CVE-2021-47425 in Linux
Summary
by MITRE • 05/21/2024
In the Linux kernel, the following vulnerability has been resolved:
i2c: acpi: fix resource leak in reconfiguration device addition
acpi_i2c_find_adapter_by_handle() calls bus_find_device() which takes a reference on the adapter which is never released which will result in a reference count leak and render the adapter unremovable. Make sure to put the adapter after creating the client in the same manner that we do for OF.
[wsa: fixed title]
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 09/23/2025
The vulnerability identified as CVE-2021-47425 represents a critical resource management flaw within the Linux kernel's i2c acpi subsystem that can lead to persistent reference count leaks and system instability. This issue specifically affects the acpi_i2c_find_adapter_by_handle() function which is responsible for locating I2C adapters through ACPI handle lookups during device reconfiguration scenarios. The flaw manifests when the function invokes bus_find_device() to locate the appropriate adapter but fails to properly release the reference count that was acquired during this operation. This oversight creates a scenario where adapter references remain in memory indefinitely, preventing proper cleanup and removal of the adapter from the system. The vulnerability impacts the kernel's ability to manage I2C device resources effectively, potentially leading to resource exhaustion and system performance degradation over time.
The technical implementation of this vulnerability stems from improper reference counting practices within the kernel's device management framework. When acpi_i2c_find_adapter_by_handle() calls bus_find_device(), it correctly acquires a reference to the adapter device but fails to balance this reference with a corresponding put_device() call. This pattern differs from the established practice used in the device tree (OF) subsystem where proper reference management is maintained through consistent pairing of get and put operations. The inconsistency creates a resource leak where adapter objects remain in memory even when they should be eligible for garbage collection. This behavior directly violates fundamental kernel memory management principles and can result in the accumulation of unreleased device references that persist throughout the system's operational lifetime.
The operational impact of CVE-2021-47425 extends beyond simple resource consumption to potentially compromise system stability and device management capabilities. As the reference count leak accumulates, the system's ability to dynamically reconfigure I2C devices becomes increasingly impaired, particularly during hot-plug scenarios or system updates. Affected systems may experience gradual performance degradation as memory resources become consumed by unreleased adapter references. The vulnerability specifically impacts systems that rely on ACPI-based I2C device management, which includes a wide range of modern laptops, servers, and embedded systems that utilize ACPI for hardware configuration. The inability to properly remove adapters from the system can lead to device conflicts, failed device initialization, and potential system crashes during device reconfiguration events. This vulnerability aligns with CWE-404, which specifically addresses improper resource management and memory leaks in software systems.
Mitigation strategies for this vulnerability require kernel-level patches that implement proper reference counting mechanisms consistent with the established OF subsystem practices. The fix involves ensuring that every reference acquired through bus_find_device() is properly released using put_device() before the function returns, maintaining consistency with how device references are managed elsewhere in the kernel. System administrators should prioritize applying the relevant kernel updates that contain this fix, particularly on systems that frequently perform I2C device reconfiguration or operate in environments where hot-plug device management is common. Organizations should monitor their kernel versions and ensure they are running patched releases that address this specific reference counting issue. The vulnerability demonstrates the importance of maintaining consistent resource management practices across kernel subsystems and highlights the critical need for thorough code review processes that examine reference counting patterns. This fix serves as a reminder of the fundamental importance of balanced resource acquisition and release in kernel space operations, aligning with ATT&CK technique T1547.001 for privilege escalation through kernel-level resource manipulation. The resolution of this vulnerability ensures proper device lifecycle management and prevents the accumulation of stale device references that could impact system stability and device management capabilities over extended periods of operation.