{
    "dataType": "CVE_RECORD",
    "dataVersion": "5.2",
    "cveMetadata": {
        "cveId": "CVE-2021-47634",
        "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "state": "PUBLISHED",
        "assignerShortName": "Linux",
        "dateReserved": "2025-02-26T01:48:21.518Z",
        "datePublished": "2025-02-26T01:54:09.135Z",
        "dateUpdated": "2026-05-23T15:20:22.061Z"
    },
    "containers": {
        "cna": {
            "providerMetadata": {
                "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
                "shortName": "Linux",
                "dateUpdated": "2026-05-23T15:20:22.061Z"
            },
            "descriptions": [
                {
                    "lang": "en",
                    "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nubi: Fix race condition between ctrl_cdev_ioctl and ubi_cdev_ioctl\n\nHulk Robot reported a KASAN report about use-after-free:\n ==================================================================\n BUG: KASAN: use-after-free in __list_del_entry_valid+0x13d/0x160\n Read of size 8 at addr ffff888035e37d98 by task ubiattach/1385\n [...]\n Call Trace:\n  klist_dec_and_del+0xa7/0x4a0\n  klist_put+0xc7/0x1a0\n  device_del+0x4d4/0xed0\n  cdev_device_del+0x1a/0x80\n  ubi_attach_mtd_dev+0x2951/0x34b0 [ubi]\n  ctrl_cdev_ioctl+0x286/0x2f0 [ubi]\n\n Allocated by task 1414:\n  device_add+0x60a/0x18b0\n  cdev_device_add+0x103/0x170\n  ubi_create_volume+0x1118/0x1a10 [ubi]\n  ubi_cdev_ioctl+0xb7f/0x1ba0 [ubi]\n\n Freed by task 1385:\n  cdev_device_del+0x1a/0x80\n  ubi_remove_volume+0x438/0x6c0 [ubi]\n  ubi_cdev_ioctl+0xbf4/0x1ba0 [ubi]\n [...]\n ==================================================================\n\nThe lock held by ctrl_cdev_ioctl is ubi_devices_mutex, but the lock held\nby ubi_cdev_ioctl is ubi->device_mutex. Therefore, the two locks can be\nconcurrent.\n\nctrl_cdev_ioctl contains two operations: ubi_attach and ubi_detach.\nubi_detach is bug-free because it uses reference counting to prevent\nconcurrency. However, uif_init and uif_close in ubi_attach may race with\nubi_cdev_ioctl.\n\nuif_init will race with ubi_cdev_ioctl as in the following stack.\n           cpu1                   cpu2                  cpu3\n_______________________|________________________|______________________\nctrl_cdev_ioctl\n ubi_attach_mtd_dev\n  uif_init\n                           ubi_cdev_ioctl\n                            ubi_create_volume\n                             cdev_device_add\n   ubi_add_volume\n   // sysfs exist\n   kill_volumes\n                                                    ubi_cdev_ioctl\n                                                     ubi_remove_volume\n                                                      cdev_device_del\n                                                       // first free\n    ubi_free_volume\n     cdev_del\n     // double free\n   cdev_device_del\n\nAnd uif_close will race with ubi_cdev_ioctl as in the following stack.\n           cpu1                   cpu2                  cpu3\n_______________________|________________________|______________________\nctrl_cdev_ioctl\n ubi_attach_mtd_dev\n  uif_init\n                           ubi_cdev_ioctl\n                            ubi_create_volume\n                             cdev_device_add\n  ubi_debugfs_init_dev\n  //error goto out_uif;\n  uif_close\n   kill_volumes\n                                                    ubi_cdev_ioctl\n                                                     ubi_remove_volume\n                                                      cdev_device_del\n                                                       // first free\n    ubi_free_volume\n    // double free\n\nThe cause of this problem is that commit 714fb87e8bc0 make device\n\"available\" before it becomes accessible via sysfs. Therefore, we\nroll back the modification. We will fix the race condition between\nubi device creation and udev by removing ubi_get_device in\nvol_attribute_show and dev_attribute_show.This avoids accessing\nuninitialized ubi_devices[ubi_num].\n\nubi_get_device is used to prevent devices from being deleted during\nsysfs execution. However, now kernfs ensures that devices will not\nbe deleted before all reference counting are released.\nThe key process is shown in the following stack.\n\ndevice_del\n  device_remove_attrs\n    device_remove_groups\n      sysfs_remove_groups\n        sysfs_remove_group\n          remove_files\n            kernfs_remove_by_name\n              kernfs_remove_by_name_ns\n                __kernfs_remove\n                  kernfs_drain"
                }
            ],
            "affected": [
                {
                    "product": "Linux",
                    "vendor": "Linux",
                    "defaultStatus": "unaffected",
                    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
                    "programFiles": [
                        "drivers/mtd/ubi/build.c",
                        "drivers/mtd/ubi/vmt.c"
                    ],
                    "versions": [
                        {
                            "version": "714fb87e8bc05ff78255afc0dca981e8c5242785",
                            "lessThan": "f149b1bd213820363731aa119e5011ca892a2aac",
                            "status": "affected",
                            "versionType": "git"
                        },
                        {
                            "version": "714fb87e8bc05ff78255afc0dca981e8c5242785",
                            "lessThan": "a8ecee49259f8f78d91ddb329ab2be7e6fd01974",
                            "status": "affected",
                            "versionType": "git"
                        },
                        {
                            "version": "714fb87e8bc05ff78255afc0dca981e8c5242785",
                            "lessThan": "d727fd32cbd1abf3465f607021bc9c746f17b5a8",
                            "status": "affected",
                            "versionType": "git"
                        },
                        {
                            "version": "714fb87e8bc05ff78255afc0dca981e8c5242785",
                            "lessThan": "432b057f8e847ae5a2306515606f8d2defaca178",
                            "status": "affected",
                            "versionType": "git"
                        },
                        {
                            "version": "714fb87e8bc05ff78255afc0dca981e8c5242785",
                            "lessThan": "1a3f1cf87054833242fcd0218de0481cf855f888",
                            "status": "affected",
                            "versionType": "git"
                        },
                        {
                            "version": "714fb87e8bc05ff78255afc0dca981e8c5242785",
                            "lessThan": "c32fe764191b8ae8b128588beb96e3718d9179d8",
                            "status": "affected",
                            "versionType": "git"
                        },
                        {
                            "version": "714fb87e8bc05ff78255afc0dca981e8c5242785",
                            "lessThan": "5f9e9c223e48c264241d2f34d0bfc29e5fcb5c1b",
                            "status": "affected",
                            "versionType": "git"
                        },
                        {
                            "version": "714fb87e8bc05ff78255afc0dca981e8c5242785",
                            "lessThan": "3cbf0e392f173ba0ce425968c8374a6aa3e90f2e",
                            "status": "affected",
                            "versionType": "git"
                        },
                        {
                            "version": "016820bde3f0895d09fcad370415085ba0d1bd4a",
                            "status": "affected",
                            "versionType": "git"
                        },
                        {
                            "version": "12f567db822241090b90c5645ea9146f6cf8fa42",
                            "status": "affected",
                            "versionType": "git"
                        },
                        {
                            "version": "31b0fca8ab9b9786fe6e5027c4a8587b47db5abf",
                            "status": "affected",
                            "versionType": "git"
                        },
                        {
                            "version": "6117840dec60344167038f9511c3770d4c096eaa",
                            "status": "affected",
                            "versionType": "git"
                        },
                        {
                            "version": "bd7d3de27e7e1acce2e276074a498a82e0834663",
                            "status": "affected",
                            "versionType": "git"
                        },
                        {
                            "version": "cdf25333b42fb889f086ef65d0734d0dbdc49f4e",
                            "status": "affected",
                            "versionType": "git"
                        },
                        {
                            "version": "ae32d1b98ba29408df87c0ed47877ca0f248eae7",
                            "status": "affected",
                            "versionType": "git"
                        },
                        {
                            "version": "4056337b1e81a1b137aa562133dc5430cd2fd19e",
                            "status": "affected",
                            "versionType": "git"
                        },
                        {
                            "version": "f3db4c640b32485105554e0bfd16bbde585f6fb0",
                            "status": "affected",
                            "versionType": "git"
                        },
                        {
                            "version": "3.2.84",
                            "lessThan": "3.3",
                            "status": "affected",
                            "versionType": "semver"
                        },
                        {
                            "version": "3.10.103",
                            "lessThan": "3.11",
                            "status": "affected",
                            "versionType": "semver"
                        },
                        {
                            "version": "3.12.63",
                            "lessThan": "3.13",
                            "status": "affected",
                            "versionType": "semver"
                        },
                        {
                            "version": "3.14.77",
                            "lessThan": "3.15",
                            "status": "affected",
                            "versionType": "semver"
                        },
                        {
                            "version": "3.16.39",
                            "lessThan": "3.17",
                            "status": "affected",
                            "versionType": "semver"
                        },
                        {
                            "version": "3.18.40",
                            "lessThan": "3.19",
                            "status": "affected",
                            "versionType": "semver"
                        },
                        {
                            "version": "4.1.31",
                            "lessThan": "4.2",
                            "status": "affected",
                            "versionType": "semver"
                        },
                        {
                            "version": "4.4.19",
                            "lessThan": "4.5",
                            "status": "affected",
                            "versionType": "semver"
                        },
                        {
                            "version": "4.7.2",
                            "lessThan": "4.8",
                            "status": "affected",
                            "versionType": "semver"
                        }
                    ]
                },
                {
                    "product": "Linux",
                    "vendor": "Linux",
                    "defaultStatus": "affected",
                    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
                    "programFiles": [
                        "drivers/mtd/ubi/build.c",
                        "drivers/mtd/ubi/vmt.c"
                    ],
                    "versions": [
                        {
                            "version": "4.8",
                            "status": "affected"
                        },
                        {
                            "version": "0",
                            "lessThan": "4.8",
                            "status": "unaffected",
                            "versionType": "semver"
                        },
                        {
                            "version": "4.14.276",
                            "lessThanOrEqual": "4.14.*",
                            "status": "unaffected",
                            "versionType": "semver"
                        },
                        {
                            "version": "4.19.238",
                            "lessThanOrEqual": "4.19.*",
                            "status": "unaffected",
                            "versionType": "semver"
                        },
                        {
                            "version": "5.4.189",
                            "lessThanOrEqual": "5.4.*",
                            "status": "unaffected",
                            "versionType": "semver"
                        },
                        {
                            "version": "5.10.110",
                            "lessThanOrEqual": "5.10.*",
                            "status": "unaffected",
                            "versionType": "semver"
                        },
                        {
                            "version": "5.15.33",
                            "lessThanOrEqual": "5.15.*",
                            "status": "unaffected",
                            "versionType": "semver"
                        },
                        {
                            "version": "5.16.19",
                            "lessThanOrEqual": "5.16.*",
                            "status": "unaffected",
                            "versionType": "semver"
                        },
                        {
                            "version": "5.17.2",
                            "lessThanOrEqual": "5.17.*",
                            "status": "unaffected",
                            "versionType": "semver"
                        },
                        {
                            "version": "5.18",
                            "lessThanOrEqual": "*",
                            "status": "unaffected",
                            "versionType": "original_commit_for_fix"
                        }
                    ]
                }
            ],
            "cpeApplicability": [
                {
                    "nodes": [
                        {
                            "operator": "OR",
                            "negate": false,
                            "cpeMatch": [
                                {
                                    "vulnerable": true,
                                    "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                                    "versionStartIncluding": "4.8",
                                    "versionEndExcluding": "4.14.276"
                                },
                                {
                                    "vulnerable": true,
                                    "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                                    "versionStartIncluding": "4.8",
                                    "versionEndExcluding": "4.19.238"
                                },
                                {
                                    "vulnerable": true,
                                    "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                                    "versionStartIncluding": "4.8",
                                    "versionEndExcluding": "5.4.189"
                                },
                                {
                                    "vulnerable": true,
                                    "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                                    "versionStartIncluding": "4.8",
                                    "versionEndExcluding": "5.10.110"
                                },
                                {
                                    "vulnerable": true,
                                    "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                                    "versionStartIncluding": "4.8",
                                    "versionEndExcluding": "5.15.33"
                                },
                                {
                                    "vulnerable": true,
                                    "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                                    "versionStartIncluding": "4.8",
                                    "versionEndExcluding": "5.16.19"
                                },
                                {
                                    "vulnerable": true,
                                    "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                                    "versionStartIncluding": "4.8",
                                    "versionEndExcluding": "5.17.2"
                                },
                                {
                                    "vulnerable": true,
                                    "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                                    "versionStartIncluding": "4.8",
                                    "versionEndExcluding": "5.18"
                                },
                                {
                                    "vulnerable": true,
                                    "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                                    "versionStartIncluding": "3.2.84"
                                },
                                {
                                    "vulnerable": true,
                                    "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                                    "versionStartIncluding": "3.10.103"
                                },
                                {
                                    "vulnerable": true,
                                    "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                                    "versionStartIncluding": "3.12.63"
                                },
                                {
                                    "vulnerable": true,
                                    "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                                    "versionStartIncluding": "3.14.77"
                                },
                                {
                                    "vulnerable": true,
                                    "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                                    "versionStartIncluding": "3.16.39"
                                },
                                {
                                    "vulnerable": true,
                                    "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                                    "versionStartIncluding": "3.18.40"
                                },
                                {
                                    "vulnerable": true,
                                    "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                                    "versionStartIncluding": "4.1.31"
                                },
                                {
                                    "vulnerable": true,
                                    "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                                    "versionStartIncluding": "4.4.19"
                                },
                                {
                                    "vulnerable": true,
                                    "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                                    "versionStartIncluding": "4.7.2"
                                }
                            ]
                        }
                    ]
                }
            ],
            "references": [
                {
                    "url": "https://git.kernel.org/stable/c/f149b1bd213820363731aa119e5011ca892a2aac"
                },
                {
                    "url": "https://git.kernel.org/stable/c/a8ecee49259f8f78d91ddb329ab2be7e6fd01974"
                },
                {
                    "url": "https://git.kernel.org/stable/c/d727fd32cbd1abf3465f607021bc9c746f17b5a8"
                },
                {
                    "url": "https://git.kernel.org/stable/c/432b057f8e847ae5a2306515606f8d2defaca178"
                },
                {
                    "url": "https://git.kernel.org/stable/c/1a3f1cf87054833242fcd0218de0481cf855f888"
                },
                {
                    "url": "https://git.kernel.org/stable/c/c32fe764191b8ae8b128588beb96e3718d9179d8"
                },
                {
                    "url": "https://git.kernel.org/stable/c/5f9e9c223e48c264241d2f34d0bfc29e5fcb5c1b"
                },
                {
                    "url": "https://git.kernel.org/stable/c/3cbf0e392f173ba0ce425968c8374a6aa3e90f2e"
                }
            ],
            "title": "ubi: Fix race condition between ctrl_cdev_ioctl and ubi_cdev_ioctl",
            "x_generator": {
                "engine": "bippy-1.2.0"
            }
        },
        "adp": [
            {
                "metrics": [
                    {
                        "cvssV3_1": {
                            "scope": "UNCHANGED",
                            "version": "3.1",
                            "baseScore": 7.8,
                            "attackVector": "LOCAL",
                            "baseSeverity": "HIGH",
                            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                            "integrityImpact": "HIGH",
                            "userInteraction": "NONE",
                            "attackComplexity": "LOW",
                            "availabilityImpact": "HIGH",
                            "privilegesRequired": "LOW",
                            "confidentialityImpact": "HIGH"
                        }
                    },
                    {
                        "other": {
                            "type": "ssvc",
                            "content": {
                                "id": "CVE-2021-47634",
                                "role": "CISA Coordinator",
                                "options": [
                                    {
                                        "Exploitation": "none"
                                    },
                                    {
                                        "Automatable": "no"
                                    },
                                    {
                                        "Technical Impact": "total"
                                    }
                                ],
                                "version": "2.0.3",
                                "timestamp": "2025-02-27T18:17:56.634866Z"
                            }
                        }
                    }
                ],
                "problemTypes": [
                    {
                        "descriptions": [
                            {
                                "lang": "en",
                                "type": "CWE",
                                "cweId": "CWE-416",
                                "description": "CWE-416 Use After Free"
                            }
                        ]
                    }
                ],
                "title": "CISA ADP Vulnrichment",
                "providerMetadata": {
                    "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
                    "shortName": "CISA-ADP",
                    "dateUpdated": "2025-02-27T18:22:36.034Z"
                }
            }
        ]
    }
}