CVE-2021-47519

5.5 MEDIUM

📋 TL;DR

This is a memory leak vulnerability in the Linux kernel's CAN (Controller Area Network) subsystem. When the m_can_read_fifo() function fails during FIFO reading, it doesn't properly free allocated socket buffers, causing gradual memory exhaustion. This affects any Linux system using the m_can driver for CAN bus communication.

💻 Affected Systems

Products:
  • Linux kernel
Versions: Kernel versions with the vulnerable m_can driver code (specific versions not provided in CVE, but patches exist for stable branches)
Operating Systems: Linux distributions using affected kernel versions
Default Config Vulnerable: ⚠️ Yes
Notes: Only vulnerable when the m_can driver is loaded and used for CAN bus communication. Not all Linux systems use CAN functionality.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...


⚠️ Risk & Real-World Impact

🔴 Worst Case: Continuous exploitation could lead to kernel memory exhaustion, causing system instability, denial of service, or potential kernel crashes.

🟠 Likely Case: Gradual memory consumption leading to system performance degradation and eventual denial of service under sustained CAN bus traffic.

🟢 If Mitigated: Minimal impact with proper monitoring and memory limits in place.

🌐 Internet-Facing: LOW - CAN bus interfaces are typically internal to industrial/automotive systems and not directly internet-exposed.
🏢 Internal Only: MEDIUM - Affects systems using CAN bus communication, particularly in industrial control, automotive, and embedded systems.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires ability to send CAN bus messages to trigger the error condition. This typically requires local or network access to the CAN interface.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Patches available in stable kernel branches (commits 31cb32a590d62b18f69a9a6d433f4e69c74fdd56 and 75a422165477dd12d2d20aa7c9ee7c9a281c9908)

Vendor Advisory: https://git.kernel.org/stable/c/31cb32a590d62b18f69a9a6d433f4e69c74fdd56

Restart Required: Yes

Instructions:

1. Update to a patched kernel version from your distribution vendor.
2. Rebuild the kernel if you use a custom kernel.
3. Reboot the system to load the new kernel.

🔧 Temporary Workarounds

Disable m_can driver

linux

Unload the vulnerable m_can driver if it is not needed (the two commands are alternatives; run one)

sudo rmmod m_can
sudo modprobe -r m_can

Blacklist m_can module

linux

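Prevent the m_can driver from loading automatically at boot (a blacklist entry only stops alias-based autoloading; the module can still be loaded explicitly or as a dependency of another module)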

echo 'blacklist m_can' | sudo tee /etc/modprobe.d/blacklist-m_can.conf

🧯 If You Can't Patch

  • Implement memory monitoring and alerting for kernel memory usage
  • Restrict access to CAN bus interfaces to trusted users/systems only

🔍 How to Verify

Check if Vulnerable:

Check whether the m_can module is loaded:

lsmod | grep m_can

Then check the kernel version against the patched versions.

Check Version:

uname -r

Verify Fix Applied:

Verify kernel version is updated and m_can module version includes the fix commit.

📡 Detection & Monitoring

Log Indicators:

  • Kernel oom-killer events
  • Increasing kernel memory usage in /proc/meminfo
  • System performance degradation logs

Network Indicators:

  • Unusual CAN bus traffic patterns
  • High frequency of CAN error frames

SIEM Query:

source="kernel" AND ("oom" OR "out of memory" OR "memory allocation failure")
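
One way to turn the "increasing kernel memory usage in /proc/meminfo" indicator into a check, as an added example that is not part of the original advisory or the kernel project. It assumes the leaked socket buffers show up as growth in the SUnreclaim field; the function names, the sample count, the interval and the 1024 kB threshold are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): watch for steady growth of
# unreclaimable kernel slab memory while the m_can driver is loaded.
# Assumption: leaked socket buffers appear as growth in SUnreclaim.

# Print the kB value of one field from /proc/meminfo-format text.
meminfo_kb() {  # $1 = field name, $2 = file (default: stdin)
    awk -v f="$1:" '$1 == f { print $2; exit }' "${2:--}"
}

# Succeed only on an exact module-name match in /proc/modules-format text
# (a plain grep for m_can would also match m_can_platform).
module_loaded() {  # $1 = module name, $2 = file (default: stdin)
    awk -v m="$1" '$1 == m { found = 1 } END { exit !found }' "${2:--}"
}

# Read kB samples on stdin, one per line. Print LEAK_SUSPECTED when there
# are at least 3 samples, none lower than its predecessor, and the total
# growth is at least $1 kB; otherwise print OK.
classify_growth() {
    awk -v min="$1" '
        NR == 1 { first = $1 }
        NR > 1 && $1 < prev { dropped = 1 }
        { prev = $1 }
        END {
            if (NR >= 3 && !dropped && prev - first >= min) print "LEAK_SUSPECTED"; else print "OK"
        }'
}

# Sample the live system: $1 samples, $2 seconds apart, $3 kB threshold.
monitor() {
    if ! module_loaded m_can /proc/modules; then
        echo "m_can not loaded"; return 0
    fi
    i=0
    while [ "$i" -lt "$1" ]; do
        meminfo_kb SUnreclaim /proc/meminfo
        i=$((i + 1))
        if [ "$i" -lt "$1" ]; then sleep "$2"; fi
    done | classify_growth "$3"
}

# Run only when asked, e.g.: sh m_can_leak_watch.sh --run
# (10 samples, 60 s apart, 1024 kB threshold: constructed defaults)
if [ "${1:-}" = "--run" ]; then monitor 10 60 1024; fi
```

A LEAK_SUSPECTED result is a prompt to investigate, not proof of this bug: other kernel consumers also grow SUnreclaim, so correlate it with CAN traffic and the error-frame indicators listed above.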
