CVE-2021-47111 in Linux
Summary
by MITRE • 03/15/2024
In the Linux kernel, the following vulnerability has been resolved:
xen-netback: take a reference to the RX task thread
Do this in order to prevent the task from being freed if the thread returns (which can be triggered by the frontend) before the call to kthread_stop done as part of the backend tear down. Not taking the reference will lead to a use-after-free in that scenario. Such reference was taken before but dropped as part of the rework done in 2ac061ce97f4.
Reintroduce the reference taking and add a comment this time explaining why it's needed.
This is XSA-374 / CVE-2021-28691.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 08/09/2025
The vulnerability described in CVE-2021-47111 represents a critical use-after-free condition within the Linux kernel's Xen netback driver component. This issue specifically affects the virtual network backend implementation that facilitates communication between Xen virtual machines and their host systems. The flaw manifests when the network backend attempts to clean up resources during shutdown operations, creating a window where memory corruption can occur due to improper reference management. The vulnerability impacts systems running Linux kernels with Xen virtualization support, particularly those utilizing the netback driver for network communication between guest and host environments.
The technical root cause stems from improper reference counting within the RX task thread management logic. During the rework of the xen-netback driver codebase, a critical reference counting mechanism was inadvertently removed as part of commit 2ac061ce97f4. This removal created a scenario where the kernel thread responsible for receiving network packets could be freed prematurely while the backend shutdown sequence was still in progress. When the frontend system triggers the thread to return or terminate, but the backend teardown process has not yet completed its cleanup operations, the freed memory location becomes available for reuse. Subsequent access to this memory location results in undefined behavior and potential exploitation opportunities, as the system attempts to dereference pointers to already freed memory structures.
The operational impact of this vulnerability extends beyond simple system instability, presenting significant security risks within virtualized environments. Attackers with access to a compromised guest virtual machine could potentially exploit this use-after-free condition to escalate privileges or achieve arbitrary code execution within the host system. This represents a classic privilege escalation vector through virtualization layer manipulation, where guest-to-host exploitation becomes possible due to improper memory management in the hypervisor backend components. The vulnerability affects systems where Xen virtualization is implemented, particularly those running Linux kernels that include the affected netback driver code, making it relevant to cloud environments, virtual desktop infrastructures, and any system utilizing Xen-based virtualization technologies.
Mitigation strategies for this vulnerability require immediate kernel updates to patched versions that reintroduce the necessary reference counting mechanism. System administrators should prioritize applying security patches from their respective Linux distributions, as the fix involves restoring the reference taking operation that was previously removed during code rework. The solution implements proper reference management to ensure the RX task thread remains valid throughout the complete shutdown sequence, preventing premature deallocation of memory resources. Additionally, monitoring systems should be configured to detect unusual thread termination patterns or memory access violations that might indicate exploitation attempts. Organizations should also consider implementing network segmentation and access controls to limit potential attack surfaces, while maintaining regular vulnerability assessments of their virtualization infrastructure to identify similar issues that might exist in other kernel subsystems. This vulnerability aligns with CWE-416, which addresses use-after-free conditions, and represents a potential entry point for attackers following ATT&CK tactics related to privilege escalation and host compromise within virtualized environments.