CVE-2021-47646

7.8 HIGH

📋 TL;DR

This CVE involves a use-after-free vulnerability in the Linux kernel's BFQ I/O scheduler that could lead to system crashes or potential privilege escalation. It affects Linux systems using the BFQ scheduler with specific configurations. The vulnerability was introduced by one commit, triggered by another, and fixed by a third commit.

💻 Affected Systems

Products:
  • Linux kernel
Versions: Specific kernel versions between the introduction and fix of the vulnerability (exact range depends on distribution backports)
Operating Systems: Linux distributions using affected kernel versions
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when using the BFQ I/O scheduler (CONFIG_IOSCHED_BFQ=y). Many distributions don't enable BFQ by default.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

⚠️ Risk & Real-World Impact

🔴 Worst Case: Kernel panic leading to system crash, potential privilege escalation to kernel mode, or system instability requiring reboot.

🟠 Likely Case: System crash or kernel panic when specific I/O operations occur with BFQ scheduler configurations.

🟢 If Mitigated: Minimal impact if BFQ scheduler is not in use or systems are properly patched.

🌐 Internet-Facing: LOW - Requires local access or ability to execute code on the system.
🏢 Internal Only: MEDIUM - Local users or processes could trigger the vulnerability leading to system instability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires local access and ability to trigger specific I/O operations with BFQ scheduler. No known public exploits.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Kernel commit d29bd41428cf and subsequent commits that restore 2d52c58b9c9b

Vendor Advisory: https://git.kernel.org/stable/c/15729ff8143f8135b03988a100a19e66d7cb7ecd

Restart Required: Yes

Instructions:

1. Update to a patched kernel version from your distribution vendor.
2. For custom kernels, apply commits d29bd41428cf and 2d52c58b9c9b.
3. Reboot the system after kernel update.

🔧 Temporary Workarounds

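Disable BFQ scheduler

Switch the device to a different I/O scheduler such as mq-deadline. The schedulers a device supports are listed in /sys/block/[device]/queue/scheduler, with the active one shown in square brackets. CFQ is a legacy single-queue scheduler and is not offered on the multi-queue (blk-mq) devices that can run BFQ, so writing cfq there is rejected. The change takes effect immediately but does not persist across reboots.

echo mq-deadline > /sys/block/[device]/queue/scheduler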

🧯 If You Can't Patch

  • Disable BFQ scheduler on all block devices
  • Restrict local user access to systems where patching isn't possible

🔍 How to Verify

Check if Vulnerable:

Check kernel version and if BFQ scheduler is active: uname -r and check /sys/block/*/queue/scheduler
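
The check above as a script, added here as an example (not code from the advisory or the kernel project): it reads each device's queue/scheduler file and reports the devices whose active, bracketed scheduler is bfq. The function names, the SYSFS_BLOCK override and the sample tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: list block devices whose *active* I/O scheduler is BFQ.
# SYSFS_BLOCK is a hypothetical override for testing; default is /sys/block.

# active_scheduler FILE -> prints the bracketed entry of a queue/scheduler file.
# File content looks like: "mq-deadline kyber [bfq] none"
active_scheduler() {
    sed -n 's/.*\[\([^]]*\)\].*/\1/p' "$1"
}

# bfq_devices [DIR] -> prints one device name per line where BFQ is active.
# BFQ merely being listed (unbracketed) means available, not in use.
bfq_devices() {
    root="${1:-${SYSFS_BLOCK:-/sys/block}}"
    for f in "$root"/*/queue/scheduler; do
        [ -r "$f" ] || continue            # glob matched nothing / unreadable
        dev=${f#"$root"/}                  # strip the leading directory
        dev=${dev%%/*}                     # keep only the device name
        if [ "$(active_scheduler "$f")" = "bfq" ]; then
            echo "$dev"
        fi
    done
    return 0
}

# make_sample_tree -> builds a constructed sysfs-like tree, prints its path.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/sda/queue" "$d/sdb/queue" "$d/nvme0n1/queue"
    echo "mq-deadline kyber [bfq] none" > "$d/sda/queue/scheduler"   # BFQ active
    echo "[mq-deadline] kyber bfq none" > "$d/sdb/queue/scheduler"   # BFQ only available
    echo "[none] mq-deadline"           > "$d/nvme0n1/queue/scheduler"
    echo "$d"
}

# On a real host: show the running kernel, then the devices currently on BFQ.
echo "kernel: $(uname -r)"
bfq_devices
```

An empty device list means no block device is currently scheduled by BFQ; whether the running kernel carries the fix still has to be confirmed against the distribution's advisory.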

Check Version:

uname -r

Verify Fix Applied:

Verify kernel version is patched and test with stress I/O operations

📡 Detection & Monitoring

Log Indicators:

  • Kernel panic messages in dmesg or system logs
  • Oops messages related to BFQ or block layer

Network Indicators:

  • None - local vulnerability only

SIEM Query:

search 'kernel panic' OR 'Oops' OR 'BFQ' in system logs
