CVE-2021-47378

9.8 CRITICAL

📋 TL;DR

This is a use-after-free vulnerability in the Linux kernel's NVMe over RDMA subsystem. An attacker could exploit this to cause kernel memory corruption, potentially leading to denial of service, privilege escalation, or arbitrary code execution. Systems using NVMe over RDMA with affected Linux kernel versions are vulnerable.

💻 Affected Systems

Products:
  • Linux kernel
Versions: Specific affected versions not explicitly stated in CVE description, but references indicate stable kernel patches. Likely affects multiple kernel versions before fixes were backported.
Operating Systems: Linux distributions using affected kernel versions
Default Config Vulnerable: ✅ No
Notes: Only vulnerable if NVMe over RDMA subsystem is enabled and in use. Many systems may not have this configured.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

⚠️ Risk & Real-World Impact

🔴 Worst Case

Kernel panic leading to system crash, or privilege escalation allowing full system compromise and arbitrary code execution at kernel level.

🟠 Likely Case

System instability, kernel crashes, or denial of service affecting NVMe storage operations.

🟢 If Mitigated

Limited impact if exploit attempts are blocked by network segmentation or if NVMe over RDMA is not in use.

🌐 Internet-Facing: LOW - NVMe over RDMA typically operates on internal networks and storage fabrics, not directly internet-exposed.
🏢 Internal Only: HIGH - Critical for systems using NVMe over RDMA in data centers, cloud environments, or high-performance computing clusters.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: HIGH

Exploitation requires triggering specific RDMA connection establishment error conditions. Likely requires local access or network access to NVMe over RDMA services.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Multiple stable kernel versions with commits: 9817d763dbe15327b9b3ff4404fa6f27f927e744, d268a182c56e8361e19fb781137411643312b994, ecf0dc5a904830c926a64feffd8e01141f89822f

Vendor Advisory: https://git.kernel.org/stable/c/9817d763dbe15327b9b3ff4404fa6f27f927e744

Restart Required: Yes

Instructions:

1. Update Linux kernel to patched version from your distribution vendor.
2. Reboot system to load new kernel.
3. Verify kernel version matches patched release.

🔧 Temporary Workarounds

Disable NVMe over RDMA

linux

If NVMe over RDMA functionality is not required, disable it to eliminate the attack surface.

modprobe -r nvme-rdma
echo 'blacklist nvme-rdma' >> /etc/modprobe.d/blacklist.conf

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate NVMe over RDMA traffic from untrusted networks.
  • Monitor systems for kernel panics or unusual NVMe/RDMA connection errors that might indicate exploitation attempts.

🔍 How to Verify

Check if Vulnerable:

Check whether the nvme-rdma module is loaded: lsmod | grep nvme_rdma. Then compare the running kernel version against the patched releases from your distribution.

Check Version:

uname -r

Verify Fix Applied:

Verify kernel version includes the fix commits. Check dmesg for any recent NVMe/RDMA errors after applying patch.
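
The module check above and the two workaround commands (unload, then blacklist) can be verified together, since a blacklist line does not unload a module that is already live. The script below is an added example, not part of the original advisory; the function names and the LOADED/BLACKLISTED/LOADABLE labels are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: checks both halves of the nvme-rdma workaround.
# Function names and status labels are illustrative assumptions.

# module_loaded FILE: true if nvme_rdma is the module name (first field) on
# any line of a /proc/modules-style file. Matching only field 1 avoids a hit
# on the dependency column of another module's line.
module_loaded() {
    awk '$1 == "nvme_rdma" { found = 1 } END { exit !found }' "$1"
}

# module_blacklisted DIR: true if an uncommented "blacklist nvme-rdma" line
# exists in any DIR/*.conf. modprobe treats '-' and '_' as equivalent.
module_blacklisted() {
    for f in "$1"/*.conf; do
        [ -f "$f" ] || continue
        if grep -Eq '^[[:space:]]*blacklist[[:space:]]+nvme[-_]rdma[[:space:]]*$' "$f"; then
            return 0
        fi
    done
    return 1
}

# exposure_status MODULES_FILE MODPROBE_DIR prints one of:
#   LOADED       module is live now; a blacklist line does not unload it
#   BLACKLISTED  not loaded and the blacklist line is persisted
#   LOADABLE     not loaded, but no blacklist line is in place
exposure_status() {
    if module_loaded "$1"; then
        echo LOADED
    elif module_blacklisted "$2"; then
        echo BLACKLISTED
    else
        echo LOADABLE
    fi
}

# Constructed sample input (not from a real host): the blacklist line was
# written but 'modprobe -r' was never run, so the module is still live.
tmp=$(mktemp -d)
printf 'nvme_rdma 45056 0 - Live 0x0000000000000000\n' > "$tmp/modules"
printf 'blacklist nvme-rdma\n' > "$tmp/blacklist.conf"
exposure_status "$tmp/modules" "$tmp"
rm -rf "$tmp"

# On a real host: exposure_status /proc/modules /etc/modprobe.d
```

A result of LOADED or LOADABLE on a host that does not need NVMe over RDMA means one of the two workaround commands is still outstanding.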

📡 Detection & Monitoring

Log Indicators:

  • Kernel panic messages
  • NVMe or RDMA connection errors in dmesg
  • Use-after-free warnings in kernel logs

Network Indicators:

  • Unusual RDMA connection attempts to NVMe ports
  • Multiple failed RDMA connections triggering error conditions

SIEM Query:

source="kernel" AND ("nvme" OR "rdma") AND ("panic" OR "error" OR "use-after-free")
