LiveActive security incident?Get immediate response
CVE Record

CVE-2021-47582: USB: core: Make do_proc_control() and do_proc_bulk() killable

In the Linux kernel, the following vulnerability has been resolved: USB: core: Make do_proc_control() and do_proc_bulk() killable The USBDEVFS_CONTROL and USBDEVFS_BULK ioctls invoke usb_start_wait_urb(), which contains an uninterruptible wait with a user-specified timeout value. If timeout value is very large and the device being accessed does not respond in a reasonable amount of time, the kernel will complain about "Task X blocked for more than N seconds", as found in testing by syzbot: INFO: task syz-executor.0:8700 blocked for more than 143 seconds. Not tainted 5.14.0-rc7-syzkaller #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:syz-executor.0 state:D stack:23192 pid: 8700 ppid: 8455 flags:0x00004004 Call Trace: context_switch kernel/sched/core.c:4681 [inline] __schedule+0xc07/0x11f0 kernel/sched/core.c:5938 schedule+0x14b/0x210 kernel/sched/core.c:6017 schedule_timeout+0x98/0x2f0 kernel/time/timer.c:1857 do_wait_for_common+0x2da/0x480 kernel/sched/completion.c:85 __wait_for_common kernel/sched/completion.c:106 [inline] wait_for_common kernel/sched/completion.c:117 [inline] wait_for_completion_timeout+0x46/0x60 kernel/sched/completion.c:157 usb_start_wait_urb+0x167/0x550 drivers/usb/core/message.c:63 do_proc_bulk+0x978/0x1080 drivers/usb/core/devio.c:1236 proc_bulk drivers/usb/core/devio.c:1273 [inline] usbdev_do_ioctl drivers/usb/core/devio.c:2547 [inline] usbdev_ioctl+0x3441/0x6b10 drivers/usb/core/devio.c:2713 ... To fix this problem, this patch replaces usbfs's calls to usb_control_msg() and usb_bulk_msg() with special-purpose code that does essentially the same thing (as recommended in the comment for usb_start_wait_urb()), except that it always uses a killable wait and it uses GFP_KERNEL rather than GFP_NOIO.

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysismoderate

Security readout for executives and security teams

Plain-English summary

This Linux kernel issue can let a process become stuck while waiting on a nonresponsive USB device with a very long timeout. The main business risk is local denial of service or operational disruption on systems where users or services can interact with USB devices through usbfs.

Executive priority

Treat this as a kernel reliability issue with local denial-of-service potential, not a confirmed remote compromise. Prioritize patching USB-exposed workstations, kiosks, build hosts, lab systems, and hardware appliances before general server fleets with no USB access.

Technical view

USBDEVFS_CONTROL and USBDEVFS_BULK ioctls used usb_start_wait_urb() with an uninterruptible wait and user-specified timeout. A nonresponsive USB device plus a large timeout could leave tasks blocked in D state and trigger hung-task warnings. The fix replaces those paths with killable waits for usbfs control and bulk handling.

Likely exposure

Exposure is most plausible on Linux systems allowing local users, containers, services, or hardware-facing workloads to access USB device nodes. Internet-only servers without USB access are less likely exposed. The source metadata lists affected Linux kernel ranges starting at 2.6.12 and fixed around 5.15.11 or 5.16, but distro backports must be confirmed.

Exploitation context

The supplied sources do not show active exploitation, and KEV is false. The described trigger came from syzbot testing. Abuse appears to require local access to usbfs ioctls and a USB device behavior that fails to respond within a reasonable time.

Researcher notes

The record lacks CVSS, CWE, and detailed distro mappings. The key behavioral change is replacing uninterruptible waits in usbfs control and bulk ioctl handling with killable waits. Avoid assuming privilege escalation or remote reachability without additional vendor evidence.

Mitigation direction

  • Apply vendor kernel updates containing the referenced stable fixes.
  • Confirm distribution advisories for backported fixes, not only upstream version numbers.
  • Restrict unnecessary access to USB device nodes and usbfs interfaces.
  • Reduce local untrusted user access on systems with attached USB devices.
  • Monitor for repeated hung-task warnings involving drivers/usb/core/devio.c.

Validation and detection

  • Inventory kernel versions and vendor patch levels across USB-capable systems.
  • Check whether users, containers, or services can access USB device nodes.
  • Review logs for hung tasks in usb_start_wait_urb or usbdev_ioctl paths.
  • Verify the stable commit or vendor equivalent is present.
  • Confirm regression tests cover USB ioctl timeout behavior if locally maintained.
Prepared
Confidence
medium
Sources
4

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2021-47582 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
2ADP providers
3Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: partial

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CVECVE Program Container
CISA-ADPCISA ADP Vulnrichment
other:ssvc
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2unaffected
LinuxLinux2.6.12, 0, 5.15.11, 5.16affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.