CVE-2021-47123: io_uring: fix ltout double free on completion race
In the Linux kernel, the following vulnerability has been resolved:
io_uring: fix ltout double free on completion race
Always remove linked timeout on io_link_timeout_fn() from the master
request link list, otherwise we may get use-after-free when first
io_link_timeout_fn() puts linked timeout in the fail path, and then
will be found and put on master's free.
Security readout for executives and security teams
Plain-English summary
This is a Linux kernel memory-management flaw in io_uring. A race during linked timeout completion could cause double free or use-after-free behavior. The public bundle does not provide CVSS, impact, or exploitation evidence, so urgency depends on whether affected kernel versions are present and reachable by untrusted local workloads.
Executive priority
Treat as a kernel patch-management item with uncertain severity. Prioritize validation on shared Linux infrastructure and environments running untrusted code, but avoid emergency assumptions unless vendor guidance or new exploitation evidence changes the risk picture.
Technical view
The resolved defect is in io_uring linked timeout handling. The fix always removes the linked timeout from the master request link list in io_link_timeout_fn(), preventing a completion race where the timeout is freed in one path and later found and freed again from the master request.
Likely exposure
Exposure is limited to Linux systems running affected kernel versions identified in the CVE record. The bundle lists Linux kernel 5.11, 5.12.10, and 5.13 data, but does not provide complete distro package mappings or remote exposure details.
Exploitation context
The bundle does not report active exploitation, and KEV is false. It provides kernel fix references but no exploit status, proof-of-concept, attack requirements, or confirmed impact beyond double free and use-after-free risk.
Researcher notes
Evidence is narrow: the record describes a resolved io_uring linked-timeout race causing double free or use-after-free. No CVSS, CWE, exploit maturity, privilege requirement, or distro-specific fixed version is included in the provided bundle.
Mitigation direction
Update affected Linux kernels to versions containing the referenced stable fixes.
Check Linux distribution advisories for exact fixed package versions.
Prioritize shared systems where untrusted local users or workloads can access io_uring.
Use vendor-supported hardening or io_uring restrictions only if patching is delayed.
Validation and detection
Inventory Linux kernel versions across servers, containers, and base images.
Map installed distro kernel packages to vendor advisories for CVE-2021-47123.
Confirm whether deployed kernels include the referenced stable commits.
Review multi-user and workload-hosting systems before lower-risk single-purpose hosts.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2021-47123 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.