Login Sign Up

CVE-2021-47436

5.5 MEDIUM

📋 TL;DR

This CVE describes a kernel crash vulnerability in the Linux kernel's USB MUSB driver for DSPS platforms. When the probe function fails during device initialization, it doesn't properly clean up platform device resources, leading to potential NULL pointer dereferences and system crashes. This affects Linux systems using the affected MUSB driver, particularly on BeagleBone Black Wireless devices.

💻 Affected Systems

Products:
  • Linux kernel
Versions: Linux kernel versions containing the buggy commit 7c75bde329d7, particularly v5.10.70 and other versions where this was backported
Operating Systems: Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Specifically affects systems using USB MUSB driver for DSPS platforms, with BeagleBone Black Wireless mentioned as affected hardware.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Kernel panic and system crash leading to denial of service, potentially causing data loss or system instability.

🟠

Likely Case

System crash during boot or USB device initialization, requiring reboot to recover.

🟢

If Mitigated

No impact if patched or if the specific error condition doesn't occur.

🌐 Internet-Facing: LOW - This is a local kernel driver issue not directly exploitable over network.
🏢 Internal Only: MEDIUM - Can cause system instability but requires local device initialization failure.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: NO
Unauthenticated Exploit: ✅ No
Complexity: HIGH

Exploitation requires triggering specific error conditions during USB device initialization, making it difficult to weaponize for remote attacks.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Patched in kernel commits referenced in CVE description

Vendor Advisory: https://git.kernel.org/stable/c/5ed60a430fb5f3d93e7fef66264daef466b4d10c

Restart Required: Yes

Instructions:

1. Update Linux kernel to version containing fix commits
2. Rebuild kernel if using custom kernel
3. Reboot system to load patched kernel

🔧 Temporary Workarounds

Disable affected USB functionality

linux

Disable the MUSB DSPS driver or USB gadget functionality if not needed

echo 'blacklist musb_dsps' >> /etc/modprobe.d/blacklist.conf
modprobe -r musb_dsps

🧯 If You Can't Patch

  • Avoid using USB Ethernet gadget functionality on affected hardware
  • Monitor system logs for USB initialization errors and reboot if crashes occur

🔍 How to Verify

Check if Vulnerable:

Check kernel version and if musb_dsps module is loaded: 'uname -r' and 'lsmod | grep musb_dsps'

Check Version:

uname -r

Verify Fix Applied:

Verify kernel version is updated beyond affected versions and check dmesg for USB initialization errors

📡 Detection & Monitoring

Log Indicators:

  • Kernel panic messages
  • NULL pointer dereference in USB/MUSB driver
  • USB device initialization failures

Network Indicators:

  • None - this is a local kernel issue

SIEM Query:

Search for kernel panic events or USB driver errors in system logs

📊 Metadata

CVE ID: CVE-2021-47436
CVSS v3 Score: 5.5 (MEDIUM)
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-476
Published: May 22, 2024
Last Updated: March 1, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-47436, you might also want to check these:

CVE-2022-36648 10.0

This CVE describes a vulnerability in QEMU's hardware emulation where a malformed program executed i...

Same vulnerability type (CWE-476)
CVE-2019-20914 9.8

This vulnerability in GNU LibreDWG is a NULL pointer dereference that can cause application crashes ...

Same vulnerability type (CWE-476)
CVE-2022-30592 9.8

This vulnerability in LiteSpeed QUIC (LSQUIC) before version 3.1.0 involves improper handling of MAX...

Same vulnerability type (CWE-476)