Login Sign Up

CVE-2021-47464

7.4 HIGH
Denial of Service

📋 TL;DR

This CVE describes a null-pointer dereference vulnerability in the Linux kernel's audit subsystem. The flaw in audit_filter_rules() could allow local attackers to cause a kernel panic (denial of service) by triggering a null pointer access. Systems running vulnerable Linux kernel versions with audit functionality enabled are affected.

💻 Affected Systems

Products:
  • Linux kernel
Versions: Specific vulnerable kernel versions between the introduction of the bug and its fix; exact range depends on distribution backports
Operating Systems: Linux distributions using affected kernel versions
Default Config Vulnerable: ✅ No
Notes: Requires CONFIG_AUDIT=y and audit subsystem enabled/active. Many distributions have audit disabled by default.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Kernel panic leading to system crash and denial of service, potentially disrupting critical services and requiring physical or remote reboot.

🟠

Likely Case

Local denial of service through kernel panic, requiring system reboot to restore functionality.

🟢

If Mitigated

Minimal impact if audit subsystem is disabled or proper access controls prevent local users from triggering the vulnerable code path.

🌐 Internet-Facing: LOW - This is a local privilege vulnerability requiring access to the system, not directly exploitable over network.
🏢 Internal Only: MEDIUM - Local users or compromised accounts could trigger denial of service, but requires specific conditions and local access.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires local access and ability to trigger audit events. No public exploit code identified in references.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Kernel versions containing commits: 16802fa4c33eb1a8efb23f1e93365190e4047d05, 4e9e46a700201b4c85081fd478c99c692a9aaa0d, 6e3ee990c90494561921c756481d0e2125d8b895, d6f451f1f60c58d73038c7c3177066f8f084e2a2

Vendor Advisory: https://git.kernel.org/stable/c/16802fa4c33eb1a8efb23f1e93365190e4047d05

Restart Required: Yes

Instructions:

1. Update Linux kernel to patched version from your distribution's repositories. 2. Reboot system to load new kernel. 3. Verify kernel version after reboot.

🔧 Temporary Workarounds

Disable audit subsystem

linux

Completely disable the audit subsystem to prevent exploitation of this vulnerability

echo 'blacklist audit' >> /etc/modprobe.d/blacklist-audit.conf
update-initramfs -u
reboot

Disable audit at boot

linux

Prevent audit module from loading at boot time

echo 'audit=0' >> /etc/default/grub
update-grub
reboot

🧯 If You Can't Patch

  • Restrict local user access to prevent untrusted users from triggering audit events
  • Implement strict access controls and monitor for suspicious audit subsystem activity

🔍 How to Verify

Check if Vulnerable:

Check if audit subsystem is active: 'auditctl -s' and check kernel version against patched versions

Check Version:

uname -r

Verify Fix Applied:

Verify kernel version after update: 'uname -r' and ensure it's newer than vulnerable versions

📡 Detection & Monitoring

Log Indicators:

  • Kernel panic messages in /var/log/kern.log or dmesg
  • Audit subsystem crash logs
  • System reboot events without clear cause

Network Indicators:

  • None - this is local only vulnerability

SIEM Query:

source="kern.log" AND "kernel panic" OR "Oops" OR "BUG"

📊 Metadata

CVE ID: CVE-2021-47464
CVSS v3 Score: 7.4 (HIGH)
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-476
Published: May 22, 2024
Last Updated: April 2, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-47464, you might also want to check these:

CVE-2022-36648 10.0

This CVE describes a vulnerability in QEMU's hardware emulation where a malformed program executed i...

Same vulnerability type (CWE-476)
CVE-2022-30592 9.8

This vulnerability in LiteSpeed QUIC (LSQUIC) before version 3.1.0 involves improper handling of MAX...

Same vulnerability type (CWE-476)
CVE-2023-47003 9.8

A NULL pointer dereference vulnerability in RedisGraph allows attackers to execute arbitrary code or...

Same vulnerability type (CWE-476)