{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2021-47561", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-05-24T15:11:00.727Z", "datePublished": "2024-05-24T15:12:50.061Z", "dateUpdated": "2025-05-04T07:13:36.305Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-05-04T07:13:36.305Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: virtio: disable timeout handling\n\nIf a timeout is hit, it can result is incorrect data on the I2C bus\nand/or memory corruptions in the guest since the device can still be\noperating on the buffers it was given while the guest has freed them.\n\nHere is, for example, the start of a slub_debug splat which was\ntriggered on the next transfer after one transfer was forced to timeout\nby setting a breakpoint in the backend (rust-vmm/vhost-device):\n\n BUG kmalloc-1k (Not tainted): Poison overwritten\n First byte 0x1 instead of 0x6b\n Allocated in virtio_i2c_xfer+0x65/0x35c age=350 cpu=0 pid=29\n \t__kmalloc+0xc2/0x1c9\n \tvirtio_i2c_xfer+0x65/0x35c\n \t__i2c_transfer+0x429/0x57d\n \ti2c_transfer+0x115/0x134\n \ti2cdev_ioctl_rdwr+0x16a/0x1de\n \ti2cdev_ioctl+0x247/0x2ed\n \tvfs_ioctl+0x21/0x30\n \tsys_ioctl+0xb18/0xb41\n Freed in virtio_i2c_xfer+0x32e/0x35c age=244 cpu=0 pid=29\n \tkfree+0x1bd/0x1cc\n \tvirtio_i2c_xfer+0x32e/0x35c\n \t__i2c_transfer+0x429/0x57d\n \ti2c_transfer+0x115/0x134\n \ti2cdev_ioctl_rdwr+0x16a/0x1de\n \ti2cdev_ioctl+0x247/0x2ed\n \tvfs_ioctl+0x21/0x30\n \tsys_ioctl+0xb18/0xb41\n\nThere is no simple fix for this (the driver would have to always create\nbounce buffers and hold on to them until the device eventually returns\nthe buffers), so just disable the timeout support for now."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/i2c/busses/i2c-virtio.c"], "versions": [{"version": "3cfc88380413d20f777dc6648a38f683962e52bf", "lessThan": "cc432b0727ce404cc13e8f6b5ce29f412c3f9f1f", "status": "affected", "versionType": "git"}, {"version": "3cfc88380413d20f777dc6648a38f683962e52bf", "lessThan": "84e1d0bf1d7121759622dabf8fbef4c99ad597c5", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/i2c/busses/i2c-virtio.c"], "versions": [{"version": "5.15", "status": "affected"}, {"version": "0", "lessThan": "5.15", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.6", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.16", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15", "versionEndExcluding": "5.15.6"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15", "versionEndExcluding": "5.16"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/cc432b0727ce404cc13e8f6b5ce29f412c3f9f1f"}, {"url": "https://git.kernel.org/stable/c/84e1d0bf1d7121759622dabf8fbef4c99ad597c5"}], "title": "i2c: virtio: disable timeout handling", "x_generator": {"engine": "bippy-1.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-06-10T18:51:06.665618Z", "id": "CVE-2021-47561", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-10T18:51:14.257Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T05:39:59.771Z"}, "title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/cc432b0727ce404cc13e8f6b5ce29f412c3f9f1f", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/84e1d0bf1d7121759622dabf8fbef4c99ad597c5", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/cc432b0727ce404cc13e8f6b5ce29f412c3f9f1f", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/84e1d0bf1d7121759622dabf8fbef4c99ad597c5", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T05:39:59.771Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2021-47561", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-06-10T18:51:06.665618Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-10T18:51:11.207Z"}}], "cna": {"title": "i2c: virtio: disable timeout handling", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "3cfc88380413d20f777dc6648a38f683962e52bf", "lessThan": "cc432b0727ce404cc13e8f6b5ce29f412c3f9f1f", "versionType": "git"}, {"status": "affected", "version": "3cfc88380413d20f777dc6648a38f683962e52bf", "lessThan": "84e1d0bf1d7121759622dabf8fbef4c99ad597c5", "versionType": "git"}], "programFiles": ["drivers/i2c/busses/i2c-virtio.c"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "5.15"}, {"status": "unaffected", "version": "0", "lessThan": "5.15", "versionType": "semver"}, {"status": "unaffected", "version": "5.15.6", "versionType": "semver", "lessThanOrEqual": "5.15.*"}, {"status": "unaffected", "version": "5.16", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["drivers/i2c/busses/i2c-virtio.c"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/cc432b0727ce404cc13e8f6b5ce29f412c3f9f1f"}, {"url": "https://git.kernel.org/stable/c/84e1d0bf1d7121759622dabf8fbef4c99ad597c5"}], "x_generator": {"engine": "bippy-1.2.0"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: virtio: disable timeout handling\n\nIf a timeout is hit, it can result is incorrect data on the I2C bus\nand/or memory corruptions in the guest since the device can still be\noperating on the buffers it was given while the guest has freed them.\n\nHere is, for example, the start of a slub_debug splat which was\ntriggered on the next transfer after one transfer was forced to timeout\nby setting a breakpoint in the backend (rust-vmm/vhost-device):\n\n BUG kmalloc-1k (Not tainted): Poison overwritten\n First byte 0x1 instead of 0x6b\n Allocated in virtio_i2c_xfer+0x65/0x35c age=350 cpu=0 pid=29\n \t__kmalloc+0xc2/0x1c9\n \tvirtio_i2c_xfer+0x65/0x35c\n \t__i2c_transfer+0x429/0x57d\n \ti2c_transfer+0x115/0x134\n \ti2cdev_ioctl_rdwr+0x16a/0x1de\n \ti2cdev_ioctl+0x247/0x2ed\n \tvfs_ioctl+0x21/0x30\n \tsys_ioctl+0xb18/0xb41\n Freed in virtio_i2c_xfer+0x32e/0x35c age=244 cpu=0 pid=29\n \tkfree+0x1bd/0x1cc\n \tvirtio_i2c_xfer+0x32e/0x35c\n \t__i2c_transfer+0x429/0x57d\n \ti2c_transfer+0x115/0x134\n \ti2cdev_ioctl_rdwr+0x16a/0x1de\n \ti2cdev_ioctl+0x247/0x2ed\n \tvfs_ioctl+0x21/0x30\n \tsys_ioctl+0xb18/0xb41\n\nThere is no simple fix for this (the driver would have to always create\nbounce buffers and hold on to them until the device eventually returns\nthe buffers), so just disable the timeout support for now."}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "5.15.6", "versionStartIncluding": "5.15"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "5.16", "versionStartIncluding": "5.15"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-05-04T07:13:36.305Z"}}}, "cveMetadata": {"cveId": "CVE-2021-47561", "state": "PUBLISHED", "dateUpdated": "2025-05-04T07:13:36.305Z", "dateReserved": "2024-05-24T15:11:00.727Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2024-05-24T15:12:50.061Z", "assignerShortName": "Linux"}, "dataVersion": "5.1"}

{"descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: virtio: disable timeout handling\n\nIf a timeout is hit, it can result is incorrect data on the I2C bus\nand/or memory corruptions in the guest since the device can still be\noperating on the buffers it was given while the guest has freed them.\n\nHere is, for example, the start of a slub_debug splat which was\ntriggered on the next transfer after one transfer was forced to timeout\nby setting a breakpoint in the backend (rust-vmm/vhost-device):\n\n BUG kmalloc-1k (Not tainted): Poison overwritten\n First byte 0x1 instead of 0x6b\n Allocated in virtio_i2c_xfer+0x65/0x35c age=350 cpu=0 pid=29\n \t__kmalloc+0xc2/0x1c9\n \tvirtio_i2c_xfer+0x65/0x35c\n \t__i2c_transfer+0x429/0x57d\n \ti2c_transfer+0x115/0x134\n \ti2cdev_ioctl_rdwr+0x16a/0x1de\n \ti2cdev_ioctl+0x247/0x2ed\n \tvfs_ioctl+0x21/0x30\n \tsys_ioctl+0xb18/0xb41\n Freed in virtio_i2c_xfer+0x32e/0x35c age=244 cpu=0 pid=29\n \tkfree+0x1bd/0x1cc\n \tvirtio_i2c_xfer+0x32e/0x35c\n \t__i2c_transfer+0x429/0x57d\n \ti2c_transfer+0x115/0x134\n \ti2cdev_ioctl_rdwr+0x16a/0x1de\n \ti2cdev_ioctl+0x247/0x2ed\n \tvfs_ioctl+0x21/0x30\n \tsys_ioctl+0xb18/0xb41\n\nThere is no simple fix for this (the driver would have to always create\nbounce buffers and hold on to them until the device eventually returns\nthe buffers), so just disable the timeout support for now."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: i2c: virtio: deshabilita el manejo del tiempo de espera Si se alcanza un tiempo de espera, puede resultar en datos incorrectos en el bus I2C y/o da\u00f1os en la memoria del invitado, ya que el dispositivo a\u00fan puede estar funcionando. en los buffers que se le dieron mientras el hu\u00e9sped los liber\u00f3. Aqu\u00ed est\u00e1, por ejemplo, el inicio de un splat slub_debug que se activ\u00f3 en la siguiente transferencia despu\u00e9s de que se oblig\u00f3 a que una transferencia expirara estableciendo un punto de interrupci\u00f3n en el backend (rust-vmm/vhost-device): ERROR kmalloc-1k (No contaminado ): Veneno sobrescrito Primer byte 0x1 en lugar de 0x6b Asignado en virtio_i2c_xfer+0x65/0x35c age=350 cpu=0 pid=29 __kmalloc+0xc2/0x1c9 virtio_i2c_xfer+0x65/0x35c __i2c_transfer+0x429/0x57d 0x115/0x134 i2cdev_ioctl_rdwr+0x16a/ 0x1de i2cdev_ioctl+0x247/0x2ed vfs_ioctl+0x21/0x30 sys_ioctl+0xb18/0xb41 Liberado en virtio_i2c_xfer+0x32e/0x35c edad=244 cpu=0 pid=29 kfree+0x1bd/0x1cc x32e/0x35c __i2c_transfer+0x429/0x57d i2c_transfer+0x115 /0x134 i2cdev_ioctl_rdwr+0x16a/0x1de i2cdev_ioctl+0x247/0x2ed vfs_ioctl+0x21/0x30 sys_ioctl+0xb18/0xb41 No existe una soluci\u00f3n sencilla para esto (el controlador siempre tendr\u00eda que crear b\u00faferes de rebote y conservarlos hasta que el dispositivo finalmente devuelva el b\u00faferes), as\u00ed que simplemente deshabilite el soporte de tiempo de espera por ahora."}], "id": "CVE-2021-47561", "lastModified": "2024-11-21T06:36:33.640", "metrics": {}, "published": "2024-05-24T15:15:20.690", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/84e1d0bf1d7121759622dabf8fbef4c99ad597c5"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/cc432b0727ce404cc13e8f6b5ce29f412c3f9f1f"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://git.kernel.org/stable/c/84e1d0bf1d7121759622dabf8fbef4c99ad597c5"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://git.kernel.org/stable/c/cc432b0727ce404cc13e8f6b5ce29f412c3f9f1f"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: i2c: virtio: disable timeout handling", "id": "2283388", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2283388"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.2", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:H", "status": "draft"}, "cwe": "CWE-119", "details": ["In the Linux kernel, the following vulnerability has been resolved:\ni2c: virtio: disable timeout handling\nIf a timeout is hit, it can result is incorrect data on the I2C bus\nand/or memory corruptions in the guest since the device can still be\noperating on the buffers it was given while the guest has freed them.\nHere is, for example, the start of a slub_debug splat which was\ntriggered on the next transfer after one transfer was forced to timeout\nby setting a breakpoint in the backend (rust-vmm/vhost-device):\nBUG kmalloc-1k (Not tainted): Poison overwritten\nFirst byte 0x1 instead of 0x6b\nAllocated in virtio_i2c_xfer+0x65/0x35c age=350 cpu=0 pid=29\n__kmalloc+0xc2/0x1c9\nvirtio_i2c_xfer+0x65/0x35c\n__i2c_transfer+0x429/0x57d\ni2c_transfer+0x115/0x134\ni2cdev_ioctl_rdwr+0x16a/0x1de\ni2cdev_ioctl+0x247/0x2ed\nvfs_ioctl+0x21/0x30\nsys_ioctl+0xb18/0xb41\nFreed in virtio_i2c_xfer+0x32e/0x35c age=244 cpu=0 pid=29\nkfree+0x1bd/0x1cc\nvirtio_i2c_xfer+0x32e/0x35c\n__i2c_transfer+0x429/0x57d\ni2c_transfer+0x115/0x134\ni2cdev_ioctl_rdwr+0x16a/0x1de\ni2cdev_ioctl+0x247/0x2ed\nvfs_ioctl+0x21/0x30\nsys_ioctl+0xb18/0xb41\nThere is no simple fix for this (the driver would have to always create\nbounce buffers and hold on to them until the device eventually returns\nthe buffers), so just disable the timeout support for now.", "A vulnerability was found in the Linux kernel's i2c virtio driver, where timeout handling was improperly managed. If a timeout occurs, the device may continue to process buffers that the guest has already freed, leading to potential data corruption on the I2C bus."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2021-47561", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Will not fix", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-05-24T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-47561\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-47561\nhttps://lore.kernel.org/linux-cve-announce/2024052451-CVE-2021-47561-4a07@gregkh/T"], "threat_severity": "Moderate"}

{"created": "2025-07-12T22:09:48.494950+00:00", "updated": "2025-07-12T22:09:48.495003+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}