CVE-2021-47365
📋 TL;DR
This CVE describes a memory leak vulnerability in the Linux kernel's AFS (Andrew File System) implementation. When writeback operations fail, the kernel fails to release page references, causing gradual memory exhaustion. This affects any system running a vulnerable Linux kernel with AFS support.
💻 Affected Systems
- Linux kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →⚠️ Risk & Real-World Impact
Worst Case
Complete system memory exhaustion leading to denial of service, system crashes, and potential data loss from improper writeback operations.
Likely Case
Gradual memory consumption over time causing performance degradation and eventual system instability requiring reboots.
If Mitigated
Minimal impact with proper monitoring and memory limits in place, though still causing resource inefficiency.
🎯 Exploit Status
Exploitation requires ability to trigger AFS writeback operations that fail, typically requiring local access. No known weaponized exploits in the wild.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Fixed in kernel commits 581b2027af0018944ba301d68e7af45c6d1128b5 and d130b5fdd42254d92948d06347940276140c927e
Vendor Advisory: https://git.kernel.org/stable/c/581b2027af0018944ba301d68e7af45c6d1128b5
Restart Required: Yes
Instructions:
1. Update to a kernel version containing the fix commits. 2. Check your distribution's security advisories for patched kernel packages. 3. Reboot the system after kernel update.
🔧 Temporary Workarounds
Disable AFS module
linuxIf AFS is not needed, prevent the vulnerable code from loading by blacklisting or removing the module.
echo 'blacklist afs' >> /etc/modprobe.d/blacklist-afs.conf
rmmod afs
Memory monitoring and limits
linuxImplement strict memory monitoring and cgroup limits to detect and contain memory leaks.
systemctl status systemd-oomd
cgcreate -g memory:afs_limit
cgset -r memory.limit_in_bytes=2G afs_limit
🧯 If You Can't Patch
- Implement aggressive memory monitoring with alerts for unusual consumption patterns
- Isolate systems using AFS to minimize blast radius and implement strict access controls
🔍 How to Verify
Check if Vulnerable:
Check kernel version and if AFS module is loaded: 'uname -r' and 'lsmod | grep afs'Check Version:
uname -rVerify Fix Applied:
Verify kernel version includes fix commits or check with distribution-specific security update verification tools📡 Detection & Monitoring
Log Indicators:
- Kernel oom-killer messages
- Rapid memory consumption in system logs
- AFS-related errors in dmesg
Network Indicators:
- None - this is a local memory management issue
SIEM Query:
source="kernel" AND ("Out of memory" OR "oom-killer" OR memory AND consumption) AND process="afs"