CVE-2021-47652: video: fbdev: smscufx: Fix null-ptr-deref in ufx_usb_probe()
In the Linux kernel, the following vulnerability has been resolved:
video: fbdev: smscufx: Fix null-ptr-deref in ufx_usb_probe()
I got a null-ptr-deref report:
BUG: kernel NULL pointer dereference, address: 0000000000000000
...
RIP: 0010:fb_destroy_modelist+0x38/0x100
...
Call Trace:
ufx_usb_probe.cold+0x2b5/0xac1 [smscufx]
usb_probe_interface+0x1aa/0x3c0 [usbcore]
really_probe+0x167/0x460
...
ret_from_fork+0x1f/0x30
If fb_alloc_cmap() fails in ufx_usb_probe(), fb_destroy_modelist() will
be called to destroy modelist in the error handling path. But modelist
has not been initialized yet, so it will result in null-ptr-deref.
Initialize modelist before calling fb_alloc_cmap() to fix this bug.
Security readout for executives and security teams
Plain-English summary
CVE-2021-47652 is a Linux kernel crash issue in the smscufx framebuffer driver. If a specific allocation fails during USB device probing, cleanup can dereference an uninitialized list and crash the kernel. The main business impact is local denial of service, not data theft or remote compromise based on the provided sources.
Executive priority
Treat this as a moderate availability risk. It is not evidenced as remotely exploitable or actively abused, but affected multi-user Linux systems should be patched through normal kernel maintenance because a local crash can disrupt business services.
Technical view
The flaw is a CWE-476 null pointer dereference in ufx_usb_probe(). When fb_alloc_cmap() fails, the error path calls fb_destroy_modelist() before modelist is initialized. The fix initializes modelist before fb_alloc_cmap(). CVSS 3.1 is 5.5: local access, low complexity, low privileges, no user interaction, high availability impact.
Likely exposure
Exposure appears limited to Linux systems running affected kernel versions with the smscufx driver present or usable. The provided data lists Linux kernels including 3.2, 4.9.311, 4.14.276, 4.19.238, 5.4.189, 5.10.110, 5.15.33, 5.16.19, 5.17.2, and 5.18 as affected.
Exploitation context
The source bundle does not show active exploitation, and KEV status is false. The CVSS vector indicates local, low-privilege exploitation with availability impact only. No evidence in the provided sources supports remote exploitation, privilege escalation, data disclosure, or integrity impact.
Researcher notes
Focus review on smscufx probe error handling and vendor backports of the modelist initialization fix. Evidence is limited to the CVE record, CVSS vector, affected version data, and upstream stable commits; the bundle does not include exploit proof or operational telemetry.
Mitigation direction
Update to a vendor kernel containing the upstream smscufx ufx_usb_probe fix.
Check distribution advisories for backported fixes before relying on version numbers alone.
Prioritize systems where untrusted local users can access affected Linux hosts.
If smscufx is unnecessary, follow vendor guidance to reduce driver availability.
Validation and detection
Inventory Linux kernel versions across servers, endpoints, and appliances.
Check whether the smscufx driver is built, packaged, loaded, or available.
Confirm vendor kernel changelogs include the referenced upstream fix.
Retest after patching to verify the remediated kernel is running.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-476: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-476 · source CWE mapping
NULL Pointer Dereference
NULL Pointer Dereference represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.