CVE-2021-47636

Advisory lineage Upstream: 0 Downstream: 6

Downstream

DEBIAN-CVE-2021-47636 SUSE-SU-2025:1027-1 SUSE-SU-2025:1176-1 SUSE-SU-2025:1183-1 SUSE-SU-2025:1241-1 UBUNTU-CVE-2021-47636

Modified

Published: 26 Feb 2025, 01:54

Last modified:11 May 2026, 13:58

Vulnerability Summary

Overall Risk (default)

medium

28/100

CVSS Score

7.1 HIGH

v3.1 (cve.org)

EPSS Score

0.01% LOW

0% probability -0.02%

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

26 Feb 2025, 01:54

Published

Vulnerability first disclosed

11 May 2026, 13:58

Last Modified

Vulnerability information updated

Description

In the Linux kernel, the following vulnerability has been resolved: ubifs: Fix read out-of-bounds in ubifs_wbuf_write_nolock() Function ubifs_wbuf_write_nolock() may access buf out of bounds in following process: ubifs_wbuf_write_nolock(): aligned_len = ALIGN(len, 8); // Assume len = 4089, aligned_len = 4096 if (aligned_len <= wbuf->avail) ... // Not satisfy if (wbuf->used) { ubifs_leb_write() // Fill some data in avail wbuf len -= wbuf->avail; // len is still not 8-bytes aligned aligned_len -= wbuf->avail; } n = aligned_len >> c->max_write_shift; if (n) { n <<= c->max_write_shift; err = ubifs_leb_write(c, wbuf->lnum, buf + written, wbuf->offs, n); // n > len, read out of bounds less than 8(n-len) bytes } , which can be catched by KASAN: ========================================================= BUG: KASAN: slab-out-of-bounds in ecc_sw_hamming_calculate+0x1dc/0x7d0 Read of size 4 at addr ffff888105594ff8 by task kworker/u8:4/128 Workqueue: writeback wb_workfn (flush-ubifs_0_0) Call Trace: kasan_report.cold+0x81/0x165 nand_write_page_swecc+0xa9/0x160 ubifs_leb_write+0xf2/0x1b0 [ubifs] ubifs_wbuf_write_nolock+0x421/0x12c0 [ubifs] write_head+0xdc/0x1c0 [ubifs] ubifs_jnl_write_inode+0x627/0x960 [ubifs] wb_workfn+0x8af/0xb80 Function ubifs_wbuf_write_nolock() accepts that parameter 'len' is not 8 bytes aligned, the 'len' represents the true length of buf (which is allocated in 'ubifs_jnl_xxx', eg. ubifs_jnl_write_inode), so ubifs_wbuf_write_nolock() must handle the length read from 'buf' carefully to write leb safely. Fetch a reproducer in [Link].

CVSS Metrics

v3.1•HIGH•Score: 7.1CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

EPSS Trends

Current EPSS score: 0.01%• Percentile: 3%

Techniques & Countermeasures

CWE-125•Out-of-bounds Read
The product reads data past the end, or before the beginning, of the intended buffer.

Affected Systems

linux•linux
≥ 1e51764a3c2ac05a23a22b2a95ddee4d9bffb16d, < 5343575aa11c5d7044107d59d43f84aec01312b0 | ≥ 1e51764a3c2ac05a23a22b2a95ddee4d9bffb16d, < b80ccbec0e4804436c382d7dd60e943c386ed83a | ≥ 1e51764a3c2ac05a23a22b2a95ddee4d9bffb16d, < 07a209fadee7b53b46858538e1177597273862e4 | ≥ 1e51764a3c2ac05a23a22b2a95ddee4d9bffb16d, < a7054aaf1909cf40489c0ec1b728fdcf79c751a6 | ≥ 1e51764a3c2ac05a23a22b2a95ddee4d9bffb16d, < e09fa5318d51f522e1af4fbaf8f74999355980c8 | ≥ 1e51764a3c2ac05a23a22b2a95ddee4d9bffb16d, < 3b7fb89135a20587d57f8877c02e25003e9edbdf | ≥ 1e51764a3c2ac05a23a22b2a95ddee4d9bffb16d, < 4f2262a334641e05f645364d5ade1f565c85f20b | 2.6.27
linux•linux_kernel
≥ 2.6.27, < 4.19.238 | ≥ 4.20, < 5.4.189 | ≥ 5.5, < 5.10.110 | ≥ 5.11, < 5.15.33 | ≥ 5.16, < 5.16.19 | ≥ 5.17, < 5.17.2