[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"repo-stars":3,"vuln-DEBIAN-CVE-2021-47069":6},{"stargazers_count":4,"fetched_at":5},7,"2026-06-04T08:53:30.047Z",{"id":7,"descriptions":8,"cisa":9,"weaknesses":10,"exploits":11,"aliases":12,"duplicate_of":9,"upstream":13,"downstream":16,"duplicates":17,"related":18,"reserved_at":9,"published_at":19,"modified_at":20,"state":9,"summary":21,"references_raw":23,"kevs":30,"epss":9,"epss_history":31,"metrics":32,"affected":38},"DEBIAN-CVE-2021-47069","In the Linux kernel, the following vulnerability has been resolved:  ipc/mqueue, msg, sem: avoid relying on a stack reference past its expiry  do_mq_timedreceive calls wq_sleep with a stack local address.  The sender (do_mq_timedsend) uses this address to later call pipelined_send.  This leads to a very hard to trigger race where a do_mq_timedreceive call might return and leave do_mq_timedsend to rely on an invalid address, causing the following crash:    RIP: 0010:wake_q_add_safe+0x13/0x60   Call Trace:    __x64_sys_mq_timedsend+0x2a9/0x490    do_syscall_64+0x80/0x680    entry_SYSCALL_64_after_hwframe+0x44/0xa9   RIP: 0033:0x7f5928e40343  The race occurs as:  1. do_mq_timedreceive calls wq_sleep with the address of `struct    ext_wait_queue` on function stack (aliased as `ewq_addr` here) - it    holds a valid `struct ext_wait_queue *` as long as the stack has not    been overwritten.  2. `ewq_addr` gets added to info->e_wait_q[RECV].list in wq_add, and    do_mq_timedsend receives it via wq_get_first_waiter(info, RECV) to call    __pipelined_op.  3. Sender calls __pipelined_op::smp_store_release(&this->state,    STATE_READY).  Here is where the race window begins.  (`this` is    `ewq_addr`.)  4. If the receiver wakes up now in do_mq_timedreceive::wq_sleep, it    will see `state == STATE_READY` and break.  5. do_mq_timedreceive returns, and `ewq_addr` is no longer guaranteed    to be a `struct ext_wait_queue *` since it was on do_mq_timedreceive's    stack.  (Although the address may not get overwritten until another    function happens to touch it, which means it can persist around for an    indefinite time.)  6. do_mq_timedsend::__pipelined_op() still believes `ewq_addr` is a    `struct ext_wait_queue *`, and uses it to find a task_struct to pass to    the wake_q_add_safe call.  In the lucky case where nothing has    overwritten `ewq_addr` yet, `ewq_addr->task` is the right task_struct.    In the unlucky case, __pipelined_op::wake_q_add_safe gets handed a    bogus address as the receiver's task_struct causing the crash.  do_mq_timedsend::__pipelined_op() should not dereference `this` after setting STATE_READY, as the receiver counterpart is now free to return. Change __pipelined_op to call wake_q_add_safe on the receiver's task_struct returned by get_task_struct, instead of dereferencing `this` which sits on the receiver's stack.  As Manfred pointed out, the race potentially also exists in ipc/msg.c::expunge_all and ipc/sem.c::wake_up_sem_queue_prepare.  Fix those in the same way.",null,[],[],[],[14],{"_key":15},"CVE-2021-47069",[],[],[],"2024-03-01T22:15:46.857Z","2026-04-28T20:23:17.487625Z",{"cisa_kev":22,"cisa_ransomware":22,"cisa_vendor":9,"epss_severity":9,"epss_score":9,"severity":9,"severity_score":9,"severity_version":9,"severity_source":9,"severity_vector":9,"severity_status":9},false,[24],{"url":25,"sources":26,"tags":28},"https://security-tracker.debian.org/tracker/CVE-2021-47069",[27],"osv_debian",[29],"Advisory",[],[],[33],{"source":27,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":34,"cvss_v4_0":9},{"baseScore":4,"baseSeverity":9,"vectorString":35,"impactScore":36,"exploitabilityScore":37},"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",9.8,2.6,[39],{"ecosystem":40,"name":41,"vendor":42,"product":41,"cpe_part":9,"purl_type":43,"purl_namespace":42,"purl_name":41,"source":9,"versions":44},"Debian","linux","debian","deb",[45,51,52,53],{"version":46,"is_range":47,"range_type":48,"version_start":9,"version_start_type":9,"version_end":49,"version_end_type":50,"fixed_in":9},"lt5_10_40_1",true,"ecosystem","5.10.40-1","excluding",{"version":46,"is_range":47,"range_type":48,"version_start":9,"version_start_type":9,"version_end":49,"version_end_type":50,"fixed_in":9},{"version":46,"is_range":47,"range_type":48,"version_start":9,"version_start_type":9,"version_end":49,"version_end_type":50,"fixed_in":9},{"version":46,"is_range":47,"range_type":48,"version_start":9,"version_start_type":9,"version_end":49,"version_end_type":50,"fixed_in":9}]