Security readout for executives and security teams
Plain-English summary
This is a Linux kernel information leak. An unprivileged local user could cause kernel memory bytes to be copied back through UDP socket diagnostics. The source bundle does not show active exploitation or remote reachability, but kernel memory disclosure can weaken defense-in-depth and support further attacks.
Executive priority
Treat this as a moderate-priority kernel patching item. It is not shown as remotely exploitable or actively exploited, but unprivileged local kernel information leaks matter on shared systems and can assist broader compromise chains.
Technical view
UDP handling did not initialize r->idiag_expires before inet_sk_diag_fill() returned socket diagnostic data. KMSAN observed uninitialized bytes copied to user space through netlink diagnostic output. The fix initializes the field in inet_sk_diag_fill() so UDP and future callers do not leak uninitialized kernel data.
Likely exposure
Linux systems running affected kernel versions are relevant, especially multi-user systems or hosts where untrusted local users can execute code. The bundle lists Linux as affected from 3.3 through fixed stable lines including 5.4.168, 5.10.88, 5.15.11, and 5.16.
Exploitation context
The kernel description says the issue can be exploited by unprivileged users. The bundle marks KEV as false and provides no evidence of active exploitation in the wild. The report appears to come from KMSAN and syzkaller-style testing, not a public weaponized exploit.
Researcher notes
Focus analysis on inet_diag UDP diagnostic output and initialization of idiag_expires in inet_sk_diag_fill(). The source does not provide CVSS, CWE, exploit maturity, or distribution-specific package status, so validation should rely on kernel commit presence or vendor backport confirmation.
Mitigation direction
Update to a vendor kernel containing the referenced stable fixes.
Check distribution advisories for backported CVE-2021-47597 patches.
Prioritize systems allowing untrusted local user or workload execution.
Reduce unnecessary local user access while patching is pending.
Avoid custom kernels missing the inet_diag fix.
Validation and detection
Inventory running Linux kernel versions across affected fleets.
Compare installed kernels against vendor fixed builds or referenced commits.
Review package changelogs for CVE-2021-47597 or inet_diag fixes.
Confirm unsupported or custom kernels include the stable patch.
Track remediation separately for externally managed appliances.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2021-47597 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.