CVE-2021-47026: RDMA/rtrs-clt: destroy sysfs after removing session from active list
In the Linux kernel, the following vulnerability has been resolved:
RDMA/rtrs-clt: destroy sysfs after removing session from active list
A session can be removed dynamically by sysfs interface "remove_path" that
eventually calls rtrs_clt_remove_path_from_sysfs function. The current
rtrs_clt_remove_path_from_sysfs first removes the sysfs interfaces and
frees sess->stats object. Second it removes the session from the active
list.
Therefore some functions could access non-connected session and access the
freed sess->stats object even-if they check the session status before
accessing the session.
For instance rtrs_clt_request and get_next_path_min_inflight check the
session status and try to send IO to the session. The session status
could be changed when they are trying to send IO but they could not catch
the change and update the statistics information in sess->stats object,
and generate use-after-free problem.
(see: "RDMA/rtrs-clt: Check state of the rtrs_clt_sess before reading its
stats")
This patch changes the rtrs_clt_remove_path_from_sysfs to remove the
session from the active session list and then destroy the sysfs
interfaces.
Each function still should check the session status because closing or
error recovery paths can change the status.
Security readout for executives and security teams
Plain-English summary
This is a Linux kernel RDMA/RTRS client bug where removing a path through sysfs could leave other code using statistics memory after it was freed. Business risk is concentrated in systems using this kernel feature. The public sources do not provide CVSS, severity, or evidence of active exploitation.
Executive priority
Treat this as a targeted kernel maintenance issue, not a broad internet emergency based on available evidence. Prioritize patch verification for infrastructure using RDMA/RTRS or custom kernels, and rely on vendor advisories for exact package-level remediation.
Technical view
The flaw is a use-after-free in rtrs_clt_remove_path_from_sysfs. The vulnerable sequence destroyed sysfs interfaces and freed sess->stats before removing the session from the active list, allowing request/path-selection code to pass state checks and update freed stats memory. The fix removes the session from the active list before destroying sysfs.
Likely exposure
Exposure appears limited to Linux systems using the RDMA RTRS client path removal interface on affected kernel versions or unfixed downstream builds. The source bundle lists Linux kernel versions and stable commits, but does not map every distribution package or configuration state.
Exploitation context
The CVE is not listed as KEV in the provided bundle, and no cited source states active exploitation. The described trigger involves dynamic path removal through the sysfs remove_path interface while other code may access the session. Practical exploitability is not established by the sources.
Researcher notes
The key race is ordering: stats are freed before active-list removal, so state checks do not prevent concurrent access to freed sess->stats. The patch changes teardown order but still notes functions must check session state because close and recovery paths can change it.
Mitigation direction
Update to a Linux kernel release containing the referenced stable fixes.
Check your distribution vendor advisories for backported fixes.
Prioritize systems using RDMA/RTRS client functionality.
Reduce or disable RTRS client use where operationally feasible until patched.
Avoid direct wrangler deploy; not relevant to this CVE.
Validation and detection
Inventory Linux kernel versions on RDMA-capable systems.
Confirm whether RTRS client functionality is enabled or used.
Check vendor kernel changelogs for CVE-2021-47026 or referenced commits.
Verify patched behavior through distribution package metadata.
Record systems where RDMA/RTRS is absent as lower exposure.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2021-47026 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.