CVE-2021-47607: bpf: Fix kernel address leakage in atomic cmpxchg's r0 aux reg
In the Linux kernel, the following vulnerability has been resolved:
bpf: Fix kernel address leakage in atomic cmpxchg's r0 aux reg
The implementation of BPF_CMPXCHG on a high level has the following parameters:
.-[old-val] .-[new-val]
BPF_R0 = cmpxchg{32,64}(DST_REG + insn->off, BPF_R0, SRC_REG)
`-[mem-loc] `-[old-val]
Given a BPF insn can only have two registers (dst, src), the R0 is fixed and
used as an auxilliary register for input (old value) as well as output (returning
old value from memory location). While the verifier performs a number of safety
checks, it misses to reject unprivileged programs where R0 contains a pointer as
old value.
Through brute-forcing it takes about ~16sec on my machine to leak a kernel pointer
with BPF_CMPXCHG. The PoC is basically probing for kernel addresses by storing the
guessed address into the map slot as a scalar, and using the map value pointer as
R0 while SRC_REG has a canary value to detect a matching address.
Fix it by checking R0 for pointers, and reject if that's the case for unprivileged
programs.
Security readout for executives and security teams
Plain-English summary
This Linux kernel issue can let an unprivileged local BPF program disclose a kernel memory address. That matters because address leaks can weaken kernel hardening and help chain other bugs, but the bundle does not show remote exploitation or active exploitation.
Executive priority
Treat this as a medium-priority kernel hardening issue. It is not shown as actively exploited, but it affects local privilege boundaries and could support exploit chains on shared systems.
Technical view
The BPF verifier failed to reject unprivileged BPF_CMPXCHG use when R0 held a pointer as the expected old value. The kernel fix adds pointer checks for R0 and rejects that case for unprivileged programs, preventing kernel pointer leakage through cmpxchg behavior.
Likely exposure
Exposure is most likely on Linux systems running affected kernel builds where unprivileged users can run BPF programs. The provided version data is limited and should be checked against distribution advisories and the referenced stable commits.
Exploitation context
The CVE description says a proof of concept could leak a kernel pointer by brute force. CISA KEV status is false in the bundle, and no cited source states active exploitation.
Researcher notes
The source bundle supports kernel pointer disclosure via unprivileged BPF_CMPXCHG verifier behavior. It does not provide CVSS, CWE, detailed distro package ranges, or evidence of exploitation in the wild.
Mitigation direction
Update Linux kernels to builds containing the referenced stable fixes.
Check distribution advisories for backported fixes covering your kernel packages.
Restrict unprivileged BPF access where compatible with operations.
Prioritize internet-facing multi-user hosts and shared compute environments.
Track vendor guidance if no fixed package is available.
Validation and detection
Inventory Linux kernel versions across servers, endpoints, and containers hosts.
Compare deployed kernels with vendor advisories and referenced stable commits.
Confirm whether unprivileged BPF execution is enabled on relevant systems.
Review patch management records for fixed kernel package deployment.
Document any systems awaiting vendor-specific remediation guidance.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2021-47607 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.