Security readout for executives and security teams
Plain-English summary
This is a Linux kernel issue in the SCSI debug driver. A type mismatch can make the kernel copy more data than intended, causing a stack out-of-bounds read. It requires local access with low privileges, so business urgency is mainly for exposed multi-user Linux systems and environments where the affected driver is present.
Executive priority
Medium priority. This is not supported as actively exploited or remotely reachable from the supplied evidence, but it is a kernel memory-safety issue with high confidentiality impact. Patch through normal kernel maintenance, with faster handling for shared Linux systems.
Technical view
The flaw is in drivers/scsi/scsi_debug.c. Using min_t() with int caused sign extension, selecting a larger value and triggering stack out-of-bounds reads in memcpy through sg_copy_buffer and scsi_debug response handling. CVSS 3.1 is 6.6 with local attack vector, low complexity, low privileges, no user interaction, and high confidentiality impact.
Likely exposure
Exposure is limited to Linux systems running affected kernel versions where the scsi_debug code path is present and reachable. The CVE record lists Linux kernel versions including 5.8, 5.10.88, 5.15.11, and 5.16 as affected, with stable kernel commits referenced as fixes.
Exploitation context
The supplied sources do not report active exploitation, and the CVE is not listed as KEV. The stack trace came from KASAN/syzkaller-style kernel testing. Treat this as a local kernel memory-safety bug requiring host access, not a remotely exploitable internet-facing flaw based on available evidence.
Researcher notes
Focus validation on kernel version, distribution backport status, and scsi_debug reachability. The public record identifies the fix as changing min_t() to use u32 to avoid sign extension. Do not assume broader SCSI driver impact beyond the named scsi_debug path without vendor confirmation.
Mitigation direction
Review vendor kernel advisories for fixed packages matching the referenced stable commits.
Update affected Linux kernels through the normal distribution or kernel vendor channel.
Check whether scsi_debug is available or loaded on production systems.
Restrict local shell access on sensitive systems until patch status is confirmed.
Prioritize shared hosts, build systems, and multi-tenant Linux environments.
Validation and detection
Inventory Linux kernel versions across servers and endpoints.
Confirm whether scsi_debug is built, installed, or loaded.
Map running kernels to vendor advisories or the referenced stable commits.
Review local-user exposure on systems that cannot be patched quickly.
Track whether distribution backports include this specific fix.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2021-47580 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.