LiveActive security incident?Get immediate response
CVE Record

CVE-2021-47026: RDMA/rtrs-clt: destroy sysfs after removing session from active list

In the Linux kernel, the following vulnerability has been resolved: RDMA/rtrs-clt: destroy sysfs after removing session from active list A session can be removed dynamically by sysfs interface "remove_path" that eventually calls rtrs_clt_remove_path_from_sysfs function. The current rtrs_clt_remove_path_from_sysfs first removes the sysfs interfaces and frees sess->stats object. Second it removes the session from the active list. Therefore some functions could access non-connected session and access the freed sess->stats object even-if they check the session status before accessing the session. For instance rtrs_clt_request and get_next_path_min_inflight check the session status and try to send IO to the session. The session status could be changed when they are trying to send IO but they could not catch the change and update the statistics information in sess->stats object, and generate use-after-free problem. (see: "RDMA/rtrs-clt: Check state of the rtrs_clt_sess before reading its stats") This patch changes the rtrs_clt_remove_path_from_sysfs to remove the session from the active session list and then destroy the sysfs interfaces. Each function still should check the session status because closing or error recovery paths can change the status.

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysisunknown

Security readout for executives and security teams

Plain-English summary

This is a Linux kernel RDMA/RTRS client bug where removing a path through sysfs could leave other code using statistics memory after it was freed. Business risk is concentrated in systems using this kernel feature. The public sources do not provide CVSS, severity, or evidence of active exploitation.

Executive priority

Treat this as a targeted kernel maintenance issue, not a broad internet emergency based on available evidence. Prioritize patch verification for infrastructure using RDMA/RTRS or custom kernels, and rely on vendor advisories for exact package-level remediation.

Technical view

The flaw is a use-after-free in rtrs_clt_remove_path_from_sysfs. The vulnerable sequence destroyed sysfs interfaces and freed sess->stats before removing the session from the active list, allowing request/path-selection code to pass state checks and update freed stats memory. The fix removes the session from the active list before destroying sysfs.

Likely exposure

Exposure appears limited to Linux systems using the RDMA RTRS client path removal interface on affected kernel versions or unfixed downstream builds. The source bundle lists Linux kernel versions and stable commits, but does not map every distribution package or configuration state.

Exploitation context

The CVE is not listed as KEV in the provided bundle, and no cited source states active exploitation. The described trigger involves dynamic path removal through the sysfs remove_path interface while other code may access the session. Practical exploitability is not established by the sources.

Researcher notes

The key race is ordering: stats are freed before active-list removal, so state checks do not prevent concurrent access to freed sess->stats. The patch changes teardown order but still notes functions must check session state because close and recovery paths can change it.

Mitigation direction

  • Update to a Linux kernel release containing the referenced stable fixes.
  • Check your distribution vendor advisories for backported fixes.
  • Prioritize systems using RDMA/RTRS client functionality.
  • Reduce or disable RTRS client use where operationally feasible until patched.
  • Avoid direct wrangler deploy; not relevant to this CVE.

Validation and detection

  • Inventory Linux kernel versions on RDMA-capable systems.
  • Confirm whether RTRS client functionality is enabled or used.
  • Check vendor kernel changelogs for CVE-2021-47026 or referenced commits.
  • Verify patched behavior through distribution package metadata.
  • Record systems where RDMA/RTRS is absent as lower exposure.
Prepared
Confidence
medium
Sources
6

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2021-47026 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
2ADP providers
5Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: partial

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CISA-ADPCISA ADP Vulnrichment
other:ssvc
CVECVE Program Container
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinux6a98d71daea186247005099758af549e6afdd244, 6a98d71daea186247005099758af549e6afdd244, 6a98d71daea186247005099758af549e6afdd244, 6a98d71daea186247005099758af549e6afdd244unaffected
LinuxLinux5.8, 0, 5.10.37, 5.11.21, 5.12.4, 5.13affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.