CVE-2021-47087

7.8 HIGH

📋 TL;DR

This vulnerability in the Linux kernel's TEE (Trusted Execution Environment) subsystem allows incorrect memory page freeing due to a pointer manipulation bug. It affects systems using the OP-TEE implementation and could lead to memory corruption or system instability. Any Linux system with OP-TEE enabled is potentially vulnerable.

💻 Affected Systems

Products:
  • Linux kernel with OP-TEE driver
Versions: Linux kernel versions before the fix commits (specific versions vary by distribution)
Operating Systems: Linux distributions with vulnerable kernel versions
Default Config Vulnerable: ✅ No
Notes: Only vulnerable if OP-TEE is enabled and in use. Many systems may not have this feature enabled by default.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

⚠️ Risk & Real-World Impact

🔴

Worst Case

Kernel memory corruption leading to system crash, denial of service, or potential privilege escalation if combined with other vulnerabilities.

🟠

Likely Case

System instability, crashes, or denial of service affecting the TEE functionality.

🟢

If Mitigated

Limited impact if OP-TEE is not in use or system has proper memory protection mechanisms.

🌐 Internet-Facing: LOW - Requires local access or ability to execute code on the system.
🏢 Internal Only: MEDIUM - Could be exploited by malicious local users or compromised applications.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: HIGH

Exploitation requires local access and ability to interact with the TEE subsystem. No public exploits known.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Fixed in kernel commits: 18549bf4b21c739a9def39f27dcac53e27286ab5, 806142c805cacd098e61bdc0f72c778a2389fe4a, 91e94e42f6fc49635f1a16d8ae3f79552bcfda29, ad338d825e3f7b96ee542bf313728af2d19fe9ad

Vendor Advisory: https://git.kernel.org/stable/c/18549bf4b21c739a9def39f27dcac53e27286ab5

Restart Required: Yes

Instructions:

1. Update Linux kernel to version containing the fix commits.
2. Check your distribution's security advisories for specific patched versions.
3. Reboot system after kernel update.

🔧 Temporary Workarounds

Disable OP-TEE

Disable the OP-TEE driver if not required for system functionality

modprobe -r optee
echo 'blacklist optee' >> /etc/modprobe.d/blacklist.conf

🧯 If You Can't Patch

  • Disable OP-TEE functionality if not required
  • Implement strict access controls to limit who can interact with TEE subsystem

🔍 How to Verify

Check if Vulnerable:

Check if OP-TEE module is loaded: lsmod | grep optee. If loaded, check kernel version against patched versions.

Check Version:

uname -r

Verify Fix Applied:

Verify kernel version includes the fix commits or check with distribution's security advisory. Confirm OP-TEE functionality works without issues.

📡 Detection & Monitoring

Log Indicators:

  • Kernel oops messages
  • System crashes related to TEE/OP-TEE
  • Memory allocation failures in kernel logs

Network Indicators:

  • None - this is a local vulnerability

SIEM Query:

Search for kernel panic or oops messages containing 'optee' or 'tee' in system logs
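
The module check and the log search described above can be scripted as follows. This is an added example, not part of the original advisory; the function names and the sample log (including the symbol optee_example_fn) are constructed for illustration. The "Modules linked in" line is skipped because it lists every loaded module and would flag unrelated crashes on any system that has optee loaded.

```bash
#!/usr/bin/env bash
# Added example: triage helpers for the verify and detection steps.
# Function names and sample data are constructed, not from the advisory.

# optee_loaded [FILE]: succeed if FILE (in /proc/modules format) lists optee.
optee_loaded() {
    awk '$1 == "optee" { found = 1 } END { exit !found }' "${1:-/proc/modules}"
}

# tee_oops_count [FILE]: count kernel crash reports in a dmesg-style log whose
# body references optee or tee_ symbols. Reads stdin when FILE is omitted.
tee_oops_count() {
    awk '
        !in_report && /Oops|Kernel panic|BUG:|Unable to handle kernel/ {
            in_report = 1; hit = 0
        }
        in_report && !hit && !/Modules linked in/ &&
            /(^|[^a-z_])(optee|tee_)/ { hit = 1; n++ }
        /---\[ end trace/ { in_report = 0 }
        END { print n + 0 }
    ' "${1:--}"
}

# Constructed sample: one crash inside optee code, one unrelated crash on a
# host that merely has optee loaded.
sample_klog() {
    cat <<'EOF'
[  101.000001] Unable to handle kernel paging request at virtual address dead000000000108
[  101.000002] Internal error: Oops: 96000044 [#1] SMP
[  101.000003] Modules linked in: optee tee
[  101.000004] pc : free_pages+0x10/0x40
[  101.000005] lr : optee_example_fn+0x1a0/0x2c0 [optee]
[  101.000006] ---[ end trace 0000000000000000 ]---
[  202.000001] BUG: unable to handle page fault for address: 0000000000000010
[  202.000002] Modules linked in: optee tee e1000
[  202.000003] RIP: 0010:e1000_clean+0x20/0x90 [e1000]
[  202.000004] ---[ end trace 0000000000000000 ]---
EOF
}

echo "TEE-related crash reports in sample: $(sample_klog | tee_oops_count)"
```

On a live host, run `optee_loaded` with no argument and pipe `dmesg` or `journalctl -k` output into `tee_oops_count`. lsmod only lists loadable modules, so a driver compiled into the kernel will not appear there.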
