaw remediation requires patching the Linux kernel to fix incorrect KASAN shadow page table updates on powerpc, eliminating false positives causing kernel panics and false negatives enabling undetected corruption.
Least functionality prevents enabling unnecessary KASAN on production powerpc systems, avoiding the early boot shadow page table vulnerability entirely.
Vulnerability monitoring and scanning identifies powerpc kernels with enabled KASAN affected by CVE-2021-47640 for targeted remediation.