CVE-2021-47642: video: fbdev: nvidiafb: Use strscpy() to prevent buffer overflow
In the Linux kernel, the following vulnerability has been resolved:
video: fbdev: nvidiafb: Use strscpy() to prevent buffer overflow
Coverity complains of a possible buffer overflow. However,
given the 'static' scope of nvidia_setup_i2c_bus() it looks
like that can't happen after examiniing the call sites.
CID 19036 (#1 of 1): Copy into fixed size buffer (STRING_OVERFLOW)
1. fixed_size_dest: You might overrun the 48-character fixed-size string
chan->adapter.name by copying name without checking the length.
2. parameter_as_source: Note: This defect has an elevated risk because the
source argument is a parameter of the current function.
89 strcpy(chan->adapter.name, name);
Fix this warning by using strscpy() which will silence the warning and
prevent any future buffer overflows should the names used to identify the
channel become much longer.
Security readout for executives and security teams
Plain-English summary
CVE-2021-47642 is a Linux kernel issue in the legacy nvidiafb framebuffer driver. A fixed-size name buffer used an unsafe string copy. The kernel note says current call sites appeared not to make overflow reachable, but the fix prevents future overflow risk.
Executive priority
Low urgency based on current evidence. Include it in normal kernel patch management, with faster handling for systems that depend on legacy framebuffer drivers or have strict kernel hardening requirements.
Technical view
In video/fbdev/nvidiafb, nvidia_setup_i2c_bus() copied a caller-provided name into chan->adapter.name, a 48-character buffer, using strcpy(). Stable kernel fixes replace it with strscpy(). The CVE record provides no CVSS, CWE, exploitability details, or confirmed reachable attack path.
Likely exposure
Exposure is mainly Linux systems using affected kernel versions or downstream builds containing the vulnerable nvidiafb code before the referenced stable fixes. Practical exposure appears limited, because the source notes static call sites did not appear to permit overflow at the time.
Exploitation context
The source bundle does not report active exploitation, and KEV is false. It also does not provide a proof of concept or attacker prerequisites. Treat this as a hardening fix unless vendor guidance says otherwise.
Researcher notes
The key uncertainty is reachability. The upstream description explicitly says existing static call sites looked safe, while the code pattern was still unsafe. Research should focus on downstream modifications, driver configuration, and whether untrusted input can influence the copied name.
Mitigation direction
Update to a Linux kernel containing the referenced stable nvidiafb fixes.
Use distribution kernel packages or backports rather than hand-applying patches.
Check vendor advisories for supported mitigations if patching is delayed.
Track this in routine kernel maintenance unless nvidiafb is mission-critical.
Validation and detection
Inventory Linux kernel versions across servers, workstations, and appliances.
Check whether the running kernel includes the referenced stable commit or downstream backport.
Confirm whether nvidiafb is built, packaged, or loaded in relevant kernels.
Review distribution security notes for CVE-2021-47642 package status.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2021-47642 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
0CVSS vectors
3Timeline events
0ADP providers
10Source links
Vulnerability timeline
Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.
CVE reservedCVE Program
The CVE ID was reserved by the assigning CNA.
CVE publishedCVE Program
The CVE record was published.
Feb 26, 2025, 01:54 UTC (UTC+00:00)
CVE updatedCVE Program
The CVE record metadata indicates this as the latest update time.