CVE-2021-47171 in Linuxinfo

Summary

by MITRE • 03/25/2024

In the Linux kernel, the following vulnerability has been resolved:

net: usb: fix memory leak in smsc75xx_bind

Syzbot reported memory leak in smsc75xx_bind(). The problem was is non-freed memory in case of errors after memory allocation.

backtrace: [] kmalloc include/linux/slab.h:556 [inline]
[] kzalloc include/linux/slab.h:686 [inline]
[] smsc75xx_bind+0x7a/0x334 drivers/net/usb/smsc75xx.c:1460
[] usbnet_probe+0x3b6/0xc30 drivers/net/usb/usbnet.c:1728

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 08/11/2025

The vulnerability CVE-2021-47171 represents a memory leak in the Linux kernel's USB networking driver subsystem, specifically within the smsc75xx_bind function of the smsc75xx driver. This issue affects devices that utilize the SMSC75xx series USB ethernet controllers which are commonly found in various USB-to-ethernet adapters and networking hardware. The vulnerability was identified through automated fuzzing and testing conducted by the syzbot system, which is a kernel fuzzer designed to detect memory corruption and resource management issues in the Linux kernel.

The technical flaw occurs within the smsc75xx_bind function located in drivers/net/usb/smsc75xx.c at line 1460. When the driver attempts to bind a USB network device, it allocates memory using kmalloc or kzalloc functions to initialize the driver data structures. However, in error conditions that occur after memory allocation, the allocated memory is not properly freed before the function returns with an error status. This creates a memory leak where kernel heap memory becomes permanently unavailable for reuse, potentially leading to memory exhaustion over time, especially in systems where multiple USB network devices are frequently connected and disconnected.

The operational impact of this vulnerability extends beyond simple memory waste, as it can lead to system instability and performance degradation in embedded systems or servers that rely heavily on USB networking capabilities. The memory leak accumulates with each failed device binding attempt, and in high-traffic environments where USB devices are frequently enumerated, this can result in progressive memory consumption that may eventually cause system crashes or resource exhaustion. The vulnerability affects the usbnet subsystem which is fundamental to USB ethernet device support in Linux, making it a critical issue for embedded systems, IoT devices, and server environments that utilize USB networking hardware.

This memory leak vulnerability maps to CWE-401: "Improper Release of Memory Before Removing Last Reference" and aligns with ATT&CK technique T1490: "Inhibit System Recovery" as it can contribute to system instability through resource exhaustion. The issue demonstrates poor error handling practices in kernel space memory management where proper cleanup routines are not executed in error paths, violating fundamental principles of robust kernel programming. The vulnerability is particularly concerning in embedded and IoT environments where memory resources are limited and system stability is paramount. Mitigation strategies include applying the kernel patch that ensures proper memory cleanup in error conditions, implementing monitoring for memory usage patterns in affected systems, and potentially isolating USB networking operations to prevent cascading failures. The fix typically involves adding proper error handling paths that free allocated memory before returning error codes, ensuring that all allocated resources are properly released regardless of the execution path taken by the driver.

Reservation

03/25/2024

Disclosure

03/25/2024

Moderation

accepted

CPE

ready

EPSS

0.00241

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!