Cyber Resilience

CVE-2021-47640

Severity: High
Published: 26 February 2025
Modified: 01 October 2025
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0002 (5.6th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2021-47640 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 5.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2021-47640 is a vulnerability in the Linux kernel's powerpc/kasan component, where the shadow page table is not correctly updated during early boot when PTE_RPN_SHIFT is 24 and PAGE_SHIFT is 12. This issue affects Kernel Address Sanitizer (KASAN) functionality on powerpc architectures, leading to both false positives and false negatives in memory error detection. False positives trigger erroneous KASAN reports, such as out-of-bounds writes during per-CPU allocator initialization (e.g., in pcpu_alloc), potentially causing kernel BUG panics. False negatives fail to detect actual out-of-bounds accesses, as demonstrated in KASAN tests like vmalloc_oob.

A local attacker with low privileges (AV:L/AC:L/PR:L/UI:N) can exploit this vulnerability, achieving high impacts on confidentiality, integrity, and availability (CVSS 3.1 score of 7.8, CWE-787: Out-of-bounds Write). On affected powerpc systems with KASAN enabled, an attacker could leverage false negatives to bypass memory safety checks, enabling undetected memory corruption, or induce false positives to trigger denial-of-service via kernel crashes during early initialization tasks like slab cache creation.

Mitigation requires applying upstream kernel patches from stable repositories, such as commits 5a3d8f3192a409893c57808cc935e16484df1068, 7f19245c3647afea8c7c41f795506ef70f64b9f2, dd75080aa8409ce10d50fb58981c6b59bf8707d3, de56beace6648065d404cd9835aa7d30e3df519d, and e3d157a4b4f4e0268c98be5b7013bf4b31234bb6. These fixes align the early shadow page entry logic with corrected KASAN handling, resolving both false positive reports and test failures. Security practitioners should prioritize updating powerpc kernels with KASAN in production environments.

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved:

powerpc/kasan: Fix early region not updated correctly

The shadow's page table is not updated when PTE_RPN_SHIFT is 24 and PAGE_SHIFT is 12. It not only causes false positives but also false negatives, as shown in the following text.

Fix it by bringing the logic of kasan_early_shadow_page_entry here.

1. False Positive:

==================================================================
BUG: KASAN: vmalloc-out-of-bounds in pcpu_alloc+0x508/0xa50
Write of size 16 at addr f57f3be0 by task swapper/0/1

CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.15.0-12267-gdebe436e77c7 #1
Call Trace:
[c80d1c20] [c07fe7b8] dump_stack_lvl+0x4c/0x6c (unreliable)
[c80d1c40] [c02ff668] print_address_description.constprop.0+0x88/0x300
[c80d1c70] [c02ff45c] kasan_report+0x1ec/0x200
[c80d1cb0] [c0300b20] kasan_check_range+0x160/0x2f0
[c80d1cc0] [c03018a4] memset+0x34/0x90
[c80d1ce0] [c0280108] pcpu_alloc+0x508/0xa50
[c80d1d40] [c02fd7bc] __kmem_cache_create+0xfc/0x570
[c80d1d70] [c0283d64] kmem_cache_create_usercopy+0x274/0x3e0
[c80d1db0] [c2036580] init_sd+0xc4/0x1d0
[c80d1de0] [c00044a0] do_one_initcall+0xc0/0x33c
[c80d1eb0] [c2001624] kernel_init_freeable+0x2c8/0x384
[c80d1ef0] [c0004b14] kernel_init+0x24/0x170
[c80d1f10] [c001b26c] ret_from_kernel_thread+0x5c/0x64

Memory state around the buggy address:
 f57f3a80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
 f57f3b00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
>f57f3b80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
                                               ^
 f57f3c00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
 f57f3c80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
==================================================================

2. False Negative (with KASAN tests):

==================================================================
Before fix:
    ok 45 - kmalloc_double_kzfree
    # vmalloc_oob: EXPECTATION FAILED at lib/test_kasan.c:1039
    KASAN failure expected in "((volatile char *)area)[3100]", but none occurred
    not ok 46 - vmalloc_oob
    not ok 1 - kasan
==================================================================
After fix:
    ok 1 - kasan

Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (Tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

T1499.004 Application or System Exploitation (Tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

Why these techniques?

False negatives in KASAN enable undetected kernel memory corruption leading to privilege escalation; false positives trigger kernel panics for DoS.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-23194 (Same product: Linux Linux Kernel)
CVE-2026-31505 (Same product: Linux Linux Kernel)
CVE-2026-23323 (Same product: Linux Linux Kernel)
CVE-2026-23422 (Same product: Linux Linux Kernel)
CVE-2022-49645 (Same product: Linux Linux Kernel)
CVE-2022-49722 (Same product: Linux Linux Kernel)
CVE-2026-31698 (Same product: Linux Linux Kernel)
CVE-2025-71137 (Same product: Linux Linux Kernel)
CVE-2026-31772 (Same product: Linux Linux Kernel)
CVE-2022-49612 (Same product: Linux Linux Kernel)

Affected Assets

linux
linux kernel
5.4 — 5.4.189 · 5.5 — 5.10.110 · 5.11 — 5.15.33

Mitigating Controls (NIST 800-53 r5)

Prevent: Timely flaw remediation requires patching the Linux kernel to fix incorrect KASAN shadow page table updates on powerpc, eliminating false positives causing kernel panics and false negatives enabling undetected corruption.

Prevent: Least functionality prevents enabling unnecessary KASAN on production powerpc systems, avoiding the early boot shadow page table vulnerability entirely.

Detect: Vulnerability monitoring and scanning identifies powerpc kernels with enabled KASAN affected by CVE-2021-47640 for targeted remediation.
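
The detect control above can be scripted as a host triage check. The following is an added example, not part of the original advisory or the kernel project: it flags a host only when the architecture is powerpc, the kernel release falls in one of the ranges listed under Affected Assets, and the kernel config has CONFIG_KASAN=y. Assumptions: the function names are illustrative, the config is read from /boot/config-<release>, and the upper bound of each range is treated as inclusive because the page does not say otherwise.

```shell
#!/bin/sh
# Added example: triage a host for CVE-2021-47640 exposure conditions.
# Assumption: range upper bounds are inclusive (the page does not specify).
# Distro kernels may carry backported fixes, so "review" means "check the
# vendor advisory", not "confirmed vulnerable".

# ver_num "5.15.0-12267-gabc" -> 5015000 (major*10^6 + minor*10^3 + patch)
ver_num() {
    v=${1%%[!0-9.]*}                 # drop local suffix such as -12267-g...
    old_ifs=$IFS; IFS=.
    set -- $v
    IFS=$old_ifs
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# Ranges copied from the "Affected Assets" line of this page.
in_affected_range() {
    n=$(ver_num "$1")
    for r in "5.4 5.4.189" "5.5 5.10.110" "5.11 5.15.33"; do
        lo=$(ver_num "${r% *}")
        hi=$(ver_num "${r#* }")
        if [ "$n" -ge "$lo" ] && [ "$n" -le "$hi" ]; then return 0; fi
    done
    return 1
}

# True when the given kernel config file (plain or .gz) enables KASAN.
kasan_enabled() {
    case $1 in
        *.gz) zcat "$1" 2>/dev/null ;;
        *)    cat "$1" 2>/dev/null ;;
    esac | grep -q '^CONFIG_KASAN=y$'
}

# triage RELEASE ARCH CONFIG: returns 0 only if all three conditions hold.
triage() {
    case $2 in
        ppc*|powerpc*) ;;
        *) echo "not-applicable: arch $2"; return 1 ;;
    esac
    if ! in_affected_range "$1"; then echo "not-in-range: $1"; return 1; fi
    if ! kasan_enabled "$3"; then echo "kasan-off: $1"; return 1; fi
    echo "review: $1 on $2 is in an affected range with CONFIG_KASAN=y"
}

# Check the local host; a non-match is not an error.
triage "$(uname -r)" "$(uname -m)" "/boot/config-$(uname -r)" || :
```
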
