CVE-2021-47196 – This is a use-after-free vulnerability in the L... (How to Fix)

Q: What is the severity of CVE-2021-47196?

CVE-2021-47196 has a CVSS score of 7.8 (HIGH). This is a use-after-free vulnerability in the Linux kernel's RDMA subsystem that occurs during QP (Queue Pair) creation failure. It allows attackers with local access to potentially crash the system or execute arbitrary code. Affects systems using RDMA with mlx5 drivers in vulnerable kernel versions.

📋 TL;DR

This is a use-after-free vulnerability in the Linux kernel's RDMA subsystem that occurs during QP (Queue Pair) creation failure. It allows attackers with local access to potentially crash the system or execute arbitrary code. Affects systems using RDMA with mlx5 drivers in vulnerable kernel versions.

💻 Affected Systems

Products:

Linux kernel

Versions: Kernel versions before the fix commits (specific versions vary by distribution)

Operating Systems: Linux distributions with vulnerable kernel versions

Default Config Vulnerable: ✅ No

Notes: Only vulnerable when RDMA is enabled and mlx5 drivers are in use. Many systems don't use RDMA by default.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Local privilege escalation to kernel-level code execution, potentially leading to full system compromise.

🟠

Likely Case

Kernel panic or system crash causing denial of service.

🟢

If Mitigated

No impact if patched or RDMA not in use.

🌐 Internet-Facing: LOW - Requires local access to exploit.

🏢 Internal Only: MEDIUM - Local users or compromised accounts could exploit this vulnerability.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Requires local access and ability to create RDMA QPs. The vulnerability is triggered during QP creation failure.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Kernel versions with commits 6cd7397d01c4a3e09757840299e4f114f0aa5fa0 or b70e072feffa0ba5c41a99b9524b9878dee7748e

Vendor Advisory: https://git.kernel.org/stable/c/6cd7397d01c4a3e09757840299e4f114f0aa5fa0

Restart Required: Yes

Instructions:

1. Update Linux kernel to patched version from your distribution vendor. 2. Reboot system to load new kernel.

🔧 Temporary Workarounds

Disable RDMA

linux

Disable RDMA functionality if not required

modprobe -r mlx5_ib
modprobe -r ib_core

Restrict RDMA access

linux

Use kernel module blacklisting to prevent RDMA module loading

echo 'blacklist mlx5_ib' >> /etc/modprobe.d/blacklist.conf
echo 'blacklist ib_core' >> /etc/modprobe.d/blacklist.conf

🧯 If You Can't Patch

Disable RDMA functionality completely if not required
Restrict local user access to systems with RDMA enabled

🔍 How to Verify

Check if Vulnerable:

Check kernel version and if RDMA modules are loaded: 'uname -r' and 'lsmod | grep -E "mlx5_ib|ib_core"'

Check Version:

uname -r

Verify Fix Applied:

Verify kernel version is patched and test RDMA functionality if required

📡 Detection & Monitoring

Log Indicators:

Kernel panic logs
KASAN reports for use-after-free in create_qp
System crashes during RDMA operations

Network Indicators:

None - local vulnerability

SIEM Query:

source="kernel" AND ("KASAN" OR "use-after-free" OR "create_qp")

📊 Metadata

CVE ID: CVE-2021-47196

CVSS v3 Score: 7.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-416

Published: April 10, 2024

Last Updated: March 4, 2025

🔗 References

https://git.kernel.org/stable/c/6cd7397d01c4a3e09757840299e4f114f0aa5fa0 Mailing List,Patch
https://git.kernel.org/stable/c/b70e072feffa0ba5c41a99b9524b9878dee7748e Mailing List,Patch
https://git.kernel.org/stable/c/6cd7397d01c4a3e09757840299e4f114f0aa5fa0 Mailing List,Patch
https://git.kernel.org/stable/c/b70e072feffa0ba5c41a99b9524b9878dee7748e Mailing List,Patch

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-47196, you might also want to check these: