[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"repo-stars":3,"vuln-DEBIAN-CVE-2021-47118":6},{"stargazers_count":4,"fetched_at":5},7,"2026-06-04T08:53:30.047Z",{"id":7,"descriptions":8,"cisa":9,"weaknesses":10,"exploits":11,"aliases":12,"duplicate_of":9,"upstream":13,"downstream":16,"duplicates":17,"related":18,"reserved_at":9,"published_at":19,"modified_at":20,"state":9,"summary":21,"references_raw":23,"kevs":30,"epss":9,"epss_history":31,"metrics":32,"affected":39},"DEBIAN-CVE-2021-47118","In the Linux kernel, the following vulnerability has been resolved:  pid: take a reference when initializing `cad_pid`  During boot, kernel_init_freeable() initializes `cad_pid` to the init task's struct pid.  Later on, we may change `cad_pid` via a sysctl, and when this happens proc_do_cad_pid() will increment the refcount on the new pid via get_pid(), and will decrement the refcount on the old pid via put_pid().  As we never called get_pid() when we initialized `cad_pid`, we decrement a reference we never incremented, can therefore free the init task's struct pid early.  As there can be dangling references to the struct pid, we can later encounter a use-after-free (e.g.  when delivering signals).  This was spotted when fuzzing v5.13-rc3 with Syzkaller, but seems to have been around since the conversion of `cad_pid` to struct pid in commit 9ec52099e4b8 (\"[PATCH] replace cad_pid by a struct pid\") from the pre-KASAN stone age of v2.6.19.  Fix this by getting a reference to the init task's struct pid when we assign it to `cad_pid`.  Full KASAN splat below.     ==================================================================    BUG: KASAN: use-after-free in ns_of_pid include/linux/pid.h:153 [inline]    BUG: KASAN: use-after-free in task_active_pid_ns+0xc0/0xc8 kernel/pid.c:509    Read of size 4 at addr ffff23794dda0004 by task syz-executor.0/273     CPU: 1 PID: 273 Comm: syz-executor.0 Not tainted 5.12.0-00001-g9aef892b2d15 #1    Hardware name: linux,dummy-virt (DT)    Call trace:     ns_of_pid include/linux/pid.h:153 [inline]     task_active_pid_ns+0xc0/0xc8 kernel/pid.c:509     do_notify_parent+0x308/0xe60 kernel/signal.c:1950     exit_notify kernel/exit.c:682 [inline]     do_exit+0x2334/0x2bd0 kernel/exit.c:845     do_group_exit+0x108/0x2c8 kernel/exit.c:922     get_signal+0x4e4/0x2a88 kernel/signal.c:2781     do_signal arch/arm64/kernel/signal.c:882 [inline]     do_notify_resume+0x300/0x970 arch/arm64/kernel/signal.c:936     work_pending+0xc/0x2dc     Allocated by task 0:     slab_post_alloc_hook+0x50/0x5c0 mm/slab.h:516     slab_alloc_node mm/slub.c:2907 [inline]     slab_alloc mm/slub.c:2915 [inline]     kmem_cache_alloc+0x1f4/0x4c0 mm/slub.c:2920     alloc_pid+0xdc/0xc00 kernel/pid.c:180     copy_process+0x2794/0x5e18 kernel/fork.c:2129     kernel_clone+0x194/0x13c8 kernel/fork.c:2500     kernel_thread+0xd4/0x110 kernel/fork.c:2552     rest_init+0x44/0x4a0 init/main.c:687     arch_call_rest_init+0x1c/0x28     start_kernel+0x520/0x554 init/main.c:1064     0x0     Freed by task 270:     slab_free_hook mm/slub.c:1562 [inline]     slab_free_freelist_hook+0x98/0x260 mm/slub.c:1600     slab_free mm/slub.c:3161 [inline]     kmem_cache_free+0x224/0x8e0 mm/slub.c:3177     put_pid.part.4+0xe0/0x1a8 kernel/pid.c:114     put_pid+0x30/0x48 kernel/pid.c:109     proc_do_cad_pid+0x190/0x1b0 kernel/sysctl.c:1401     proc_sys_call_handler+0x338/0x4b0 fs/proc/proc_sysctl.c:591     proc_sys_write+0x34/0x48 fs/proc/proc_sysctl.c:617     call_write_iter include/linux/fs.h:1977 [inline]     new_sync_write+0x3ac/0x510 fs/read_write.c:518     vfs_write fs/read_write.c:605 [inline]     vfs_write+0x9c4/0x1018 fs/read_write.c:585     ksys_write+0x124/0x240 fs/read_write.c:658     __do_sys_write fs/read_write.c:670 [inline]     __se_sys_write fs/read_write.c:667 [inline]     __arm64_sys_write+0x78/0xb0 fs/read_write.c:667     __invoke_syscall arch/arm64/kernel/syscall.c:37 [inline]     invoke_syscall arch/arm64/kernel/syscall.c:49 [inline]     el0_svc_common.constprop.1+0x16c/0x388 arch/arm64/kernel/syscall.c:129     do_el0_svc+0xf8/0x150 arch/arm64/kernel/syscall.c:168     el0_svc+0x28/0x38 arch/arm64/kernel/entry-common.c:416     el0_sync_handler+0x134/0x180 arch/arm64/kernel/entry-common.c:432     el0_sync+0x154/0x180 arch/arm64/kernel/entry.S:701     The buggy address belongs to the object at ffff23794dda0000     which belongs to the cache pid of size 224    The buggy address is located 4 bytes inside of     224-byte region [ff ---truncated---",null,[],[],[],[14],{"_key":15},"CVE-2021-47118",[],[],[],"2024-03-15T21:15:06.943Z","2026-04-28T20:23:19.396487Z",{"cisa_kev":22,"cisa_ransomware":22,"cisa_vendor":9,"epss_severity":9,"epss_score":9,"severity":9,"severity_score":9,"severity_version":9,"severity_source":9,"severity_vector":9,"severity_status":9},false,[24],{"url":25,"sources":26,"tags":28},"https://security-tracker.debian.org/tracker/CVE-2021-47118",[27],"osv_debian",[29],"Advisory",[],[],[33],{"source":27,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":34,"cvss_v4_0":9},{"baseScore":35,"baseSeverity":9,"vectorString":36,"impactScore":37,"exploitabilityScore":38},7.8,"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",9.8,4.6,[40],{"ecosystem":41,"name":42,"vendor":43,"product":42,"cpe_part":9,"purl_type":44,"purl_namespace":43,"purl_name":42,"source":9,"versions":45},"Debian","linux","debian","deb",[46,52,53,54],{"version":47,"is_range":48,"range_type":49,"version_start":9,"version_start_type":9,"version_end":50,"version_end_type":51,"fixed_in":9},"lt5_10_46_1",true,"ecosystem","5.10.46-1","excluding",{"version":47,"is_range":48,"range_type":49,"version_start":9,"version_start_type":9,"version_end":50,"version_end_type":51,"fixed_in":9},{"version":47,"is_range":48,"range_type":49,"version_start":9,"version_start_type":9,"version_end":50,"version_end_type":51,"fixed_in":9},{"version":47,"is_range":48,"range_type":49,"version_start":9,"version_start_type":9,"version_end":50,"version_end_type":51,"fixed_in":9}]