CVE-2021-47198
📋 TL;DR
A use-after-free vulnerability in the Linux kernel's lpfc SCSI driver allows local attackers to potentially crash the system or execute arbitrary code. This affects systems using the lpfc driver for Emulex Fibre Channel adapters. Attackers need local access to exploit this vulnerability.
💻 Affected Systems
- Linux kernel with lpfc driver
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
⚠️ Risk & Real-World Impact
Worst Case
Local privilege escalation leading to kernel compromise, system crash, or arbitrary code execution with kernel privileges.
Likely Case
Kernel panic or system crash causing denial of service when unloading the lpfc driver.
If Mitigated
No impact if proper access controls prevent local users from unloading kernel modules.
🎯 Exploit Status
Requires local access and ability to unload kernel modules. Exploitation requires understanding of kernel memory layout and timing.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Fixed in kernel commits 79b20beccea3a3938a8500acef4e6b9d7c66142f and dbebf865b3239595c1d4dba063b122862583b52a
Vendor Advisory: https://git.kernel.org/stable/c/79b20beccea3a3938a8500acef4e6b9d7c66142f
Restart Required: Yes
Instructions:
1. Update Linux kernel to version containing the fix.
2. Check with your distribution for specific patched kernel versions.
3. Reboot system after kernel update.
🔧 Temporary Workarounds
Restrict module unloading
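Prevent unauthorized users from unloading kernel modules. This setting is one-way: once it is 1, modules can be neither loaded nor unloaded until the next reboot, so load every module the system needs first.
echo 1 > /proc/sys/kernel/modules_disabled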
Disable lpfc module
If not using Fibre Channel adapters, blacklist the lpfc module. A blacklist entry only stops automatic loading; an explicit modprobe lpfc still loads the driver.
echo 'blacklist lpfc' >> /etc/modprobe.d/blacklist.conf
🧯 If You Can't Patch
- Restrict local user access to systems with vulnerable kernels
- Implement strict access controls to prevent unauthorized users from unloading kernel modules
🔍 How to Verify
Check if Vulnerable:
Check kernel version and if lpfc module is loaded:
lsmod | grep lpfc && uname -r
Check Version:
uname -r
Verify Fix Applied:
Verify kernel version is updated to patched version and check for presence of fix commits in kernel source
📡 Detection & Monitoring
Log Indicators:
- Kernel panic messages
- KASAN use-after-free reports in dmesg
- System crashes when unloading lpfc module
Network Indicators:
- None - local vulnerability only
SIEM Query:
search 'KASAN: use-after-free in lpfc_unreg_rpi' OR ('kernel panic' AND 'lpfc')
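Added example (not part of the original advisory): a shell triage function for hosts without a SIEM, applying the log indicators listed above to kernel log text. The function names, the 15-line correlation window and the sample log lines are assumptions constructed for illustration; it goes slightly beyond the query string by also matching the "slab-use-after-free" wording that newer kernels print.

```shell
#!/bin/sh
# Added example, not from the advisory. Sample log lines are constructed.
sample_log() {
cat <<'EOF'
[  101.000001] lpfc 0000:3b:00.0: constructed benign driver message
[  245.120001] BUG: KASAN: use-after-free in lpfc_unreg_rpi+0x1a0/0x5b0 [lpfc]
[  245.120050] Read of size 8 at addr ffff888100000000 by task rmmod/4242
[  300.000001] BUG: KASAN: use-after-free in other_driver_fn+0x10/0x40 [other]
[  512.699000]  lpfc_unreg_rpi+0x1a0/0x5b0 [lpfc]
[  512.700001] Kernel panic - not syncing: Fatal exception
EOF
}

# Reads kernel log text on stdin, prints one line per finding,
# and returns 0 if anything was flagged, 1 otherwise.
scan_lpfc_uaf() {
    awk -v W=15 '
    function flag(kind, line) { print kind ": " line; hits++ }

    # KASAN use-after-free report that names an lpfc symbol or module.
    /KASAN: (slab-)?use-after-free in / && /lpfc/ {
        flag("KASAN_UAF_LPFC", $0); next
    }

    # Stack frame tagged [lpfc]: remember it, and resolve a pending panic.
    /\[lpfc\]/ {
        last = NR
        if (pnr && NR - pnr <= W) { flag("PANIC_NEAR_LPFC", ptxt); pnr = 0 }
    }

    # Panic line: flag it only if an [lpfc] frame is within W lines.
    /Kernel panic/ {
        if (last && NR - last <= W) flag("PANIC_NEAR_LPFC", $0)
        else { pnr = NR; ptxt = $0 }
    }

    END { exit (hits ? 0 : 1) }
    '
}

sample_log | scan_lpfc_uaf
# On a live host: dmesg | scan_lpfc_uaf   or   journalctl -k | scan_lpfc_uaf
```
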