LiveActive security incident?Get immediate response
CVE Record

CVE-2021-47634: ubi: Fix race condition between ctrl_cdev_ioctl and ubi_cdev_ioctl

In the Linux kernel, the following vulnerability has been resolved: ubi: Fix race condition between ctrl_cdev_ioctl and ubi_cdev_ioctl Hulk Robot reported a KASAN report about use-after-free: ================================================================== BUG: KASAN: use-after-free in __list_del_entry_valid+0x13d/0x160 Read of size 8 at addr ffff888035e37d98 by task ubiattach/1385 [...] Call Trace: klist_dec_and_del+0xa7/0x4a0 klist_put+0xc7/0x1a0 device_del+0x4d4/0xed0 cdev_device_del+0x1a/0x80 ubi_attach_mtd_dev+0x2951/0x34b0 [ubi] ctrl_cdev_ioctl+0x286/0x2f0 [ubi] Allocated by task 1414: device_add+0x60a/0x18b0 cdev_device_add+0x103/0x170 ubi_create_volume+0x1118/0x1a10 [ubi] ubi_cdev_ioctl+0xb7f/0x1ba0 [ubi] Freed by task 1385: cdev_device_del+0x1a/0x80 ubi_remove_volume+0x438/0x6c0 [ubi] ubi_cdev_ioctl+0xbf4/0x1ba0 [ubi] [...] ================================================================== The lock held by ctrl_cdev_ioctl is ubi_devices_mutex, but the lock held by ubi_cdev_ioctl is ubi->device_mutex. Therefore, the two locks can be concurrent. ctrl_cdev_ioctl contains two operations: ubi_attach and ubi_detach. ubi_detach is bug-free because it uses reference counting to prevent concurrency. However, uif_init and uif_close in ubi_attach may race with ubi_cdev_ioctl. uif_init will race with ubi_cdev_ioctl as in the following stack. cpu1 cpu2 cpu3 _______________________|________________________|______________________ ctrl_cdev_ioctl ubi_attach_mtd_dev uif_init ubi_cdev_ioctl ubi_create_volume cdev_device_add ubi_add_volume // sysfs exist kill_volumes ubi_cdev_ioctl ubi_remove_volume cdev_device_del // first free ubi_free_volume cdev_del // double free cdev_device_del And uif_close will race with ubi_cdev_ioctl as in the following stack. cpu1 cpu2 cpu3 _______________________|________________________|______________________ ctrl_cdev_ioctl ubi_attach_mtd_dev uif_init ubi_cdev_ioctl ubi_create_volume cdev_device_add ubi_debugfs_init_dev //error goto out_uif; uif_close kill_volumes ubi_cdev_ioctl ubi_remove_volume cdev_device_del // first free ubi_free_volume // double free The cause of this problem is that commit 714fb87e8bc0 make device "available" before it becomes accessible via sysfs. Therefore, we roll back the modification. We will fix the race condition between ubi device creation and udev by removing ubi_get_device in vol_attribute_show and dev_attribute_show.This avoids accessing uninitialized ubi_devices[ubi_num]. ubi_get_device is used to prevent devices from being deleted during sysfs execution. However, now kernfs ensures that devices will not be deleted before all reference counting are released. The key process is shown in the following stack. device_del device_remove_attrs device_remove_groups sysfs_remove_groups sysfs_remove_group remove_files kernfs_remove_by_name kernfs_remove_by_name_ns __kernfs_remove kernfs_drain

HighCVSS 7.8Not KEV-listedUpdated
Glexia's TakeAutomated analysishigh

Security readout for executives and security teams

Plain-English summary

CVE-2021-47634 is a Linux kernel UBI storage-management bug that can cause use-after-free behavior during concurrent UBI device and volume operations. The CVSS score is high because a local authenticated actor could potentially impact confidentiality, integrity, and availability. Exposure is mainly relevant to Linux systems using UBI/MTD flash storage.

Executive priority

Prioritize patching for embedded, appliance, and Linux systems that use UBI flash management or allow local multi-user access. The urgency is high for exposed fleets, but the provided sources do not show active exploitation or remote attackability.

Technical view

The issue is a race between ctrl_cdev_ioctl and ubi_cdev_ioctl using different locks, allowing UBI attach paths to race with volume create/remove paths. The source describes KASAN use-after-free and double-free scenarios involving cdev_device_add, cdev_device_del, uif_init, uif_close, and kill_volumes.

Likely exposure

Likely exposure is Linux systems with affected kernels and active UBI/MTD functionality, especially embedded or flash-backed devices. Systems without UBI support or access to UBI character devices are less likely to be exposed. The provided data does not identify affected distributions or appliances.

Exploitation context

The CVSS vector is local, low complexity, low privileges, and no user interaction. The bundle states KEV is false and provides no cited evidence of active exploitation. Treat this as a local kernel memory-safety vulnerability requiring patch verification rather than a confirmed internet-scale exploitation event.

Researcher notes

Focus validation on the UBI ioctl locking race and whether the stable fix removing the unsafe availability behavior is present. The affected-version data in the bundle is commit- and release-oriented, so vendor backport confirmation is essential before declaring a system vulnerable or fixed.

Mitigation direction

  • Update to a kernel release or vendor package containing the referenced stable fixes.
  • Check Linux distribution or device-vendor advisories for backported fixes.
  • Restrict unnecessary local access to UBI character devices where operationally feasible.
  • Disable unused UBI/MTD functionality only if vendor guidance and system role allow it.

Validation and detection

  • Inventory kernel versions across Linux and embedded fleets.
  • Identify systems using UBI/MTD or exposing UBI character devices.
  • Confirm the vendor kernel includes one of the referenced stable fixes or an equivalent backport.
  • Review vendor advisories for affected package names and fixed build numbers.
Prepared
Confidence
medium
Sources
10

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · low confidence lookup

CWE-416: Exact CWE lookup

Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2021-47634 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
High
CVSS
7.8 (3.1)
Known Exploited
No
Published

Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

1CVSS vectors
3Timeline events
1ADP providers
9Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: total

CVSS vector scores

1 official score

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
7.8CVSS 3.1HighCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H1.85.9CISA-ADP

Vulnerability scoring details

Base CVSS 3.1 score

7.8High
CVSS 3.1 vector shape for CVE-2021-47634Attack VectorAttack ComplexityPrivileges RequiredUser InteractionScopeConfidentiality ImpactIntegrity ImpactAvailability Impact

Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Privileges Required
NoneLowHigh
User Interaction
NoneRequired
Scope
ChangedUnchanged
Confidentiality Impact
HighLowNone
Integrity Impact
HighLowNone
Availability Impact
HighLowNone

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CISA-ADPCISA ADP Vulnrichment
cvssV3_1other:ssvc
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinux714fb87e8bc05ff78255afc0dca981e8c5242785, 714fb87e8bc05ff78255afc0dca981e8c5242785, 714fb87e8bc05ff78255afc0dca981e8c5242785, 714fb87e8bc05ff78255afc0dca981e8c5242785, 714fb87e8bc05ff78255afc0dca981e8c5242785, 714fb87e8bc05ff78255afc0dca981e8c5242785, 714fb87e8bc05ff78255afc0dca981e8c5242785, 714fb87e8bc05ff78255afc0dca981e8c5242785, 016820bde3f0895d09fcad370415085ba0d1bd4a, 12f567db822241090b90c5645ea9146f6cf8fa42, 31b0fca8ab9b9786fe6e5027c4a8587b47db5abf, 6117840dec60344167038f9511c3770d4c096eaa, bd7d3de27e7e1acce2e276074a498a82e0834663, cdf25333b42fb889f086ef65d0734d0dbdc49f4e, ae32d1b98ba29408df87c0ed47877ca0f248eae7, 4056337b1e81a1b137aa562133dc5430cd2fd19e, f3db4c640b32485105554e0bfd16bbde585f6fb0unaffected
LinuxLinux4.8, 0, 4.14.276, 4.19.238, 5.4.189, 5.10.110, 5.15.33, 5.16.19, 5.17.2, 5.18affected
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.

CWE-416 · source CWE mapping

Use After Free

Use After Free represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.