Cyber Resilience

CVE-2021-47653

High

Published: 26 February 2025

Modified: 24 March 2025
KEV Added
Patch
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0002 (6.1th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2021-47653 is a high-severity use-after-free (CWE-416) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). It ranks at the 6.1th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-10 (Software Usage Restrictions) and CM-7 (Least Functionality).

Deeper analysis

CVE-2021-47653 is a use-after-free vulnerability in the Linux kernel's media subsystem, specifically the DaVinci VPIF (Video Processing Interface) driver. During the driver's probe function, two platform device structures are allocated using devres and registered, but these devices are not deregistered in the driver's remove callback. As a result, when the driver core frees the structures after remove returns, it triggers a use-after-free condition. The issue is classified under CWE-416 with a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A local attacker with low privileges can exploit this vulnerability by triggering the driver unbind operation, such as through device removal or module unloading. Successful exploitation could allow the attacker to achieve high confidentiality, integrity, and availability impacts, potentially leading to arbitrary code execution, data corruption, or system crashes within the kernel context.

The provided kernel stable commit references detail the mitigation, which involves adding the missing deregistration calls for the platform devices in the driver's remove callback, failing the probe function on registration errors, and ensuring the devices are freed using a proper release callback to prevent resource leaks like device names. Security practitioners should apply these patches from the referenced stable kernel commits to affected versions.

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved:

media: davinci: vpif: fix use-after-free on driver unbind

The driver allocates and registers two platform device structures during probe, but the devices were never deregistered on driver unbind. This results in a use-after-free on driver unbind as the device structures were allocated using devres and would be freed by driver core when remove() returns.

Fix this by adding the missing deregistration calls to the remove() callback and failing probe on registration errors.

Note that the platform device structures must be freed using a proper release callback to avoid leaking associated resources like device names.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1068: Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Why these techniques?

Local kernel use-after-free in driver unbind path directly enables privilege escalation to arbitrary code execution in kernel context.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-23111 (same product: Linux Linux Kernel)
CVE-2026-31530 (same product: Linux Linux Kernel)
CVE-2023-52974 (same product: Linux Linux Kernel)
CVE-2026-43019 (same product: Linux Linux Kernel)
CVE-2026-23158 (same product: Linux Linux Kernel)
CVE-2025-21893 (same product: Linux Linux Kernel)
CVE-2026-31446 (same product: Linux Linux Kernel)
CVE-2022-49176 (same product: Linux Linux Kernel)
CVE-2022-49291 (same product: Linux Linux Kernel)
CVE-2026-31650 (same product: Linux Linux Kernel)

Affected Assets

linux
linux kernel
4.13 — 5.15.54 · 5.16 — 5.16.19 · 5.17 — 5.17.2
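
A triage check for the affected ranges listed above, as an added example that is not part of the original advisory: it strips distribution suffixes from a kernel release string and tests it against those ranges. Treating both ends of each range as inclusive is an assumption (the page does not say), and the function names are illustrative.

```shell
#!/bin/sh
# Added example: triage a kernel release against the CVE-2021-47653 ranges
# listed on this page. Requires a sort(1) that supports -V (GNU coreutils).
# Assumption: both ends of every range are inclusive; the page does not say.
AFFECTED_RANGES="4.13:5.15.54 5.16:5.16.19 5.17:5.17.2"

# Reduce a release string to its numeric base: "5.15.0-91-generic" -> "5.15.0".
base_version() {
    printf '%s\n' "$1" | sed -E 's/^([0-9]+(\.[0-9]+){0,2}).*/\1/'
}

# Succeeds when version $1 <= version $2 in version-sort order.
ver_le() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# Prints "affected" when the release falls inside any listed range,
# otherwise "not-affected".
vpif_cve_status() {
    v=$(base_version "$1")
    for r in $AFFECTED_RANGES; do
        lo=${r%%:*}
        hi=${r##*:}
        if ver_le "$lo" "$v" && ver_le "$v" "$hi"; then
            echo affected
            return 0
        fi
    done
    echo not-affected
}

# Report on the running kernel unless a release string is given as $1.
release=${1:-$(uname -r)}
echo "$release: $(vpif_cve_status "$release")"
```

A distribution kernel can carry the backported fix without changing its base version, so treat an "affected" result as a prompt to check the vendor changelog rather than as confirmation.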

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly remediates the use-after-free vulnerability by requiring timely application of the kernel patch that adds deregistration calls in the VPIF driver's remove callback and handles probe errors.

prevent

Prevents loading of the vulnerable DaVinci VPIF kernel module by enforcing software usage restrictions such as module blacklisting and signing requirements.

prevent

Eliminates the vulnerable driver from the attack surface by configuring the system for least functionality, disabling non-essential kernel drivers like VPIF when not required for hardware support.
