CVE-2021-47618

5.5 MEDIUM

📋 TL;DR

This vulnerability in the Linux kernel causes a kernel panic when both KASAN (Kernel Address Sanitizer) and kprobes are enabled on ARM32 systems. The interaction between KASAN's register modifications and kprobes' instruction simulation leads to NULL pointer dereferences, resulting in system crashes. This affects ARM32 Linux systems with both debugging features enabled.

💻 Affected Systems

Products:
  • Linux kernel
Versions: Specific affected versions not explicitly stated in CVE, but references indicate stable kernel patches from 2022.
Operating Systems: Linux distributions running on ARM32 architecture
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when both KASAN and kprobes are enabled on ARM32 systems. Most production systems do not enable these debugging features.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...


⚠️ Risk & Real-World Impact

🔴

Worst Case

Kernel panic leading to complete system crash and denial of service, potentially causing data loss or service disruption.

🟠

Likely Case

System crash when kprobes are used on KASAN-enabled ARM32 systems, requiring reboot to restore functionality.

🟢

If Mitigated

No impact if either KASAN or kprobes are disabled, or if the system is not ARM32 architecture.

🌐 Internet-Facing: LOW - Requires local access and specific debugging configurations to trigger.
🏢 Internal Only: LOW - Only affects systems with both KASAN and kprobes enabled, which are typically development/debugging environments.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: NO
Unauthenticated Exploit: ✅ No
Complexity: HIGH

Exploitation requires local access and ability to load kprobes on a system with KASAN enabled. Primarily a denial of service issue rather than privilege escalation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Patches available in stable kernel trees (commits: 1515e72aae803fc6b466adf918e71c4e4c9d5b3d, 8b59b0a53c840921b625378f137e88adfa87647e, ba1863be105b06e10d0e2f6b1b8a0570801cfc71)

Vendor Advisory: https://git.kernel.org/stable/c/1515e72aae803fc6b466adf918e71c4e4c9d5b3d

Restart Required: Yes

Instructions:

1. Update to a patched Linux kernel version.
2. Rebuild the kernel if you use a custom build.
3. Reboot the system to load the new kernel.

🔧 Temporary Workarounds

Disable KASAN

linux

Disable Kernel Address Sanitizer feature

Rebuild kernel with CONFIG_KASAN=n

Disable kprobes

linux

Disable kernel probes debugging feature

Rebuild kernel with CONFIG_KPROBES=n or prevent kprobe usage

🧯 If You Can't Patch

  • Ensure KASAN is disabled in kernel configuration
  • Restrict kprobe usage to authorized users only

🔍 How to Verify

Check if Vulnerable:

Check whether the system is an ARM32 Linux host with both features enabled: 'uname -m' should report armv7l or similar, and the kernel configuration should contain CONFIG_KASAN=y and CONFIG_KPROBES=y.

Check Version:

uname -r

Verify Fix Applied:

Confirm that the running kernel includes the fix commits, or test on a KASAN-enabled ARM32 system that using kprobes no longer causes a panic.
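The "Check if Vulnerable" step above, written out as an added POSIX shell script (example code, not part of this advisory). It reads the machine string and the kernel configuration and prints a one-word verdict. Beyond the advisory's own check it also treats CONFIG_ARM64=y as disqualifying, so a 32-bit userland on an arm64 kernel (which reports armv8l from uname -m) is not mis-flagged. The function names, the constructed sample config, and the config locations it tries (/proc/config.gz and /boot/config-$(uname -r)) are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the advisory: does this kernel build match the
# vulnerable configuration (ARM32 + CONFIG_KASAN=y + CONFIG_KPROBES=y)?

# is_arm32 ARCH -> status 0 when ARCH (as printed by uname -m) is a 32-bit ARM string.
# Note: aarch64 does not match "arm*"; armv8l does, and is caught via the config below.
is_arm32() {
    case "$1" in
        arm*) return 0 ;;
        *)    return 1 ;;
    esac
}

# config_has KEY FILE -> status 0 when FILE contains exactly the line "KEY=y".
# Whole-line match, so "# CONFIG_KASAN is not set" and CONFIG_ARM64 do not count for CONFIG_ARM.
config_has() {
    grep -qx "$1=y" "$2"
}

# classify ARCH CONFIG_FILE -> prints exposed | not-arm32 | kasan-off | kprobes-off (always status 0)
classify() {
    arch=$1
    cfg=$2
    if ! is_arm32 "$arch"; then
        echo not-arm32
    elif config_has CONFIG_ARM64 "$cfg"; then
        echo not-arm32            # 32-bit userland (armv8l) on a 64-bit kernel
    elif ! config_has CONFIG_KASAN "$cfg"; then
        echo kasan-off
    elif ! config_has CONFIG_KPROBES "$cfg"; then
        echo kprobes-off
    else
        echo exposed
    fi
    return 0
}

# running_kernel_config -> prints a readable config path for the running kernel, or nothing.
# Assumed locations: /proc/config.gz (needs CONFIG_IKCONFIG_PROC) or /boot/config-$(uname -r).
running_kernel_config() {
    if [ -r /proc/config.gz ]; then
        tmp=$(mktemp) && gzip -dc /proc/config.gz > "$tmp" && echo "$tmp"
    elif [ -r "/boot/config-$(uname -r)" ]; then
        echo "/boot/config-$(uname -r)"
    fi
}

# Demo on a constructed config file (not the running kernel's):
sample=$(mktemp)
printf 'CONFIG_ARM=y\nCONFIG_KASAN=y\nCONFIG_KPROBES=y\n' > "$sample"
echo "constructed armv7l build: $(classify armv7l "$sample")"   # exposed
rm -f "$sample"

# Then the running host, if its config is readable:
cfg=$(running_kernel_config)
if [ -n "$cfg" ]; then
    echo "this host ($(uname -m)): $(classify "$(uname -m)" "$cfg")"
fi
```

A verdict of "exposed" only means the configuration matches; it does not confirm the running kernel lacks the fix commits, which is the separate "Verify Fix Applied" step.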

📡 Detection & Monitoring

Log Indicators:

  • Kernel panic messages mentioning 'Unable to handle kernel NULL pointer dereference' during kprobe operations
  • Oops messages with references to emulate_ldr or kprobe_handler

Network Indicators:

  • None - local vulnerability only

SIEM Query:

kernel:panic AND ("NULL pointer dereference" OR "emulate_ldr" OR "kprobe_handler")
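The log indicators and SIEM query above, applied to a saved kernel log (for example the output of dmesg or journalctl -k written to a file) as an added shell example that is not part of this advisory. The sample log lines are constructed, including the symbol offsets, and the function names are assumptions of the example. matches_query reproduces the AND/OR structure of the query, so a log that mentions kprobe_handler without a panic or Oops does not alert.

```shell
#!/bin/sh
# Added example, not from the advisory: offline check of a kernel log against the
# indicators listed above. Operates on a file so each pattern can be tested separately.

INDICATOR_RE='NULL pointer dereference|emulate_ldr|kprobe_handler'
PANIC_RE='Kernel panic|Oops|Internal error'

# count_indicators FILE -> prints how many lines match any indicator (0 when none)
count_indicators() {
    grep -cE "$INDICATOR_RE" "$1" || true     # grep -c exits 1 on zero matches; keep set -e happy
}

# matches_query FILE -> status 0 when the log has a panic/Oops line AND at least one indicator,
# mirroring: kernel:panic AND ("NULL pointer dereference" OR "emulate_ldr" OR "kprobe_handler")
matches_query() {
    if grep -qE "$PANIC_RE" "$1" && grep -qE "$INDICATOR_RE" "$1"; then
        return 0
    fi
    return 1
}

# make_sample_log -> writes a constructed crash log and prints its path.
# Message shapes follow the ARM32 oops format; timestamps and offsets are made up.
make_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
[  123.456789] Unable to handle kernel NULL pointer dereference at virtual address 00000000
[  123.456801] PC is at emulate_ldr+0x18/0x40
[  123.456812] LR is at kprobe_handler+0x64/0xf0
[  123.456999] Kernel panic - not syncing: Fatal exception in interrupt
[  200.000000] usb 1-1: new high-speed USB device number 2 using xhci_hcd
EOF
    echo "$f"
}

# make_benign_log -> constructed log that names kprobe_handler but contains no panic
make_benign_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
[  300.000000] usb 1-1: new high-speed USB device number 2 using xhci_hcd
[  301.000000] kprobe_handler: probe registered (constructed benign line)
EOF
    echo "$f"
}

# Demo: crash log alerts, benign log does not.
for mk in make_sample_log make_benign_log; do
    log=$($mk)
    hits=$(count_indicators "$log")
    if matches_query "$log"; then
        echo "$mk: ALERT ($hits indicator lines, panic present)"
    else
        echo "$mk: no alert ($hits indicator lines)"
    fi
    rm -f "$log"
done
```

Run it against a log you have saved rather than a live pipe: both greps in matches_query read the file, so a single stream such as dmesg piped to stdin would be consumed by the first one.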
