LiveActive security incident?Get immediate response
CVE Record

CVE-2021-47107: NFSD: Fix READDIR buffer overflow

In the Linux kernel, the following vulnerability has been resolved: NFSD: Fix READDIR buffer overflow If a client sends a READDIR count argument that is too small (say, zero), then the buffer size calculation in the new init_dirlist helper functions results in an underflow, allowing the XDR stream functions to write beyond the actual buffer. This calculation has always been suspect. NFSD has never sanity- checked the READDIR count argument, but the old entry encoders managed the problem correctly. With the commits below, entry encoding changed, exposing the underflow to the pointer arithmetic in xdr_reserve_space(). Modern NFS clients attempt to retrieve as much data as possible for each READDIR request. Also, we have no unit tests that exercise the behavior of READDIR at the lower bound of @count values. Thus this case was missed during testing.

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysishigh

Security readout for executives and security teams

Plain-English summary

This is a Linux kernel NFS server flaw. A malformed READDIR request with an unusually small count can make NFSD miscalculate a buffer and write past its bounds. Business risk is highest where Linux systems expose NFS service to untrusted or broad client networks.

Executive priority

Treat as a priority patch for NFS servers, especially in shared infrastructure or operational environments. The issue is kernel-level memory corruption, but the source bundle does not prove exploitation in the wild.

Technical view

NFSD did not sanity-check the READDIR count argument. New init_dirlist helper calculations could underflow for very small counts, causing XDR stream reservation logic to write beyond the real buffer. The CVE record lists affected Linux kernel versions and stable kernel fixes.

Likely exposure

Exposure is likely limited to Linux systems running the in-kernel NFS server and accepting READDIR requests from clients. Internet exposure depends on local NFS firewalling and export design. Siemens also references this CVE, indicating some industrial product exposure may exist per vendor advisory.

Exploitation context

The sources describe a client-supplied READDIR count triggering a kernel-side buffer overflow condition. The bundle does not include CVSS, CWE, public exploit evidence, or KEV listing, so active exploitation is not established here.

Researcher notes

Focus analysis on NFSD READDIR handling, count lower-bound validation, init_dirlist buffer sizing, and xdr_reserve_space pointer arithmetic. The record states modern clients usually request large counts, which likely reduced natural test coverage of the malformed lower-bound case.

Mitigation direction

  • Apply the relevant Linux stable kernel fix from your distribution or vendor.
  • Review the Siemens advisory if operating affected Siemens products.
  • Restrict NFS access to trusted client networks only.
  • Check vendor guidance before using temporary workarounds.
  • Prioritize exposed NFS servers over non-serving Linux hosts.

Validation and detection

  • Inventory Linux hosts running NFSD or exporting NFS shares.
  • Confirm running kernel versions against vendor-fixed builds.
  • Verify NFS ports are not exposed to untrusted networks.
  • Review package or kernel changelogs for the referenced stable commits.
  • For Siemens environments, map assets against SSA-265688.
Prepared
Confidence
medium
Sources
6

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2021-47107 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
3ADP providers
5Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: partial

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CISA-ADPCISA ADP Vulnrichment
other:ssvc
CVECVE Program Container
siemens-SADPADP container
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinux37aa5e64022243e721b8334122997881177a4cfc, 7f87fc2d34d475225e78b7f5c4eabb121f4282b2, 7f87fc2d34d475225e78b7f5c4eabb121f4282b2unaffected
LinuxLinux5.13, 0, 5.15.12, 5.16affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.