LiveActive security incident?Get immediate response
CVE Record

CVE-2021-47642: video: fbdev: nvidiafb: Use strscpy() to prevent buffer overflow

In the Linux kernel, the following vulnerability has been resolved: video: fbdev: nvidiafb: Use strscpy() to prevent buffer overflow Coverity complains of a possible buffer overflow. However, given the 'static' scope of nvidia_setup_i2c_bus() it looks like that can't happen after examiniing the call sites. CID 19036 (#1 of 1): Copy into fixed size buffer (STRING_OVERFLOW) 1. fixed_size_dest: You might overrun the 48-character fixed-size string chan->adapter.name by copying name without checking the length. 2. parameter_as_source: Note: This defect has an elevated risk because the source argument is a parameter of the current function. 89 strcpy(chan->adapter.name, name); Fix this warning by using strscpy() which will silence the warning and prevent any future buffer overflows should the names used to identify the channel become much longer.

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysislow

Security readout for executives and security teams

Plain-English summary

CVE-2021-47642 is a Linux kernel issue in the legacy nvidiafb framebuffer driver. A fixed-size name buffer used an unsafe string copy. The kernel note says current call sites appeared not to make overflow reachable, but the fix prevents future overflow risk.

Executive priority

Low urgency based on current evidence. Include it in normal kernel patch management, with faster handling for systems that depend on legacy framebuffer drivers or have strict kernel hardening requirements.

Technical view

In video/fbdev/nvidiafb, nvidia_setup_i2c_bus() copied a caller-provided name into chan->adapter.name, a 48-character buffer, using strcpy(). Stable kernel fixes replace it with strscpy(). The CVE record provides no CVSS, CWE, exploitability details, or confirmed reachable attack path.

Likely exposure

Exposure is mainly Linux systems using affected kernel versions or downstream builds containing the vulnerable nvidiafb code before the referenced stable fixes. Practical exposure appears limited, because the source notes static call sites did not appear to permit overflow at the time.

Exploitation context

The source bundle does not report active exploitation, and KEV is false. It also does not provide a proof of concept or attacker prerequisites. Treat this as a hardening fix unless vendor guidance says otherwise.

Researcher notes

The key uncertainty is reachability. The upstream description explicitly says existing static call sites looked safe, while the code pattern was still unsafe. Research should focus on downstream modifications, driver configuration, and whether untrusted input can influence the copied name.

Mitigation direction

  • Update to a Linux kernel containing the referenced stable nvidiafb fixes.
  • Use distribution kernel packages or backports rather than hand-applying patches.
  • Check vendor advisories for supported mitigations if patching is delayed.
  • Track this in routine kernel maintenance unless nvidiafb is mission-critical.

Validation and detection

  • Inventory Linux kernel versions across servers, workstations, and appliances.
  • Check whether the running kernel includes the referenced stable commit or downstream backport.
  • Confirm whether nvidiafb is built, packaged, or loaded in relevant kernels.
  • Review distribution security notes for CVE-2021-47642 package status.
Prepared
Confidence
medium
Sources
11

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2021-47642 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
0ADP providers
10Source links

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2unaffected
LinuxLinux2.6.12, 0, 4.9.311, 4.14.276, 4.19.238, 5.4.189, 5.10.110, 5.15.33, 5.16.19, 5.17.2, 5.18affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.