PT-2024-11358 · Linux+2 · Linux Kernel+2

Dan Carpenter · Published 2021-09-14 · Updated 2024-12-26 · CVE-2021-47361

CVSS v3.1: 7.8 High

Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified)
Description: The issue concerns error handling in the mcb_alloc_bus() function. There are two bugs:
  1. If ida_simple_get() fails, the code calls put_device(carrier) without previously calling get_device(carrier), potentially leading to a use-after-free.
  2. After device_initialize(), put_device() should be used to release the bus, freeing internal resources tied to the device and calling mcb_free_bus() to free the rest.
Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
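
The two error-path rules from the description, shown in a user-space C model that is added here and is not the kernel's mcb code. The names struct dev, dev_init(), dev_put() and alloc_bus_buggy()/alloc_bus_fixed() are hypothetical stand-ins for struct device, device_initialize(), put_device() and mcb_alloc_bus(); the id_fails and add_fails flags simulate the failing calls.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for struct device: a refcount plus a release callback. */
struct dev { int refs; struct dev *parent; void (*release)(struct dev *); };

static void dev_init(struct dev *d, void (*rel)(struct dev *)) { d->refs = 1; d->parent = NULL; d->release = rel; }
static void dev_put(struct dev *d) { if (--d->refs == 0 && d->release) d->release(d); }

static int bus_frees;                       /* how many times the bus release callback ran */
static void bus_release(struct dev *d) { bus_frees++; free(d); }

/* Buggy shape (bug 1): the ID failure path drops a carrier reference it never took. */
static struct dev *alloc_bus_buggy(struct dev *carrier, int id_fails)
{
    struct dev *bus = calloc(1, sizeof(*bus));
    if (!bus) return NULL;
    if (id_fails) {
        dev_put(carrier);                   /* unbalanced put: carrier can hit zero under its owner */
        free(bus);
        return NULL;
    }
    dev_init(bus, bus_release);
    bus->parent = carrier;
    return bus;
}

/* Fixed shape: plain free before initialisation, dev_put() on the bus after it. */
static struct dev *alloc_bus_fixed(struct dev *carrier, int id_fails, int add_fails)
{
    struct dev *bus = calloc(1, sizeof(*bus));
    if (!bus) return NULL;
    if (id_fails) { free(bus); return NULL; }        /* not initialised yet, carrier untouched */
    dev_init(bus, bus_release);                      /* from here only dev_put() may free the bus */
    bus->parent = carrier;
    if (add_fails) { dev_put(bus); return NULL; }    /* bug 2 rule: release runs exactly once */
    return bus;
}

/* Carrier refcount after a failed ID allocation; 0 means it was released under its owner. */
static int carrier_refs_after_id_failure(int use_fixed)
{
    struct dev carrier;
    dev_init(&carrier, NULL);               /* the owner holds the only reference */
    if (use_fixed) alloc_bus_fixed(&carrier, 1, 0); else alloc_bus_buggy(&carrier, 1);
    return carrier.refs;
}

int main(void) { printf("buggy=%d fixed=%d\n", carrier_refs_after_id_failure(0), carrier_refs_after_id_failure(1)); return 0; }
```

A carrier count of 0 in the buggy path is the precondition for the use-after-free: the owner still holds a pointer to an object whose last reference has been dropped.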

Use After Free

Weakness Enumeration

Related Identifiers

BDU:2025-07460
CVE-2021-47361
OESA-2024-1692
OPENSUSE-SU-2024_2189-1
SUSE-SU-2024:1979-1
SUSE-SU-2024:1983-1
SUSE-SU-2024:2008-1
SUSE-SU-2024:2011-1
SUSE-SU-2024:2019-1
SUSE-SU-2024:2184-1
SUSE-SU-2024:2189-1
SUSE-SU-2024:2190-1

Affected Products

Astra Linux
Linux Kernel
Suse