In the Linux kernel, the following vulnerability has been resolved:
NFSD: Fix READDIR buffer overflow
If a client sends a READDIR count argument that is too small (say,
zero), then the buffer size calculation in the new init_dirlist
helper functions results in an underflow, allowing the XDR stream
functions to write beyond the actual buffer.
This calculation has always been suspect. NFSD has never sanity-
checked the READDIR count argument, but the old entry encoders
managed the problem correctly.
With the commits below, entry encoding changed, exposing the
underflow to the pointer arithmetic in xdr_reserve_space().
Modern NFS clients attempt to retrieve as much data as possible
for each READDIR request. Also, we have no unit tests that
exercise the behavior of READDIR at the lower bound of @count
values. Thus this case was missed during testing.
Security readout for executives and security teams
Plain-English summary
This is a Linux kernel NFS server flaw. A malformed READDIR request with an unusually small count can make NFSD miscalculate a buffer and write past its bounds. Business risk is highest where Linux systems expose NFS service to untrusted or broad client networks.
Executive priority
Treat as a priority patch for NFS servers, especially in shared infrastructure or operational environments. The issue is kernel-level memory corruption, but the source bundle does not prove exploitation in the wild.
Technical view
NFSD did not sanity-check the READDIR count argument. New init_dirlist helper calculations could underflow for very small counts, causing XDR stream reservation logic to write beyond the real buffer. The CVE record lists affected Linux kernel versions and stable kernel fixes.
Likely exposure
Exposure is likely limited to Linux systems running the in-kernel NFS server and accepting READDIR requests from clients. Internet exposure depends on local NFS firewalling and export design. Siemens also references this CVE, indicating some industrial product exposure may exist per vendor advisory.
Exploitation context
The sources describe a client-supplied READDIR count triggering a kernel-side buffer overflow condition. The bundle does not include CVSS, CWE, public exploit evidence, or KEV listing, so active exploitation is not established here.
Researcher notes
Focus analysis on NFSD READDIR handling, count lower-bound validation, init_dirlist buffer sizing, and xdr_reserve_space pointer arithmetic. The record states modern clients usually request large counts, which likely reduced natural test coverage of the malformed lower-bound case.
Mitigation direction
Apply the relevant Linux stable kernel fix from your distribution or vendor.
Review the Siemens advisory if operating affected Siemens products.
Restrict NFS access to trusted client networks only.
Check vendor guidance before using temporary workarounds.
Prioritize exposed NFS servers over non-serving Linux hosts.
Validation and detection
Inventory Linux hosts running NFSD or exporting NFS shares.
Confirm running kernel versions against vendor-fixed builds.
Verify NFS ports are not exposed to untrusted networks.
Review package or kernel changelogs for the referenced stable commits.
For Siemens environments, map assets against SSA-265688.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2021-47107 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.