CVE-2021-47608: bpf: Fix kernel address leakage in atomic fetch
In the Linux kernel, the following vulnerability has been resolved:
bpf: Fix kernel address leakage in atomic fetch
The change in commit 37086bfdc737 ("bpf: Propagate stack bounds to registers
in atomics w/ BPF_FETCH") around check_mem_access() handling is buggy since
this would allow for unprivileged users to leak kernel pointers. For example,
an atomic fetch/and with -1 on a stack destination which holds a spilled
pointer will migrate the spilled register type into a scalar, which can then
be exported out of the program (since scalar != pointer) by dumping it into
a map value.
The original implementation of XADD was preventing this situation by using
a double call to check_mem_access() one with BPF_READ and a subsequent one
with BPF_WRITE, in both cases passing -1 as a placeholder value instead of
register as per XADD semantics since it didn't contain a value fetch. The
BPF_READ also included a check in check_stack_read_fixed_off() which rejects
the program if the stack slot is of __is_pointer_value() if dst_regno < 0.
The latter is to distinguish whether we're dealing with a regular stack spill/
fill or some arithmetical operation which is disallowed on non-scalars, see
also 6e7e63cbb023 ("bpf: Forbid XADD on spilled pointers for unprivileged
users") for more context on check_mem_access() and its handling of placeholder
value -1.
One minimally intrusive option to fix the leak is for the BPF_FETCH case to
initially check the BPF_READ case via check_mem_access() with -1 as register,
followed by the actual load case with non-negative load_reg to propagate
stack bounds to registers.
Security readout for executives and security teams
Plain-English summary
This Linux kernel flaw can let an unprivileged local user leak kernel memory addresses through eBPF atomic fetch handling. By itself, this is an information disclosure issue, but leaked kernel pointers can weaken defenses used against later kernel exploits. The source bundle does not provide CVSS scoring or evidence of active exploitation.
Executive priority
Handle through normal kernel patch governance, with higher urgency for shared Linux systems, developer workstations, and container hosts. There is no source-backed evidence of active exploitation, but kernel pointer leaks can reduce exploit resistance and increase risk when combined with other bugs.
Technical view
The bug is in BPF verifier memory-access handling for atomics with BPF_FETCH. A stack destination containing a spilled pointer could have pointer type information converted into a scalar and exported through a map value. The kernel fix adds an initial BPF_READ validation path to reject pointer-value stack reads before normal fetch handling.
Likely exposure
Exposure is most relevant on Linux systems running affected kernel versions where unprivileged users can load eBPF programs. The bundle names Linux 5.12 through 5.16-related versions, including 5.15.11, but does not provide distribution package mappings.
Exploitation context
The provided description frames exploitation as local and unprivileged, using eBPF program behavior to leak kernel pointers. There is no KEV listing and no cited evidence of in-the-wild exploitation. Treat this as a potential aid to exploit chaining rather than a standalone remote compromise.
Researcher notes
Key validation should focus on affected kernel lineage and unprivileged BPF availability. The vulnerability stems from verifier type-safety handling around atomic fetch operations, stack spills, and scalar export through map values. The bundle does not include a reproducer, CVSS vector, or distro-specific fixed versions.
Mitigation direction
Check Linux kernel vendor advisories for fixed package versions.
Prioritize updates for multi-user Linux hosts and container platforms.
Disable or restrict unprivileged eBPF where operationally feasible.
Track whether distributions backported the referenced stable kernel fixes.
Validation and detection
Inventory kernel versions across Linux servers and container hosts.
Confirm whether unprivileged eBPF is enabled on exposed systems.
Map running kernels to distribution advisories or stable fix commits.
Review vulnerability scanners for distro-specific CVE-2021-47608 coverage.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2021-47608 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.