CVE-2021-47055: mtd: require write permissions for locking and badblock ioctls
In the Linux kernel, the following vulnerability has been resolved:
mtd: require write permissions for locking and badblock ioctls
MEMLOCK, MEMUNLOCK and OTPLOCK modify protection bits. Thus require
write permission. Depending on the hardware MEMLOCK might even be
write-once, e.g. for SPI-NOR flashes with their WP# tied to GND. OTPLOCK
is always write-once.
MEMSETBADBLOCK modifies the bad block table.
Security readout for executives and security teams
Plain-English summary
This is a Linux kernel storage-control permission bug. A process with access to MTD device interfaces might change flash lock state or mark blocks bad without write access. On raw-flash systems, that can affect integrity or availability. The sources provide no CVSS score or active exploitation evidence.
Executive priority
Treat this as targeted infrastructure hygiene rather than an internet-wide emergency. Prioritize products and sites where Linux controls raw flash storage, because improper flash locking or bad-block changes can create durable operational impact. Lack of severity data means prioritization should be exposure-driven.
Technical view
Linux MTD ioctls MEMLOCK, MEMUNLOCK, OTPLOCK, and MEMSETBADBLOCK modified flash protection bits or bad-block data without requiring write permissions. The kernel fix requires write permission because some operations are persistent, and OTPLOCK is always write-once. Impact depends on MTD device exposure and hardware behavior.
Likely exposure
Exposure is most likely on Linux systems using MTD raw flash devices, especially embedded, appliance, IoT, or platform firmware environments. General-purpose servers may be unaffected if no MTD devices are present or accessible. The bundle lists Linux kernel versions and stable commits, but not distribution-specific package status.
Exploitation context
No provided source states active exploitation, and the CVE is not marked KEV. The issue appears local and permission-bound: a process would need access to relevant MTD device interfaces. Business risk is higher where flash state changes can persist or disrupt boot, firmware, or storage reliability.
Researcher notes
The source describes a missing permission check around state-changing MTD ioctls. It does not provide CVSS, CWE, exploit evidence, or distribution package mapping. Key research tasks are confirming backport presence and assessing whether local principals can reach MTD devices in affected deployments.
Mitigation direction
Upgrade to a vendor kernel containing the referenced stable MTD permission fix.
Prioritize embedded and appliance fleets that expose MTD character devices.
Restrict untrusted local access to MTD device nodes pending vendor remediation.
Confirm distribution backports instead of relying only on upstream version numbers.
Review vendor advisories for supported kernel package names and release status.
Validation and detection
Inventory Linux assets that use MTD raw flash devices.
Map running kernels to vendor advisories and the referenced stable commits.
Check whether MTD device nodes are accessible by untrusted users or services.
Verify fixed systems require write permission for affected MTD control operations.
Document any compensating device-permission controls for unsupported kernels.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2021-47055 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.