CVE-2021-47600
📋 TL;DR
This CVE describes a use-after-free vulnerability in the Linux kernel's device mapper btree remove functionality. An attacker with local access could potentially exploit this to cause a kernel crash (denial of service) or possibly execute arbitrary code. Systems running affected Linux kernel versions with device mapper functionality are vulnerable.
💻 Affected Systems
- Linux kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
⚠️ Risk & Real-World Impact
Worst Case
Local privilege escalation to kernel-level code execution, potentially leading to full system compromise.
Likely Case
Kernel panic leading to system crash and denial of service.
If Mitigated
System crash requiring reboot, but no privilege escalation if kernel hardening features are enabled.
🎯 Exploit Status
Exploitation requires local access and knowledge of device mapper internals. The use-after-free occurs during btree rebalancing operations.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Kernel versions containing commit 0e21e6cd5eebfc929ac5fa3b97ca2d4ace3cb6a3 or later
Vendor Advisory: https://git.kernel.org/stable/c/0e21e6cd5eebfc929ac5fa3b97ca2d4ace3cb6a3
Restart Required: Yes
Instructions:
1. Update Linux kernel to patched version from your distribution's repositories.
2. Reboot system to load new kernel.
3. Verify kernel version after reboot.
🔧 Temporary Workarounds
Disable device mapper functionality
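Remove or disable device mapper modules if not needed. Note that modprobe -r fails while any device-mapper device (LVM, dm-crypt, multipath) is active, and a blacklist entry does not stop dm_mod from being loaded as a dependency of another module.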
modprobe -r dm_mod
echo 'blacklist dm_mod' >> /etc/modprobe.d/blacklist.conf
🧯 If You Can't Patch
- Restrict local user access to minimize attack surface
- Implement kernel hardening features like KASLR and SMEP/SMAP
🔍 How to Verify
Check if Vulnerable:
Check kernel version and compare with distribution security advisories. Check if device mapper is loaded: lsmod | grep dm_
Check Version:
uname -r
Verify Fix Applied:
Verify kernel version after update matches patched version. Check that device mapper still functions correctly.
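The lsmod check above, extended as an added example (not part of the original advisory): it reads /proc/modules-format text, lists each dm_ module with its reference count, and reports whether dm_persistent_data is loaded. It assumes a modular build in which the btree code ships in dm_persistent_data; `dm_exposure` and `sample_modules` are names made up for this example.

```shell
#!/bin/sh
# Added example: summarise device-mapper module exposure.
# Input is /proc/modules format: name size refcount dependents state address

sample_modules() {   # constructed sample, not taken from a real host
cat <<'EOF'
dm_thin_pool 86016 1 - Live 0x0000000000000000
dm_persistent_data 106496 1 dm_thin_pool, Live 0x0000000000000000
dm_bio_prison 20480 1 dm_thin_pool, Live 0x0000000000000000
dm_mod 180224 9 dm_thin_pool,dm_bio_prison, Live 0x0000000000000000
ext4 983040 2 - Live 0x0000000000000000
EOF
}

dm_exposure() {
    # $1: file to read, or - for stdin (default: the live /proc/modules).
    # Built-in (non-modular) device mapper never appears in /proc/modules.
    awk '
        $1 ~ /^dm_/ {
            loaded = 1
            # a non-zero refcount means "modprobe -r" refuses to unload
            printf "%s refcount=%s %s\n", $1, $3, ($3 > 0 ? "in-use" : "idle")
            # assumption: the btree code is built into dm_persistent_data
            if ($1 == "dm_persistent_data") btree = 1
        }
        END {
            print "RESULT " (!loaded ? "no-device-mapper" : \
                (btree ? "btree-code-loaded" : "dm-loaded-no-btree"))
        }
    ' "${1:-/proc/modules}"
}

# Demo on the constructed sample; call dm_exposure with no argument on a live host.
sample_modules | dm_exposure -
```

A RESULT of btree-code-loaded on an unpatched kernel means the affected code is resident; any module shown as in-use will block the unload workaround until its devices are torn down.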
📡 Detection & Monitoring
Log Indicators:
- Kernel panic messages in /var/log/messages or dmesg
- OOM killer activity related to kernel memory
Network Indicators:
- None - local vulnerability only
SIEM Query:
Search for kernel panic events or abnormal system crashes in system logs
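One way to turn the log indicators above into a concrete search, as an added example (not part of the original advisory): it groups kernel log lines into crash reports and notes which device-mapper modules appear in each report. The log lines are constructed, `dm_crash_triage` and `sample_klog` are names made up for this example, and KASAN lines only appear on kernels built with KASAN.

```shell
#!/bin/sh
# Added example: triage kernel log text for crash reports with device-mapper frames.

sample_klog() {   # constructed log lines, not captured from a real system
cat <<'EOF'
[  101.000001] BUG: KASAN: use-after-free in dm_btree_remove+0x1a0/0x9c0 [dm_persistent_data]
[  101.000002] Call Trace:
[  101.000003]  dm_btree_remove+0x1a0/0x9c0 [dm_persistent_data]
[  101.000004]  dm_pool_delete_thin_device+0x44/0x90 [dm_thin_pool]
[  101.000005] ---[ end trace 0000000000000000 ]---
[  250.000001] BUG: unable to handle page fault for address: ffff888000000000
[  250.000002] Call Trace:
[  250.000003]  ext4_readdir+0x10/0x20
[  250.000004] ---[ end trace 0000000000000000 ]---
EOF
}

dm_crash_triage() {
    # $1: kernel log file, or - for stdin. Prints one line per crash report.
    awk '
        function emit() {
            if (open) printf "%s dm=%s\n", kind, (mods == "" ? "no" : mods)
            open = 0; mods = ""
        }
        /BUG: KASAN:|BUG: unable to handle|general protection fault|Kernel panic - not syncing/ {
            emit(); open = 1
            kind = (/KASAN/ ? "kasan" : (/panic/ ? "panic" : "oops"))
        }
        open {
            # collect [dm_*] module tags from the header and the stack frames
            line = $0
            while (match(line, /\[dm_[a-z0-9_]+\]/)) {
                tag = substr(line, RSTART + 1, RLENGTH - 2)
                if (index("," mods ",", "," tag ",") == 0)
                    mods = (mods == "" ? tag : mods "," tag)
                line = substr(line, RSTART + RLENGTH)
            }
        }
        /---\[ end trace/ { emit() }
        END { emit() }
    ' "${1:--}"
}

# Demo on the constructed sample; on a host, pipe in "dmesg" or "journalctl -k".
sample_klog | dm_crash_triage -
```

Reports with a dm= module list are the ones worth correlating with the kernel version and patch status; reports marked dm=no are unrelated crashes.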
🔗 References
- https://git.kernel.org/stable/c/0e21e6cd5eebfc929ac5fa3b97ca2d4ace3cb6a3
- https://git.kernel.org/stable/c/1b8d2789dad0005fd5e7d35dab26a8e1203fb6da
- https://git.kernel.org/stable/c/293f957be5e39720778fb1851ced7f5fba6d51c3
- https://git.kernel.org/stable/c/501ecd90efdc9b2edc6c28852ecd098a4adf8f00
- https://git.kernel.org/stable/c/607beb420b3fe23b948a9bf447d993521a02fbbb
- https://git.kernel.org/stable/c/66ea642af6fd4eacb5d0271a922130fcf8700424
- https://git.kernel.org/stable/c/a48f6a2bf33734ec5669ee03067dfb6c5b4818d6
- https://git.kernel.org/stable/c/b03abd0aa09c05099f537cb05b8460c4298f0861