In the Linux kernel, the following vulnerability has been resolved:
io_uring: fix link timeout refs
WARNING: CPU: 0 PID: 10242 at lib/refcount.c:28 refcount_warn_saturate+0x15b/0x1a0 lib/refcount.c:28
RIP: 0010:refcount_warn_saturate+0x15b/0x1a0 lib/refcount.c:28
Call Trace:
__refcount_sub_and_test include/linux/refcount.h:283 [inline]
__refcount_dec_and_test include/linux/refcount.h:315 [inline]
refcount_dec_and_test include/linux/refcount.h:333 [inline]
io_put_req fs/io_uring.c:2140 [inline]
io_queue_linked_timeout fs/io_uring.c:6300 [inline]
__io_queue_sqe+0xbef/0xec0 fs/io_uring.c:6354
io_submit_sqe fs/io_uring.c:6534 [inline]
io_submit_sqes+0x2bbd/0x7c50 fs/io_uring.c:6660
__do_sys_io_uring_enter fs/io_uring.c:9240 [inline]
__se_sys_io_uring_enter+0x256/0x1d60 fs/io_uring.c:9182
io_link_timeout_fn() should put only one reference of the linked timeout
request, however in case of racing with the master request's completion
first io_req_complete() puts one and then io_put_req_deferred() is
called.
Security readout for executives and security teams
Plain-English summary
A bug in Linux io_uring link timeout request handling could mishandle internal reference counts during a race. The public record shows a kernel warning and fix, but does not provide a CVSS score, confirmed impact, or exploitation evidence. Treat this as a kernel maintenance exposure until vendor guidance clarifies severity.
Executive priority
Schedule this through normal kernel patch governance unless the environment has high-risk shared Linux hosts or vendor guidance assigns higher severity. There is no supplied evidence of exploitation, but kernel bugs can carry broad operational impact if left unpatched.
Technical view
CVE-2021-47124 is a Linux kernel io_uring reference-counting flaw. In a race with master request completion, io_link_timeout_fn could release more references than intended after io_req_complete and io_put_req_deferred paths. The source identifies affected Linux kernel versions and stable kernel fixes, but not a CWE, CVSS vector, or concrete security impact.
Likely exposure
Exposure is most plausible on systems running affected Linux kernel versions with io_uring available. The bundle lists Linux 5.10.43, 5.10.55, 5.12, 5.12.10, 5.12.19, 5.13, and related commits as affected; distribution package mapping must be verified separately.
Exploitation context
The provided sources do not show active exploitation, public exploit code, or inclusion in KEV. They describe a kernel race and refcount warning resolved by stable commits. Any exploitability beyond the recorded bug is not established in the supplied evidence.
Researcher notes
The record is evidence-limited: no CVSS, CWE, or confirmed impact is provided. Analysis should focus on mapping distro kernels to the stable commits and understanding whether io_uring exposure exists in the target environment. Do not infer exploitability from the refcount warning alone.
Mitigation direction
Apply Linux kernel updates that include the referenced stable fixes.
Check your Linux distribution advisory for CVE-2021-47124 package mappings.
Prioritize internet-facing, multi-user, and container-host kernels for review.
Avoid claiming remediation from version strings alone; verify backported fixes.
Validation and detection
Inventory kernel versions across servers, workstations, and container hosts.
Compare installed kernel packages against vendor CVE-2021-47124 advisories.
Check package changelogs for the referenced stable commit IDs.
Review kernel logs for matching refcount warnings if instability was observed.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2021-47124 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.