UBUNTU-CVE-2021-47636

Advisory lineage Upstream: 1 Downstream: 0

Upstream

CVE-2021-47636

Published: 26 Feb 2025, 06:37

Last modified:03 Jun 2026, 13:34

Vulnerability Summary

Overall Risk (default)

medium

28/100

CVSS Score

7.1 HIGH

3.1 (osv_ubuntu)

EPSS Score

No data

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

26 Feb 2025, 06:37

Published

Vulnerability first disclosed

03 Jun 2026, 13:34

Last Modified

Vulnerability information updated

Description

In the Linux kernel, the following vulnerability has been resolved: ubifs: Fix read out-of-bounds in ubifs_wbuf_write_nolock() Function ubifs_wbuf_write_nolock() may access buf out of bounds in following process: ubifs_wbuf_write_nolock(): aligned_len = ALIGN(len, 8); // Assume len = 4089, aligned_len = 4096 if (aligned_len <= wbuf->avail) ... // Not satisfy if (wbuf->used) { ubifs_leb_write() // Fill some data in avail wbuf len -= wbuf->avail; // len is still not 8-bytes aligned aligned_len -= wbuf->avail; } n = aligned_len >> c->max_write_shift; if (n) { n <<= c->max_write_shift; err = ubifs_leb_write(c, wbuf->lnum, buf + written, wbuf->offs, n); // n > len, read out of bounds less than 8(n-len) bytes } , which can be catched by KASAN: ========================================================= BUG: KASAN: slab-out-of-bounds in ecc_sw_hamming_calculate+0x1dc/0x7d0 Read of size 4 at addr ffff888105594ff8 by task kworker/u8:4/128 Workqueue: writeback wb_workfn (flush-ubifs_0_0) Call Trace: kasan_report.cold+0x81/0x165 nand_write_page_swecc+0xa9/0x160 ubifs_leb_write+0xf2/0x1b0 [ubifs] ubifs_wbuf_write_nolock+0x421/0x12c0 [ubifs] write_head+0xdc/0x1c0 [ubifs] ubifs_jnl_write_inode+0x627/0x960 [ubifs] wb_workfn+0x8af/0xb80 Function ubifs_wbuf_write_nolock() accepts that parameter 'len' is not 8 bytes aligned, the 'len' represents the true length of buf (which is allocated in 'ubifs_jnl_xxx', eg. ubifs_jnl_write_inode), so ubifs_wbuf_write_nolock() must handle the length read from 'buf' carefully to write leb safely. Fetch a reproducer in [Link].

CVSS Metrics

v3.1•HIGH•Score: 7.1CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

Affected Systems

ubuntu•linux
all | < 5.4.0-117.132 | < 5.15.0-37.39
ubuntu•linux-allwinner-5.19
all
ubuntu•linux-aws
all | < 5.4.0-1078.84 | < 5.15.0-1011.14
ubuntu•linux-aws-5.0
all
ubuntu•linux-aws-5.11
all
ubuntu•linux-aws-5.13
all
ubuntu•linux-aws-5.19
all
ubuntu•linux-aws-5.3
all
ubuntu•linux-aws-5.4
< 5.4.0-1078.84~18.04.1
ubuntu•linux-aws-5.8
all
ubuntu•linux-aws-6.2
all
ubuntu•linux-aws-6.5
all
ubuntu•linux-aws-fips
all | < 5.4.0-1078.84+fips1
ubuntu•linux-aws-hwe
all
ubuntu•linux-azure
all | all | < 5.4.0-1083.87 | < 5.15.0-1010.12
ubuntu•linux-azure-4.15
all
ubuntu•linux-azure-5.11
all
ubuntu•linux-azure-5.13
all
ubuntu•linux-azure-5.15
< 5.15.0-1008.9~20.04.1
ubuntu•linux-azure-5.19
all
ubuntu•linux-azure-5.3
all
ubuntu•linux-azure-5.4
< 5.4.0-1083.87~18.04.1
ubuntu•linux-azure-5.8
all
ubuntu•linux-azure-6.2
all
ubuntu•linux-azure-6.5
all
ubuntu•linux-azure-edge
all
ubuntu•linux-azure-fde
all
ubuntu•linux-azure-fde-5.19
all
ubuntu•linux-azure-fde-6.2
all
ubuntu•linux-azure-fips
all | < 5.4.0-1083.87+fips1
ubuntu•linux-bluefield
< 5.4.0-1040.44 | all
ubuntu•linux-fips
all | < 5.4.0-1054.61
ubuntu•linux-gcp
all | all | < 5.4.0-1078.84 | < 5.15.0-1008.12
ubuntu•linux-gcp-4.15
all
ubuntu•linux-gcp-5.11
all
ubuntu•linux-gcp-5.13
all
ubuntu•linux-gcp-5.19
all
ubuntu•linux-gcp-5.3
all
ubuntu•linux-gcp-5.4
< 5.4.0-1078.84~18.04.1
ubuntu•linux-gcp-5.8
all
ubuntu•linux-gcp-6.2
all
ubuntu•linux-gcp-6.5
all
ubuntu•linux-gcp-fips
all | < 5.4.0-1078.84+fips1
ubuntu•linux-gke
all | < 5.15.0-1008.10
ubuntu•linux-gke-4.15
all
ubuntu•linux-gke-5.15
all
ubuntu•linux-gke-5.4
all
ubuntu•linux-gkeop
all
ubuntu•linux-gkeop-5.15
all
ubuntu•linux-gkeop-5.4
all

Showing first 50 affected entries in server-rendered view.