{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2021-47636","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-02-26T01:48:21.519Z","datePublished":"2025-02-26T01:54:10.206Z","dateUpdated":"2025-10-01T19:57:08.785Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2025-05-04T07:15:15.334Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nubifs: Fix read out-of-bounds in ubifs_wbuf_write_nolock()\n\nFunction ubifs_wbuf_write_nolock() may access buf out of bounds in\nfollowing process:\n\nubifs_wbuf_write_nolock():\n  aligned_len = ALIGN(len, 8);   // Assume len = 4089, aligned_len = 4096\n  if (aligned_len <= wbuf->avail) ... // Not satisfy\n  if (wbuf->used) {\n    ubifs_leb_write()  // Fill some data in avail wbuf\n    len -= wbuf->avail;   // len is still not 8-bytes aligned\n    aligned_len -= wbuf->avail;\n  }\n  n = aligned_len >> c->max_write_shift;\n  if (n) {\n    n <<= c->max_write_shift;\n    err = ubifs_leb_write(c, wbuf->lnum, buf + written,\n                          wbuf->offs, n);\n    // n > len, read out of bounds less than 8(n-len) bytes\n  }\n\n, which can be catched by KASAN:\n  =========================================================\n  BUG: KASAN: slab-out-of-bounds in ecc_sw_hamming_calculate+0x1dc/0x7d0\n  Read of size 4 at addr ffff888105594ff8 by task kworker/u8:4/128\n  Workqueue: writeback wb_workfn (flush-ubifs_0_0)\n  Call Trace:\n    kasan_report.cold+0x81/0x165\n    nand_write_page_swecc+0xa9/0x160\n    ubifs_leb_write+0xf2/0x1b0 [ubifs]\n    ubifs_wbuf_write_nolock+0x421/0x12c0 [ubifs]\n    write_head+0xdc/0x1c0 [ubifs]\n    ubifs_jnl_write_inode+0x627/0x960 [ubifs]\n    wb_workfn+0x8af/0xb80\n\nFunction ubifs_wbuf_write_nolock() accepts that parameter 'len' is not 8\nbytes aligned, the 'len' represents the true length of buf (which is\nallocated in 'ubifs_jnl_xxx', eg. ubifs_jnl_write_inode), so\nubifs_wbuf_write_nolock() must handle the length read from 'buf' carefully\nto write leb safely.\n\nFetch a reproducer in [Link]."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/ubifs/io.c"],"versions":[{"version":"1e51764a3c2ac05a23a22b2a95ddee4d9bffb16d","lessThan":"5343575aa11c5d7044107d59d43f84aec01312b0","status":"affected","versionType":"git"},{"version":"1e51764a3c2ac05a23a22b2a95ddee4d9bffb16d","lessThan":"b80ccbec0e4804436c382d7dd60e943c386ed83a","status":"affected","versionType":"git"},{"version":"1e51764a3c2ac05a23a22b2a95ddee4d9bffb16d","lessThan":"07a209fadee7b53b46858538e1177597273862e4","status":"affected","versionType":"git"},{"version":"1e51764a3c2ac05a23a22b2a95ddee4d9bffb16d","lessThan":"a7054aaf1909cf40489c0ec1b728fdcf79c751a6","status":"affected","versionType":"git"},{"version":"1e51764a3c2ac05a23a22b2a95ddee4d9bffb16d","lessThan":"e09fa5318d51f522e1af4fbaf8f74999355980c8","status":"affected","versionType":"git"},{"version":"1e51764a3c2ac05a23a22b2a95ddee4d9bffb16d","lessThan":"3b7fb89135a20587d57f8877c02e25003e9edbdf","status":"affected","versionType":"git"},{"version":"1e51764a3c2ac05a23a22b2a95ddee4d9bffb16d","lessThan":"4f2262a334641e05f645364d5ade1f565c85f20b","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/ubifs/io.c"],"versions":[{"version":"2.6.27","status":"affected"},{"version":"0","lessThan":"2.6.27","status":"unaffected","versionType":"semver"},{"version":"4.19.238","lessThanOrEqual":"4.19.*","status":"unaffected","versionType":"semver"},{"version":"5.4.189","lessThanOrEqual":"5.4.*","status":"unaffected","versionType":"semver"},{"version":"5.10.110","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.33","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"5.16.19","lessThanOrEqual":"5.16.*","status":"unaffected","versionType":"semver"},{"version":"5.17.2","lessThanOrEqual":"5.17.*","status":"unaffected","versionType":"semver"},{"version":"5.18","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.27","versionEndExcluding":"4.19.238"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.27","versionEndExcluding":"5.4.189"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.27","versionEndExcluding":"5.10.110"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.27","versionEndExcluding":"5.15.33"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.27","versionEndExcluding":"5.16.19"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.27","versionEndExcluding":"5.17.2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.27","versionEndExcluding":"5.18"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/5343575aa11c5d7044107d59d43f84aec01312b0"},{"url":"https://git.kernel.org/stable/c/b80ccbec0e4804436c382d7dd60e943c386ed83a"},{"url":"https://git.kernel.org/stable/c/07a209fadee7b53b46858538e1177597273862e4"},{"url":"https://git.kernel.org/stable/c/a7054aaf1909cf40489c0ec1b728fdcf79c751a6"},{"url":"https://git.kernel.org/stable/c/e09fa5318d51f522e1af4fbaf8f74999355980c8"},{"url":"https://git.kernel.org/stable/c/3b7fb89135a20587d57f8877c02e25003e9edbdf"},{"url":"https://git.kernel.org/stable/c/4f2262a334641e05f645364d5ade1f565c85f20b"}],"title":"ubifs: Fix read out-of-bounds in ubifs_wbuf_write_nolock()","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"metrics":[{"cvssV3_1":{"scope":"UNCHANGED","version":"3.1","baseScore":7.1,"attackVector":"LOCAL","baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H","integrityImpact":"NONE","userInteraction":"NONE","attackComplexity":"LOW","availabilityImpact":"HIGH","privilegesRequired":"LOW","confidentialityImpact":"HIGH"}},{"other":{"type":"ssvc","content":{"id":"CVE-2021-47636","role":"CISA Coordinator","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"version":"2.0.3","timestamp":"2025-10-01T19:50:54.449259Z"}}}],"problemTypes":[{"descriptions":[{"lang":"en","type":"CWE","cweId":"CWE-125","description":"CWE-125 Out-of-bounds Read"}]}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-10-01T19:57:08.785Z"}}]}}