CVE-2021-47259

Name of the Vulnerable Software and Affected Versions Linux kernel versions 4.13 through 5.10

Description The issue is related to a use-after-free in the nfs4 init client() function. KASAN reports a use-after-free when attempting to mount two different exports through two different NICs that belong to the same server. This could potentially impact the confidentiality, integrity, and availability of protected information. The problem seems to have arisen due to a change in the refcounting of the clp pointer, making the call to nfs put client() the last one.

Recommendations For Linux kernel versions 4.13 through 5.10, consider updating to a newer version that includes the fix for the use-after-free in nfs4 init client(). As a temporary workaround, consider disabling the nfs4 init client() function until a patch is available. Restrict access to the vulnerable NFS module to minimize the risk of exploitation. Avoid using the nfs4 init client() function in scenarios where it could be exploited until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.