CVE-2021-47506 in Linuxinfo

Summary

by MITRE • 05/24/2024

In the Linux kernel, the following vulnerability has been resolved:

nfsd: fix use-after-free due to delegation race

A delegation break could arrive as soon as we've called vfs_setlease. A delegation break runs a callback which immediately (in nfsd4_cb_recall_prepare) adds the delegation to del_recall_lru. If we then exit nfs4_set_delegation without hashing the delegation, it will be freed as soon as the callback is done with it, without ever being removed from del_recall_lru.

Symptoms show up later as use-after-free or list corruption warnings, usually in the laundromat thread.

I suspect aba2072f4523 "nfsd: grant read delegations to clients holding writes" made this bug easier to hit, but I looked as far back as v3.0 and it looks to me it already had the same problem. So I'm not sure where the bug was introduced; it may have been there from the beginning.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 05/13/2025

The vulnerability CVE-2021-47506 represents a critical use-after-free condition in the Linux kernel's Network File System daemon implementation that stems from a race condition during delegation handling. This flaw specifically affects the nfsd component responsible for managing NFS server operations and occurs when a delegation break event coincides with the execution of vfs_setlease function. The issue manifests when a delegation break callback executes immediately after nfsd4_cb_recall_prepare adds the delegation to the del_recall_lru list, creating a timing window where the delegation object may be freed before it can be properly hashed into the system's delegation structures.

The technical implementation of this vulnerability involves a complex interaction between multiple kernel subsystems including the NFS server implementation, lease management, and callback processing mechanisms. When a delegation break occurs during the nfs4_set_delegation execution flow, the system fails to properly hash the delegation object into the kernel's internal data structures before the callback completes. This creates a scenario where the delegation object exists in the del_recall_lru list but is not properly tracked elsewhere, leading to a situation where the memory allocated for the delegation can be freed prematurely. The subsequent use-after-free conditions typically appear as memory corruption warnings or list corruption errors, particularly in the laundromat thread which handles periodic cleanup operations in the NFS server implementation.

The operational impact of this vulnerability extends beyond simple memory corruption, as it can potentially enable privilege escalation or denial-of-service conditions within NFS server environments. Attackers could exploit this race condition to cause system instability or potentially gain elevated privileges by manipulating the timing of delegation break events. The vulnerability affects all Linux kernel versions since at least v3.0, indicating it has been present in production systems for many years, making it particularly concerning for long-running NFS server deployments. The issue is classified under CWE-416 as a Use-After-Free vulnerability, which represents one of the most dangerous classes of memory safety issues in kernel space code.

Mitigation strategies for CVE-2021-47506 require immediate kernel updates to patched versions that address the race condition in delegation handling. System administrators should prioritize applying the relevant kernel security patches from their distribution vendors, as the vulnerability can be exploited to compromise NFS server integrity and potentially escalate privileges. The fix implemented in the patched kernel versions ensures proper synchronization and hashing of delegation objects before callbacks execute, preventing the premature freeing of delegation resources. Organizations running NFS services should also consider monitoring for unusual system behavior or memory corruption warnings that might indicate exploitation attempts, and should implement network segmentation to limit exposure of NFS servers to untrusted networks. This vulnerability aligns with ATT&CK technique T1068 which involves exploiting legitimate credentials and privileges, as the memory corruption could potentially be leveraged to gain additional system access.

Reservation

05/22/2024

Disclosure

05/24/2024

Moderation

accepted

CPE

ready

EPSS

0.00260

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!