LiveActive security incident?Get immediate response
CVE Record

CVE-2021-47633: ath5k: fix OOB in ath5k_eeprom_read_pcal_info_5111

In the Linux kernel, the following vulnerability has been resolved: ath5k: fix OOB in ath5k_eeprom_read_pcal_info_5111 The bug was found during fuzzing. Stacktrace locates it in ath5k_eeprom_convert_pcal_info_5111. When none of the curve is selected in the loop, idx can go up to AR5K_EEPROM_N_PD_CURVES. The line makes pd out of bound. pd = &chinfo[pier].pd_curves[idx]; There are many OOB writes using pd later in the code. So I added a sanity check for idx. Checks for other loops involving AR5K_EEPROM_N_PD_CURVES are not needed as the loop index is not used outside the loops. The patch is NOT tested with real device. The following is the fuzzing report BUG: KASAN: slab-out-of-bounds in ath5k_eeprom_read_pcal_info_5111+0x126a/0x1390 [ath5k] Write of size 1 at addr ffff8880174a4d60 by task modprobe/214 CPU: 0 PID: 214 Comm: modprobe Not tainted 5.6.0 #1 Call Trace: dump_stack+0x76/0xa0 print_address_description.constprop.0+0x16/0x200 ? ath5k_eeprom_read_pcal_info_5111+0x126a/0x1390 [ath5k] ? ath5k_eeprom_read_pcal_info_5111+0x126a/0x1390 [ath5k] __kasan_report.cold+0x37/0x7c ? ath5k_eeprom_read_pcal_info_5111+0x126a/0x1390 [ath5k] kasan_report+0xe/0x20 ath5k_eeprom_read_pcal_info_5111+0x126a/0x1390 [ath5k] ? apic_timer_interrupt+0xa/0x20 ? ath5k_eeprom_init_11a_pcal_freq+0xbc0/0xbc0 [ath5k] ? ath5k_pci_eeprom_read+0x228/0x3c0 [ath5k] ath5k_eeprom_init+0x2513/0x6290 [ath5k] ? ath5k_eeprom_init_11a_pcal_freq+0xbc0/0xbc0 [ath5k] ? usleep_range+0xb8/0x100 ? apic_timer_interrupt+0xa/0x20 ? ath5k_eeprom_read_pcal_info_2413+0x2f20/0x2f20 [ath5k] ath5k_hw_init+0xb60/0x1970 [ath5k] ath5k_init_ah+0x6fe/0x2530 [ath5k] ? kasprintf+0xa6/0xe0 ? ath5k_stop+0x140/0x140 [ath5k] ? _dev_notice+0xf6/0xf6 ? apic_timer_interrupt+0xa/0x20 ath5k_pci_probe.cold+0x29a/0x3d6 [ath5k] ? ath5k_pci_eeprom_read+0x3c0/0x3c0 [ath5k] ? mutex_lock+0x89/0xd0 ? ath5k_pci_eeprom_read+0x3c0/0x3c0 [ath5k] local_pci_probe+0xd3/0x160 pci_device_probe+0x23f/0x3e0 ? pci_device_remove+0x280/0x280 ? pci_device_remove+0x280/0x280 really_probe+0x209/0x5d0

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysismoderate

Security readout for executives and security teams

Plain-English summary

CVE-2021-47633 is an out-of-bounds write in the Linux kernel ath5k wireless driver. The issue was found by fuzzing while the driver parsed calibration data. Business exposure is mainly systems that load ath5k for older Atheros wireless hardware, especially endpoints or embedded devices rather than typical servers.

Executive priority

Treat this as a targeted kernel maintenance item, not an internet-wide emergency. Patch affected Linux endpoints or embedded devices in normal security cycles, faster where ath5k hardware is present or untrusted physical access is plausible.

Technical view

The flaw is in ath5k_eeprom_read_pcal_info_5111. If no calibration curve is selected, idx can reach AR5K_EEPROM_N_PD_CURVES, and later code writes through an out-of-bounds pd_curves entry. The source notes multiple later OOB writes and a KASAN slab-out-of-bounds report during modprobe/probe initialization.

Likely exposure

Likely exposure is limited to Linux systems with affected kernels that use or load the ath5k driver. Systems without ath5k-capable wireless hardware, or where the module is unavailable or disabled, are less likely to be exposed based on the provided sources.

Exploitation context

The bundle reports fuzzing discovery and says the patch was not tested with a real device. It does not cite public exploitation, and KEV is false. The sources do not establish remote exploitability, privilege impact, or a complete attack path.

Researcher notes

Key uncertainty remains exploitability outside fuzzed EEPROM parsing. The crash occurred during driver initialization, and the report identifies slab out-of-bounds writes. Do not assume active exploitation or broad remote reach from the provided evidence.

Mitigation direction

  • Update to a vendor-supported kernel containing the referenced stable ath5k fixes.
  • Prioritize endpoints, appliances, and embedded Linux systems using older Atheros wireless adapters.
  • If ath5k is unnecessary, disable or remove the module using approved vendor guidance.
  • Track distribution advisories because package fixed versions may differ from upstream commit references.

Validation and detection

  • Inventory Linux systems for kernels and ath5k driver availability or use.
  • Identify systems with Atheros ath5k-compatible wireless hardware or module autoload behavior.
  • Compare installed kernel packages against vendor advisories and upstream stable fix references.
  • After updating, confirm the replacement kernel is running and ath5k still functions if required.
Prepared
Confidence
medium
Sources
11

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2021-47633 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
0ADP providers
10Source links

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinux8e218fb24faef0bfe95bc91b3c05261e20439527, 8e218fb24faef0bfe95bc91b3c05261e20439527, 8e218fb24faef0bfe95bc91b3c05261e20439527, 8e218fb24faef0bfe95bc91b3c05261e20439527, 8e218fb24faef0bfe95bc91b3c05261e20439527, 8e218fb24faef0bfe95bc91b3c05261e20439527, 8e218fb24faef0bfe95bc91b3c05261e20439527, 8e218fb24faef0bfe95bc91b3c05261e20439527, 8e218fb24faef0bfe95bc91b3c05261e20439527unaffected
LinuxLinux2.6.30, 0, 4.9.311, 4.14.276, 4.19.238, 5.4.189, 5.10.111, 5.15.34, 5.16.20, 5.17.3, 5.18affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.