LiveActive security incident?Get immediate response
CVE Record

CVE-2021-47055: mtd: require write permissions for locking and badblock ioctls

In the Linux kernel, the following vulnerability has been resolved: mtd: require write permissions for locking and badblock ioctls MEMLOCK, MEMUNLOCK and OTPLOCK modify protection bits. Thus require write permission. Depending on the hardware MEMLOCK might even be write-once, e.g. for SPI-NOR flashes with their WP# tied to GND. OTPLOCK is always write-once. MEMSETBADBLOCK modifies the bad block table.

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysisunknown

Security readout for executives and security teams

Plain-English summary

This is a Linux kernel storage-control permission bug. A process with access to MTD device interfaces might change flash lock state or mark blocks bad without write access. On raw-flash systems, that can affect integrity or availability. The sources provide no CVSS score or active exploitation evidence.

Executive priority

Treat this as targeted infrastructure hygiene rather than an internet-wide emergency. Prioritize products and sites where Linux controls raw flash storage, because improper flash locking or bad-block changes can create durable operational impact. Lack of severity data means prioritization should be exposure-driven.

Technical view

Linux MTD ioctls MEMLOCK, MEMUNLOCK, OTPLOCK, and MEMSETBADBLOCK modified flash protection bits or bad-block data without requiring write permissions. The kernel fix requires write permission because some operations are persistent, and OTPLOCK is always write-once. Impact depends on MTD device exposure and hardware behavior.

Likely exposure

Exposure is most likely on Linux systems using MTD raw flash devices, especially embedded, appliance, IoT, or platform firmware environments. General-purpose servers may be unaffected if no MTD devices are present or accessible. The bundle lists Linux kernel versions and stable commits, but not distribution-specific package status.

Exploitation context

No provided source states active exploitation, and the CVE is not marked KEV. The issue appears local and permission-bound: a process would need access to relevant MTD device interfaces. Business risk is higher where flash state changes can persist or disrupt boot, firmware, or storage reliability.

Researcher notes

The source describes a missing permission check around state-changing MTD ioctls. It does not provide CVSS, CWE, exploit evidence, or distribution package mapping. Key research tasks are confirming backport presence and assessing whether local principals can reach MTD devices in affected deployments.

Mitigation direction

  • Upgrade to a vendor kernel containing the referenced stable MTD permission fix.
  • Prioritize embedded and appliance fleets that expose MTD character devices.
  • Restrict untrusted local access to MTD device nodes pending vendor remediation.
  • Confirm distribution backports instead of relying only on upstream version numbers.
  • Review vendor advisories for supported kernel package names and release status.

Validation and detection

  • Inventory Linux assets that use MTD raw flash devices.
  • Map running kernels to vendor advisories and the referenced stable commits.
  • Check whether MTD device nodes are accessible by untrusted users or services.
  • Verify fixed systems require write permission for affected MTD control operations.
  • Document any compensating device-permission controls for unsupported kernels.
Prepared
Confidence
medium
Sources
11

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2021-47055 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
2ADP providers
10Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: partial

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CISA-ADPCISA ADP Vulnrichment
other:ssvc
CVECVE Program Container
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinux1c9f9125892a43901438bf704ada6b7019e2a884, 583d42400532fbd6228b0254d7c732b771e4750d, 389c74c218d3b182e9cd767e98cee0e0fd0dabaa, ab1a602a9cea98aa37b2e6851b168d2a2633a58d, 9a53e8bd59d9f070505e51d3fd19606a270e6b93, f7e6b19bc76471ba03725fe58e0c218a3d6266c3, f7e6b19bc76471ba03725fe58e0c218a3d6266c3, f7e6b19bc76471ba03725fe58e0c218a3d6266c3, f7e6b19bc76471ba03725fe58e0c218a3d6266c3, 36a8b2f49235e63ab3f901fe12e1b6732f075c2e, eb3d82abc335624a5e8ecfb75aba0b684e2dc4dbunaffected
LinuxLinux5.9, 0, 4.4.269, 4.9.269, 4.14.233, 4.19.191, 5.4.119, 5.10.37, 5.11.21, 5.12.4, 5.13affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.