CVE-2021-47303

7.8 HIGH

📋 TL;DR

A use-after-free vulnerability in the Linux kernel's BPF subsystem allows attackers to access freed memory when running BPF programs. This can lead to kernel crashes, information leaks, or potential privilege escalation. Systems running vulnerable Linux kernel versions with BPF enabled are affected.

💻 Affected Systems

Products:
  • Linux Kernel
Versions: kernel versions from the commit that introduced the bug up to the fix commits (approximately kernel 5.12 and later, until the fixed releases)
Operating Systems: Linux distributions using affected kernel versions
Default Config Vulnerable: ⚠️ Yes
Notes: Requires BPF subsystem to be enabled and accessible. Systems with BPF disabled or restricted via kernel lockdown are less vulnerable.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

⚠️ Risk & Real-World Impact

🔴 Worst Case

Kernel panic leading to system crash, potential privilege escalation to root, or arbitrary code execution in kernel context.

🟠 Likely Case

Kernel crash causing system instability or denial of service, potentially leading to information disclosure through memory leaks.

🟢 If Mitigated

Limited impact if BPF is disabled or systems are properly patched, though unpatched systems remain vulnerable to crashes.

🌐 Internet-Facing: MEDIUM - Requires local access or ability to execute BPF programs, but could be combined with other vulnerabilities for remote exploitation.
🏢 Internal Only: HIGH - Local attackers or malicious users with BPF program execution capabilities can exploit this vulnerability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires ability to load and execute BPF programs, which typically requires CAP_BPF or similar capabilities. The vulnerability is in kernel memory management logic.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Fixed in stable kernel versions via commits: 599148d40366bd5d1d504a3a8fcd65e21107e500, a9f36bf3613c65cb587c70fac655c775d911409b, f263a81451c12da5a342d90572e317e611846f2c

Vendor Advisory: https://git.kernel.org/stable/c/599148d40366bd5d1d504a3a8fcd65e21107e500

Restart Required: Yes

Instructions:

1. Update to a patched kernel version from your distribution vendor.
2. For custom kernels, apply the relevant fix commits from kernel.org.
3. Reboot the system to load the new kernel.

🔧 Temporary Workarounds

Disable unprivileged BPF

Prevents unprivileged users from loading BPF programs that could trigger the vulnerability. Privileged loaders (CAP_BPF or CAP_SYS_ADMIN) are not affected by this sysctl, and a value of 1 cannot be reverted without a reboot. Either command sets it:

echo 1 > /proc/sys/kernel/unprivileged_bpf_disabled
sysctl -w kernel.unprivileged_bpf_disabled=1

Restrict BPF capabilities

Limit which users can load BPF programs using Linux capabilities:

setcap -r /path/to/binary

This removes all file capabilities (for example CAP_BPF or CAP_SYS_ADMIN) from a binary that does not need them. Additionally, use Linux Security Modules (LSM) such as SELinux or AppArmor to restrict BPF.

🧯 If You Can't Patch

  • Implement strict access controls to prevent unauthorized users from loading BPF programs
  • Monitor system logs for BPF-related errors or crashes and implement immediate incident response procedures

🔍 How to Verify

Check if Vulnerable:

Check whether the running kernel version falls within the vulnerable range. Examine dmesg for KASAN reports that mention prog_array_map_poke_run.

Check Version:

uname -r

Verify Fix Applied:

Verify that the running kernel includes the fix commits or is newer than the patched releases. Exercise BPF functionality to confirm stability.

📡 Detection & Monitoring

Log Indicators:

  • KASAN reports in dmesg/kernel logs mentioning 'use-after-free' in 'prog_array_map_poke_run' (such reports appear only on kernels built with CONFIG_KASAN, which production kernels usually are not)
  • Kernel panic or oops messages related to BPF

Network Indicators:

  • Unusual BPF program loading activity from unexpected users or processes

SIEM Query:

source="kernel" AND ("KASAN" OR "use-after-free" OR "prog_array_map_poke_run")
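The following script is an added example, not part of this advisory: it checks whether the unprivileged-BPF sysctl workaround from the "Temporary Workarounds" section is in effect and scans kernel log text for the three indicator terms the SIEM query above uses. The sysctl path and value semantics are the standard Linux ones; the function names are mine, and SAMPLE_LOG is a constructed sample (made-up address and task name) used when the live ring buffer is not readable.

```shell
#!/bin/sh
# Added example (not from the advisory): audit the unprivileged-BPF
# workaround and scan kernel log text for the advisory's indicators.
# The log sample below is constructed for illustration.

SYSCTL_PATH=/proc/sys/kernel/unprivileged_bpf_disabled

# Describe a kernel.unprivileged_bpf_disabled value.
#   0 = unprivileged users may load BPF programs (workaround not applied)
#   1 = disabled, and cannot be re-enabled without a reboot
#   2 = disabled, but can be switched back to 0 (newer kernels only)
bpf_sysctl_state() {
  case "$1" in
    0) echo "unprivileged BPF ENABLED: workaround not applied" ;;
    1) echo "unprivileged BPF disabled (locked until reboot)" ;;
    2) echo "unprivileged BPF disabled (re-enableable)" ;;
    *) echo "unrecognised value: $1" ;;
  esac
}

# Exit status 0 when the value means the workaround is active.
bpf_workaround_active() {
  case "$1" in
    1|2) return 0 ;;
    *)   return 1 ;;
  esac
}

# Indicator terms, the same three the advisory's SIEM query uses.
INDICATOR_RE='KASAN|use-after-free|prog_array_map_poke_run'

# Print every line of the given log text that matches an indicator.
scan_bpf_indicators() {
  printf '%s\n' "$1" | grep -E "$INDICATOR_RE"
}

# Print the number of matching lines (0 when there are none).
count_bpf_indicators() {
  printf '%s\n' "$1" | grep -Ec "$INDICATOR_RE" || true
}

# Constructed sample: one KASAN splat plus unrelated noise. The address and
# task name are made up; a real report would come from dmesg.
SAMPLE_LOG='[   12.345678] BUG: KASAN: use-after-free in prog_array_map_poke_run+0x1a2/0x3f0
[   12.345701] Read of size 8 at addr ffff888012345678 by task bpf-test/1234
[   12.345900] Call Trace:
[   13.000000] usb 1-1: new high-speed USB device number 2 using xhci_hcd'

main() {
  echo "kernel: $(uname -r)"
  if [ -r "$SYSCTL_PATH" ]; then
    bpf_sysctl_state "$(cat "$SYSCTL_PATH")"
  else
    echo "$SYSCTL_PATH not readable (not Linux, or BPF not built in)"
  fi

  # Prefer the live ring buffer when it is readable; fall back to the sample.
  log=$(dmesg 2>/dev/null) || log=""
  [ -n "$log" ] || log=$SAMPLE_LOG

  echo "indicator lines: $(count_bpf_indicators "$log")"
  scan_bpf_indicators "$log" || true
}

main "$@"
```

Run it as root on the host to read the live dmesg buffer; without root it still reports the sysctl state and demonstrates the match on the constructed sample. The grep pattern deliberately mirrors the SIEM query so the host-side check and the central query flag the same lines.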
