CVE-2021-47646
Published: 26 February 2025
Summary
CVE-2021-47646 is a high-severity Use After Free (CWE-416) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 5.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Deeper analysis
CVE-2021-47646 is a Use-After-Free (CWE-416) vulnerability in the Linux kernel's BFQ I/O scheduler within the block layer. The issue stems from a use-after-free condition introduced by an earlier commit and triggered in conjunction with commit 2d52c58b9c9b ("block, bfq: honor already-setup queue merges"). This led to a crash reported in Bugzilla (ID 214503), prompting a temporary revert via commit ebc69e897e17, which has now itself been reverted to restore the original commit while addressing the root cause through commit d29bd41428cf ("block, bfq: reset last_bfqq_created on group change").
A local attacker with low privileges (AV:L/AC:L/PR:L) can exploit this vulnerability without user interaction (UI:N), with scope unchanged (S:U). Successful exploitation could result in high-impact confidentiality, integrity, and availability violations (C:H/I:H/A:H), with a CVSS v3.1 base score of 7.8. The UAF may enable kernel memory corruption, potentially leading to privilege escalation, denial of service via crashes, or arbitrary code execution.
Mitigation requires updating to patched Linux kernel stable versions incorporating the relevant commits, such as 15729ff8143f8135b03988a100a19e66d7cb7ecd, 4083925bd6dc89216d156474a8076feec904e607, 65d8a737452e88f251fe5d925371de6d606df613, 931aff627469a75c77b9fd3823146d0575afffd6, and abc2129e646af7b43025d90a071f83043f1ae76c, available via kernel.org stable trees. The vulnerability was publicly disclosed on 2025-02-26 following the crash report.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-34659
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved: Revert "Revert "block, bfq: honor already-setup queue merges"" A crash [1] happened to be triggered in conjunction with commit 2d52c58b9c9b ("block, bfq: honor already-setup queue merges"). The latter was then reverted by commit ebc69e897e17 ("Revert "block, bfq: honor already-setup queue merges""). Yet, the reverted commit was not the one introducing the bug. In fact, it actually triggered a UAF introduced by a different commit, and now fixed by commit d29bd41428cf ("block, bfq: reset last_bfqq_created on group change"). So, there is no point in keeping commit 2d52c58b9c9b ("block, bfq: honor already-setup queue merges") out. This commit restores it. [1] https://bugzilla.kernel.org/show_bug.cgi?id=214503
Related Threats
MITRE ATT&CK Enterprise Techniques AI
Why these techniques?
Kernel UAF directly enables local exploitation for privilege escalation via memory corruption (with secondary paths to DoS or kernel RCE).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires identifying, prioritizing, and applying patches to remediate the Use-After-Free flaw in the Linux kernel's BFQ I/O scheduler.
Implements memory protection mechanisms like KASLR, SMEP/SMAP, and stack canaries to mitigate exploitation of the kernel UAF leading to corruption or escalation.
Mandates vulnerability scanning and monitoring to identify systems running vulnerable Linux kernel versions affected by CVE-2021-47646.
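To support the scanning and patch-prioritisation step above, the following added example (not part of the original page or of the kernel project) reports, per block device, whether BFQ is the active scheduler, merely available, or absent. It reads the kernel's `/sys/block/<dev>/queue/scheduler` files; the function name `bfq_exposure` and its optional root-directory argument are hypothetical, and treating an active BFQ queue as the highest patching priority is an assumption of this example, not a statement from the advisory.

```shell
#!/bin/sh
# Added example: classify block devices by BFQ scheduler state.
# The kernel lists the schedulers a queue can use on one line and puts
# the active one in brackets, e.g. "mq-deadline kyber [bfq] none".

# bfq_exposure [ROOT]
#   ROOT defaults to /sys/block; passing another directory (hypothetical
#   parameter) lets the function run against a constructed tree.
#   Prints "<device> <state>" per line, state = active|available|absent.
bfq_exposure() {
    root="${1:-/sys/block}"
    for f in "$root"/*/queue/scheduler; do
        # Skip an unexpanded glob or unreadable entries.
        [ -r "$f" ] || continue
        dev=${f%/queue/scheduler}
        dev=${dev##*/}
        line=$(cat "$f")
        # Pad with spaces so "bfq" is matched as a whole word.
        case " $line " in
            *"[bfq]"*)  state=active ;;     # BFQ code handles this queue's I/O
            *" bfq "*)  state=available ;;  # BFQ offered but not selected
            *)          state=absent ;;     # BFQ not offered for this queue
        esac
        printf '%s %s\n' "$dev" "$state"
    done
    return 0
}

# Usage on a live host: bfq_exposure
# Record `uname -r` alongside the output so the result can be compared
# with the fixed stable releases named in the advisory.
```

This check only helps order remediation; the fix remains updating to a kernel that contains the commits listed above.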