LiveActive security incident?Get immediate response
CVE Record

CVE-2021-47004: f2fs: fix to avoid touching checkpointed data in get_victim()

In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to avoid touching checkpointed data in get_victim() In CP disabling mode, there are two issues when using LFS or SSR | AT_SSR mode to select victim: 1. LFS is set to find source section during GC, the victim should have no checkpointed data, since after GC, section could not be set free for reuse. Previously, we only check valid chpt blocks in current segment rather than section, fix it. 2. SSR | AT_SSR are set to find target segment for writes which can be fully filled by checkpointed and newly written blocks, we should never select such segment, otherwise it can cause panic or data corruption during allocation, potential case is described as below: a) target segment has 'n' (n < 512) ckpt valid blocks b) GC migrates 'n' valid blocks to other segment (segment is still in dirty list) c) GC migrates '512 - n' blocks to target segment (segment has 'n' cp_vblocks and '512 - n' vblocks) d) If GC selects target segment via {AT,}SSR allocator, however there is no free space in targe segment.

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysismoderate

Security readout for executives and security teams

Plain-English summary

This Linux kernel flaw affects F2FS garbage collection in checkpoint-disabling mode. Under specific allocation conditions, the filesystem can select a segment that is not actually reusable, leading to kernel panic or data corruption. Business risk is mainly availability and data integrity on systems that use F2FS, not broad remote compromise.

Executive priority

Treat as a targeted storage reliability issue. It deserves prompt handling where F2FS is used for important data, but the provided sources do not support emergency remote-exploitation prioritization.

Technical view

The issue is in F2FS get_victim() victim selection. In CP disabling mode, LFS could consider only checkpointed blocks in the current segment instead of the whole section, and SSR/AT_SSR could select fully occupied target segments. The resolved behavior avoids touching checkpointed data that cannot be safely reclaimed.

Likely exposure

Exposure appears limited to Linux systems using F2FS, especially configurations involving checkpoint disabling and garbage collection. The source lists Linux kernel affected ranges and stable fix commits, but distro-specific backports are not identified in the bundle.

Exploitation context

The bundle does not cite public exploitation, proof-of-concept activity, or CISA KEV listing. The described impact is panic or data corruption during allocation, suggesting a reliability and integrity issue requiring the vulnerable F2FS condition to be present.

Researcher notes

Key review areas are F2FS garbage collection victim selection, checkpointed block accounting at section versus segment scope, and SSR/AT_SSR target selection. Evidence is limited to the CVE record and kernel stable commits.

Mitigation direction

  • Update to a vendor kernel containing the referenced F2FS stable fixes.
  • Check distribution advisories for backported fixes before relying on version numbers alone.
  • Prioritize systems using F2FS with checkpoint-disabling workflows.
  • Maintain current backups for affected F2FS storage until remediation is verified.
  • Avoid unsupported kernel builds missing the referenced stable commits.

Validation and detection

  • Inventory Linux hosts using F2FS filesystems.
  • Identify kernel versions and vendor patch levels on those hosts.
  • Confirm whether kernel source or package changelog includes the referenced fix commits.
  • Review system logs for F2FS panic, allocation, or corruption symptoms.
  • Validate backups and filesystem health after updating affected systems.
Prepared
Confidence
medium
Sources
6

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2021-47004 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
2ADP providers
5Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: partial

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CVECVE Program Container
CISA-ADPCISA ADP Vulnrichment
other:ssvc
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinux4354994f097d068a894aa1a0860da54571df3582, 4354994f097d068a894aa1a0860da54571df3582, 4354994f097d068a894aa1a0860da54571df3582, 4354994f097d068a894aa1a0860da54571df3582unaffected
LinuxLinux4.20, 0, 5.10.38, 5.11.22, 5.12.5, 5.13affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.