CVE-2021-47248 - OpenCVE

In the Linux kernel, the following vulnerability has been resolved: udp: fix race between close() and udp_abort() Kaustubh reported and diagnosed a panic in udp_lib_lookup(). The root cause is udp_abort() racing with close(). Both racing functions acquire the socket lock, but udp{v6}_destroy_sock() release it before performing destructive actions. We can't easily extend the socket lock scope to avoid the race, instead use the SOCK_DEAD flag to prevent udp_abort from doing any action when the critical race happens. Diagnosed-and-tested-by: Kaustubh Pandey <kapandey@codeaurora.org>

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

References

Link	Providers
https://git.kernel.org/stable/c/2f73448041bd0682d4b552cfd314ace66107f1ad
https://git.kernel.org/stable/c/5a88477c1c85e4baa51e91f2d40f2166235daa56
https://git.kernel.org/stable/c/65310b0aff86980a011c7c7bfa487a333d4ca241
https://git.kernel.org/stable/c/8729ec8a2238152a4afc212a331a6cd2c61aeeac
https://git.kernel.org/stable/c/a0882f68f54f7a8b6308261acee9bd4faab5a69e
https://git.kernel.org/stable/c/a8b897c7bcd47f4147d066e22cc01d1026d7640e
https://git.kernel.org/stable/c/e3c36c773aed0fef8b1d3d555b43393ec564400f
https://lore.kernel.org/linux-cve-announce/2024052143-CVE-2021-47248-2609@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2021-47248
https://www.cve.org/CVERecord?id=CVE-2021-47248

History

No history.

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2024-05-21T14:19:45.588Z

Updated: 2024-08-04T05:32:07.937Z

Reserved: 2024-04-10T18:59:19.536Z

Link: CVE-2021-47248

Vulnrichment

Updated: 2024-08-04T05:32:07.937Z

NVD

Status : Awaiting Analysis

Published: 2024-05-21T15:15:13.780

Modified: 2024-05-21T16:54:26.047

Link: CVE-2021-47248

Redhat

Severity : Moderate

Publid Date: 2024-05-21T00:00:00Z

Links: CVE-2021-47248 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2021-47248", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-04-10T18:59:19.536Z", "datePublished": "2024-05-21T14:19:45.588Z", "dateUpdated": "2024-08-04T05:32:07.937Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-05-29T05:04:38.979Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nudp: fix race between close() and udp_abort()\n\nKaustubh reported and diagnosed a panic in udp_lib_lookup().\nThe root cause is udp_abort() racing with close(). Both\nracing functions acquire the socket lock, but udp{v6}_destroy_sock()\nrelease it before performing destructive actions.\n\nWe can't easily extend the socket lock scope to avoid the race,\ninstead use the SOCK_DEAD flag to prevent udp_abort from doing\nany action when the critical race happens.\n\nDiagnosed-and-tested-by: Kaustubh Pandey <kapandey@codeaurora.org>"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/ipv4/udp.c", "net/ipv6/udp.c"], "versions": [{"version": "5d77dca82839", "lessThan": "e3c36c773aed", "status": "affected", "versionType": "git"}, {"version": "5d77dca82839", "lessThan": "a0882f68f54f", "status": "affected", "versionType": "git"}, {"version": "5d77dca82839", "lessThan": "2f73448041bd", "status": "affected", "versionType": "git"}, {"version": "5d77dca82839", "lessThan": "5a88477c1c85", "status": "affected", "versionType": "git"}, {"version": "5d77dca82839", "lessThan": "8729ec8a2238", "status": "affected", "versionType": "git"}, {"version": "5d77dca82839", "lessThan": "65310b0aff86", "status": "affected", "versionType": "git"}, {"version": "5d77dca82839", "lessThan": "a8b897c7bcd4", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/ipv4/udp.c", "net/ipv6/udp.c"], "versions": [{"version": "4.9", "status": "affected"}, {"version": "0", "lessThan": "4.9", "status": "unaffected", "versionType": "custom"}, {"version": "4.9.274", "lessThanOrEqual": "4.9.*", "status": "unaffected", "versionType": "custom"}, {"version": "4.14.238", "lessThanOrEqual": "4.14.*", "status": "unaffected", "versionType": "custom"}, {"version": "4.19.196", "lessThanOrEqual": "4.19.*", "status": "unaffected", "versionType": "custom"}, {"version": "5.4.128", "lessThanOrEqual": "5.4.*", "status": "unaffected", "versionType": "custom"}, {"version": "5.10.46", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "custom"}, {"version": "5.12.13", "lessThanOrEqual": "5.12.*", "status": "unaffected", "versionType": "custom"}, {"version": "5.13", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "references": [{"url": "https://git.kernel.org/stable/c/e3c36c773aed0fef8b1d3d555b43393ec564400f"}, {"url": "https://git.kernel.org/stable/c/a0882f68f54f7a8b6308261acee9bd4faab5a69e"}, {"url": "https://git.kernel.org/stable/c/2f73448041bd0682d4b552cfd314ace66107f1ad"}, {"url": "https://git.kernel.org/stable/c/5a88477c1c85e4baa51e91f2d40f2166235daa56"}, {"url": "https://git.kernel.org/stable/c/8729ec8a2238152a4afc212a331a6cd2c61aeeac"}, {"url": "https://git.kernel.org/stable/c/65310b0aff86980a011c7c7bfa487a333d4ca241"}, {"url": "https://git.kernel.org/stable/c/a8b897c7bcd47f4147d066e22cc01d1026d7640e"}], "title": "udp: fix race between close() and udp_abort()", "x_generator": {"engine": "bippy-a5840b7849dd"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2021-47248", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-23T18:04:43.420239Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:13:24.395Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T05:32:07.937Z"}, "title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/e3c36c773aed0fef8b1d3d555b43393ec564400f", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/a0882f68f54f7a8b6308261acee9bd4faab5a69e", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/2f73448041bd0682d4b552cfd314ace66107f1ad", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/5a88477c1c85e4baa51e91f2d40f2166235daa56", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/8729ec8a2238152a4afc212a331a6cd2c61aeeac", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/65310b0aff86980a011c7c7bfa487a333d4ca241", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/a8b897c7bcd47f4147d066e22cc01d1026d7640e", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/e3c36c773aed0fef8b1d3d555b43393ec564400f", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/a0882f68f54f7a8b6308261acee9bd4faab5a69e", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/2f73448041bd0682d4b552cfd314ace66107f1ad", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/5a88477c1c85e4baa51e91f2d40f2166235daa56", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/8729ec8a2238152a4afc212a331a6cd2c61aeeac", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/65310b0aff86980a011c7c7bfa487a333d4ca241", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/a8b897c7bcd47f4147d066e22cc01d1026d7640e", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T05:32:07.937Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2021-47248", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-23T18:04:43.420239Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-23T18:04:47.404Z"}, "title": "CISA ADP Vulnrichment"}], "cna": {"title": "udp: fix race between close() and udp_abort()", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "5d77dca82839", "lessThan": "e3c36c773aed", "versionType": "git"}, {"status": "affected", "version": "5d77dca82839", "lessThan": "a0882f68f54f", "versionType": "git"}, {"status": "affected", "version": "5d77dca82839", "lessThan": "2f73448041bd", "versionType": "git"}, {"status": "affected", "version": "5d77dca82839", "lessThan": "5a88477c1c85", "versionType": "git"}, {"status": "affected", "version": "5d77dca82839", "lessThan": "8729ec8a2238", "versionType": "git"}, {"status": "affected", "version": "5d77dca82839", "lessThan": "65310b0aff86", "versionType": "git"}, {"status": "affected", "version": "5d77dca82839", "lessThan": "a8b897c7bcd4", "versionType": "git"}], "programFiles": ["net/ipv4/udp.c", "net/ipv6/udp.c"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "4.9"}, {"status": "unaffected", "version": "0", "lessThan": "4.9", "versionType": "custom"}, {"status": "unaffected", "version": "4.9.274", "versionType": "custom", "lessThanOrEqual": "4.9.*"}, {"status": "unaffected", "version": "4.14.238", "versionType": "custom", "lessThanOrEqual": "4.14.*"}, {"status": "unaffected", "version": "4.19.196", "versionType": "custom", "lessThanOrEqual": "4.19.*"}, {"status": "unaffected", "version": "5.4.128", "versionType": "custom", "lessThanOrEqual": "5.4.*"}, {"status": "unaffected", "version": "5.10.46", "versionType": "custom", "lessThanOrEqual": "5.10.*"}, {"status": "unaffected", "version": "5.12.13", "versionType": "custom", "lessThanOrEqual": "5.12.*"}, {"status": "unaffected", "version": "5.13", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["net/ipv4/udp.c", "net/ipv6/udp.c"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/e3c36c773aed0fef8b1d3d555b43393ec564400f"}, {"url": "https://git.kernel.org/stable/c/a0882f68f54f7a8b6308261acee9bd4faab5a69e"}, {"url": "https://git.kernel.org/stable/c/2f73448041bd0682d4b552cfd314ace66107f1ad"}, {"url": "https://git.kernel.org/stable/c/5a88477c1c85e4baa51e91f2d40f2166235daa56"}, {"url": "https://git.kernel.org/stable/c/8729ec8a2238152a4afc212a331a6cd2c61aeeac"}, {"url": "https://git.kernel.org/stable/c/65310b0aff86980a011c7c7bfa487a333d4ca241"}, {"url": "https://git.kernel.org/stable/c/a8b897c7bcd47f4147d066e22cc01d1026d7640e"}], "x_generator": {"engine": "bippy-a5840b7849dd"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nudp: fix race between close() and udp_abort()\n\nKaustubh reported and diagnosed a panic in udp_lib_lookup().\nThe root cause is udp_abort() racing with close(). Both\nracing functions acquire the socket lock, but udp{v6}_destroy_sock()\nrelease it before performing destructive actions.\n\nWe can't easily extend the socket lock scope to avoid the race,\ninstead use the SOCK_DEAD flag to prevent udp_abort from doing\nany action when the critical race happens.\n\nDiagnosed-and-tested-by: Kaustubh Pandey <kapandey@codeaurora.org>"}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-05-29T05:04:38.979Z"}}}, "cveMetadata": {"cveId": "CVE-2021-47248", "state": "PUBLISHED", "dateUpdated": "2024-08-04T05:32:07.937Z", "dateReserved": "2024-04-10T18:59:19.536Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2024-05-21T14:19:45.588Z", "assignerShortName": "Linux"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nudp: fix race between close() and udp_abort()\n\nKaustubh reported and diagnosed a panic in udp_lib_lookup().\nThe root cause is udp_abort() racing with close(). Both\nracing functions acquire the socket lock, but udp{v6}_destroy_sock()\nrelease it before performing destructive actions.\n\nWe can't easily extend the socket lock scope to avoid the race,\ninstead use the SOCK_DEAD flag to prevent udp_abort from doing\nany action when the critical race happens.\n\nDiagnosed-and-tested-by: Kaustubh Pandey <kapandey@codeaurora.org>"}, {"lang": "es", "value": " En el kernel de Linux se ha resuelto la siguiente vulnerabilidad: udp: corrige la ejecuci\u00f3n entre close() y udp_abort(). Kaustubh inform\u00f3 y diagnostic\u00f3 un p\u00e1nico en udp_lib_lookup(). La causa principal es que udp_abort() compite con close(). Ambas funciones de ejecuci\u00f3n adquieren el bloqueo del socket, pero udp{v6}_destroy_sock() lo libera antes de realizar acciones destructivas. No podemos extender f\u00e1cilmente el alcance del bloqueo del socket para evitar la ejecuci\u00f3n; en su lugar, usamos el indicador SOCK_DEAD para evitar que udp_abort realice alguna acci\u00f3n cuando ocurre la ejecuci\u00f3n cr\u00edtica. Diagnosticado y probado por: Kaustubh Pandey "}], "id": "CVE-2021-47248", "lastModified": "2024-05-21T16:54:26.047", "metrics": {}, "published": "2024-05-21T15:15:13.780", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/2f73448041bd0682d4b552cfd314ace66107f1ad"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/5a88477c1c85e4baa51e91f2d40f2166235daa56"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/65310b0aff86980a011c7c7bfa487a333d4ca241"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/8729ec8a2238152a4afc212a331a6cd2c61aeeac"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/a0882f68f54f7a8b6308261acee9bd4faab5a69e"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/a8b897c7bcd47f4147d066e22cc01d1026d7640e"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/e3c36c773aed0fef8b1d3d555b43393ec564400f"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: udp: fix race between close() and udp_abort()", "id": "2282564", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2282564"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.8", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H", "status": "draft"}, "cwe": "CWE-362", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nudp: fix race between close() and udp_abort()\nKaustubh reported and diagnosed a panic in udp_lib_lookup().\nThe root cause is udp_abort() racing with close(). Both\nracing functions acquire the socket lock, but udp{v6}_destroy_sock()\nrelease it before performing destructive actions.\nWe can't easily extend the socket lock scope to avoid the race,\ninstead use the SOCK_DEAD flag to prevent udp_abort from doing\nany action when the critical race happens.\nDiagnosed-and-tested-by: Kaustubh Pandey <kapandey@codeaurora.org>", "A vulnerability was found in the Linux kernel's UDP implementation, where a race condition exists between the close() and udp_abort() functions. This race can cause a system panic during socket operations, leading to unexpected crashes"], "mitigation": {"lang": "en:us", "value": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible."}, "name": "CVE-2021-47248", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-05-21T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-47248\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-47248\nhttps://lore.kernel.org/linux-cve-announce/2024052143-CVE-2021-47248-2609@gregkh/T"], "statement": "This vulnerability is rated as a moderate severity because this issue results in system crashes under specific conditions and exploitation requires precise timing.", "threat_severity": "Moderate", "upstream_fix": "kernel 4.9.274, kernel 4.14.238, kernel 4.19.196, kernel 5.4.128, kernel 5.10.46, kernel 5.12.13, kernel 5.13"}