CVE-2021-47456: can: peak_pci: peak_pci_remove(): fix UAF
In the Linux kernel, the following vulnerability has been resolved:
can: peak_pci: peak_pci_remove(): fix UAF
The Linux kernel CVE team has assigned CVE-2021-47456 to this issue.
Upstream advisory: https://lore.kernel.org/linux-cve-announce/2024052244-CVE-2021-47456-dc47@gregkh/T
Other sources
In the Linux kernel, the following vulnerability has been resolved:
can: peak_pci: peak_pci_remove(): fix UAF
When removing the module peak_pci, referencing 'chan' again after releasing 'dev' will cause UAF.
Fix this by releasing 'dev' later.
The following log reveals it:
[   35.961814 ] BUG: KASAN: use-after-free in peak_pci_remove+0x16f/0x270 [peak_pci]
[   35.963414 ] Read of size 8 at addr ffff888136998ee8 by task modprobe/5537
[   35.965513 ] Call Trace:
[   35.965718 ]  dump_stack_lvl+0xa8/0xd1
[   35.966028 ]  print_address_description+0x87/0x3b0
[   35.966420 ]  kasan_report+0x172/0x1c0
[   35.966725 ]  ? peak_pci_remove+0x16f/0x270 [peak_pci]
[   35.967137 ]  ? trace_irq_enable_rcuidle+0x10/0x170
[   35.967529 ]  ? peak_pci_remove+0x16f/0x270 [peak_pci]
[   35.967945 ]  __asan_report_load8_noabort+0x14/0x20
[   35.968346 ]  peak_pci_remove+0x16f/0x270 [peak_pci]
[   35.968752 ]  pci_device_remove+0xa9/0x250
— NVD
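The ordering bug described above, modelled in user-space C as an added example (this is not the kernel driver's code). It assumes, as netdev_priv() gives in the kernel, that the per-channel private data 'chan' lives inside the 'dev' allocation, so releasing 'dev' also frees 'chan'; the names free_dev, remove_channels and owns_card are the model's own, and free_dev poisons instead of freeing so the stale read can be counted rather than being undefined behaviour.

```c
#include <stddef.h>
#include <string.h>

struct chan {              /* stand-in for the driver's per-channel private data */
    struct dev *prev_dev;  /* channel registered before this one; NULL on the first */
    int owns_card;         /* 1 on the first channel, which owns the shared card */
};
struct dev {               /* stand-in for a net_device with its private area */
    int freed;             /* set by free_dev(): our "KASAN" freed marker */
    struct chan priv;      /* what netdev_priv() returns: lives inside the device */
};

static struct chan *priv_of(struct dev *d) { return &d->priv; }
static struct dev *dev_of(struct chan *c) {
    return (struct dev *)((char *)c - offsetof(struct dev, priv));
}

/* Models unregister+free: poison instead of freeing, so a stale read of
 * 'chan' is observable and countable rather than undefined behaviour. */
static void free_dev(struct dev *d) { d->freed = 1; memset(&d->priv, 0xAA, sizeof d->priv); }

/* Walks from the last registered channel back to the first, as the remove
 * routine does. fixed=0 keeps the advisory's order (the first channel's card
 * check reads 'chan' after 'dev' is released); fixed=1 does the check first.
 * Returns how many reads hit freed memory; *released counts card releases. */
static int remove_channels(struct dev *dev, int fixed, int *released)
{
    struct chan *chan = priv_of(dev);
    int uaf_reads = 0;
    *released = 0;
    while (1) {
        struct dev *prev_dev = chan->prev_dev;
        if (fixed && !prev_dev && chan->owns_card == 1)
            (*released)++;             /* first channel: release card before free */
        free_dev(dev);                 /* from here 'chan' points into freed memory */
        dev = prev_dev;
        if (!dev) {
            if (!fixed) {              /* original order: touches stale 'chan' */
                if (dev_of(chan)->freed)
                    uaf_reads++;       /* the access KASAN reported */
                if (chan->owns_card == 1)
                    (*released)++;     /* poisoned flag: card never released */
            }
            break;
        }
        chan = priv_of(dev);
    }
    return uaf_reads;
}
```

With two constructed channels, the original order reports one read of freed memory and never reaches the card release, while the corrected order reports none and releases the card exactly once.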
Frequently Asked Questions
What is the severity of CVE-2021-47456?
CVE-2021-47456 has been classified as having a medium severity level.
How do I fix CVE-2021-47456?
To mitigate CVE-2021-47456, upgrade to the patched kernel versions provided in the advisory.
Which versions of the Linux kernel are affected by CVE-2021-47456?
CVE-2021-47456 affects various versions of the Linux kernel prior to 4.4.290, 4.9.288, 4.14.253, 4.19.214, 5.4.156, 5.10.76, 5.14.15, and 5.15.
What type of vulnerability is CVE-2021-47456?
CVE-2021-47456 is a use-after-free (UAF) vulnerability in the Linux kernel.
Who maintains the security updates for CVE-2021-47456?
The Linux kernel CVE team is responsible for maintaining security updates related to CVE-2021-47456.