CVE-2021-47321

7.8 HIGH

📋 TL;DR

A use-after-free vulnerability in the Linux kernel watchdog driver occurs when the driver's remove function calls del_timer() without ensuring the timer handler has finished. This could allow an attacker to execute arbitrary code with kernel privileges. All systems running affected Linux kernel versions are potentially vulnerable.

💻 Affected Systems

Products:
  • Linux kernel
Versions: Specific affected versions not specified in CVE, but patches exist in stable kernel trees
Operating Systems: Linux distributions using vulnerable kernel versions
Default Config Vulnerable: ⚠️ Yes
Notes: Requires the watchdog driver to be loaded and the remove path to be triggered, which typically requires module unloading or driver removal.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...


⚠️ Risk & Real-World Impact

🔴 Worst Case: Kernel privilege escalation leading to full system compromise, arbitrary code execution, or system crash.
🟠 Likely Case: System instability, kernel panic, or denial of service due to memory corruption.
🟢 If Mitigated: Minimal impact if systems are patched or have proper kernel hardening measures.

🌐 Internet-Facing: LOW - Requires local access or ability to load/unload kernel modules.
🏢 Internal Only: MEDIUM - Local attackers or malicious insiders could exploit this to escalate privileges.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: HIGH

Exploitation requires local access and ability to trigger the vulnerable code path, making it challenging to weaponize.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Patched in stable kernel commits referenced in CVE

Vendor Advisory: https://git.kernel.org/stable/c/1a053c4d716898a53c2e31c574a70ea0c37044a3

Restart Required: Yes

Instructions:

1. Update Linux kernel to a version containing the fix.
2. Check distribution-specific security advisories.
3. Reboot system to load patched kernel.

🔧 Temporary Workarounds

Disable watchdog module

Prevent loading of vulnerable watchdog driver module

echo 'blacklist watchdog' >> /etc/modprobe.d/blacklist.conf
rmmod watchdog

🧯 If You Can't Patch

  • Restrict local access to prevent potential privilege escalation
  • Implement kernel module signing to prevent unauthorized module loading

🔍 How to Verify

Check if Vulnerable:

Check kernel version and compare with patched versions in distribution advisories

Check Version:

uname -r

Verify Fix Applied:

Verify kernel version after update matches patched version from vendor

📡 Detection & Monitoring

Log Indicators:

  • Kernel panic logs
  • Watchdog driver loading/unloading events
  • System crash dumps

Network Indicators:

  • None - local vulnerability

SIEM Query:

Search for kernel panic events or watchdog module activity in system logs
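
Added example, not part of the original advisory: a shell filter that tags the log indicators listed above and escalates a panic or KASAN use-after-free report that follows a module unload, the sequence the remove-path trigger would produce. It assumes x86_64 audit SYSCALL records from an audit rule on init_module/finit_module/delete_module, merged in time order with kernel messages; the sample lines and the name example_wdt are constructed.

```shell
#!/bin/sh
# Added example, not from the advisory. Assumptions: x86_64 audit SYSCALL
# records (arch=c000003e; 175=init_module, 313=finit_module, 176=delete_module)
# merged in time order with kernel messages. KASAN lines appear only on
# KASAN-enabled kernels.

# triage [WINDOW]: read log lines on stdin, print "TAG<TAB>line" per match.
# A crash within WINDOW lines (default 50) of an unload gets "-AFTER-UNLOAD".
triage() {
    awk -v win="${1:-50}" '
        function crash_tag(base) {
            return (unload && NR - unload <= win) ? base "-AFTER-UNLOAD" : base
        }
        /type=SYSCALL/ && /arch=c000003e/ && / syscall=(175|313) / {
            print "MODLOAD\t" $0; next
        }
        /type=SYSCALL/ && /arch=c000003e/ && / syscall=176 / {
            unload = NR; print "MODUNLOAD\t" $0; next
        }
        /BUG: KASAN: (slab-)?use-after-free/ { print crash_tag("UAF") "\t" $0; next }
        /Kernel panic - not syncing/         { print crash_tag("PANIC") "\t" $0; next }
    '
}

# Constructed sample input (not real logs; example_wdt is a placeholder name).
sample_log() {
    cat <<'EOF'
type=SYSCALL msg=audit(1700000000.100:41): arch=c000003e syscall=313 success=yes exit=0 comm="modprobe" key="modules"
kernel: example_wdt: timer started
type=SYSCALL msg=audit(1700000050.200:42): arch=c000003e syscall=176 success=yes exit=0 comm="rmmod" key="modules"
kernel: BUG: KASAN: use-after-free in example_wdt_timer+0x2c/0x60
kernel: Kernel panic - not syncing: Fatal exception in interrupt
EOF
}

sample_log | triage
```

On a live host, pipe `journalctl -k` output into `triage`; the MODLOAD and MODUNLOAD tags additionally need the audit records in the same stream.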
