LiveActive security incident?Get immediate response
CVE Record

CVE-2021-47608: bpf: Fix kernel address leakage in atomic fetch

In the Linux kernel, the following vulnerability has been resolved: bpf: Fix kernel address leakage in atomic fetch The change in commit 37086bfdc737 ("bpf: Propagate stack bounds to registers in atomics w/ BPF_FETCH") around check_mem_access() handling is buggy since this would allow for unprivileged users to leak kernel pointers. For example, an atomic fetch/and with -1 on a stack destination which holds a spilled pointer will migrate the spilled register type into a scalar, which can then be exported out of the program (since scalar != pointer) by dumping it into a map value. The original implementation of XADD was preventing this situation by using a double call to check_mem_access() one with BPF_READ and a subsequent one with BPF_WRITE, in both cases passing -1 as a placeholder value instead of register as per XADD semantics since it didn't contain a value fetch. The BPF_READ also included a check in check_stack_read_fixed_off() which rejects the program if the stack slot is of __is_pointer_value() if dst_regno < 0. The latter is to distinguish whether we're dealing with a regular stack spill/ fill or some arithmetical operation which is disallowed on non-scalars, see also 6e7e63cbb023 ("bpf: Forbid XADD on spilled pointers for unprivileged users") for more context on check_mem_access() and its handling of placeholder value -1. One minimally intrusive option to fix the leak is for the BPF_FETCH case to initially check the BPF_READ case via check_mem_access() with -1 as register, followed by the actual load case with non-negative load_reg to propagate stack bounds to registers.

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysismoderate

Security readout for executives and security teams

Plain-English summary

This Linux kernel flaw can let an unprivileged local user leak kernel memory addresses through eBPF atomic fetch handling. By itself, this is an information disclosure issue, but leaked kernel pointers can weaken defenses used against later kernel exploits. The source bundle does not provide CVSS scoring or evidence of active exploitation.

Executive priority

Handle through normal kernel patch governance, with higher urgency for shared Linux systems, developer workstations, and container hosts. There is no source-backed evidence of active exploitation, but kernel pointer leaks can reduce exploit resistance and increase risk when combined with other bugs.

Technical view

The bug is in BPF verifier memory-access handling for atomics with BPF_FETCH. A stack destination containing a spilled pointer could have pointer type information converted into a scalar and exported through a map value. The kernel fix adds an initial BPF_READ validation path to reject pointer-value stack reads before normal fetch handling.

Likely exposure

Exposure is most relevant on Linux systems running affected kernel versions where unprivileged users can load eBPF programs. The bundle names Linux 5.12 through 5.16-related versions, including 5.15.11, but does not provide distribution package mappings.

Exploitation context

The provided description frames exploitation as local and unprivileged, using eBPF program behavior to leak kernel pointers. There is no KEV listing and no cited evidence of in-the-wild exploitation. Treat this as a potential aid to exploit chaining rather than a standalone remote compromise.

Researcher notes

Key validation should focus on affected kernel lineage and unprivileged BPF availability. The vulnerability stems from verifier type-safety handling around atomic fetch operations, stack spills, and scalar export through map values. The bundle does not include a reproducer, CVSS vector, or distro-specific fixed versions.

Mitigation direction

  • Check Linux kernel vendor advisories for fixed package versions.
  • Prioritize updates for multi-user Linux hosts and container platforms.
  • Disable or restrict unprivileged eBPF where operationally feasible.
  • Track whether distributions backported the referenced stable kernel fixes.

Validation and detection

  • Inventory kernel versions across Linux servers and container hosts.
  • Confirm whether unprivileged eBPF is enabled on exposed systems.
  • Map running kernels to distribution advisories or stable fix commits.
  • Review vulnerability scanners for distro-specific CVE-2021-47608 coverage.
Prepared
Confidence
medium
Sources
4

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2021-47608 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
2ADP providers
3Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: partial

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CVECVE Program Container
CISA-ADPCISA ADP Vulnrichment
other:ssvc
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinux37086bfdc737ea6f66bf68dcf16757004d68e1e1, 37086bfdc737ea6f66bf68dcf16757004d68e1e1unaffected
LinuxLinux5.12, 0, 5.15.11, 5.16affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.