{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-22T03:04:37.910","vulnerabilities":[{"cve":{"id":"CVE-2021-47505","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2024-05-24T15:15:11.000","lastModified":"2025-01-10T18:00:30.987","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\naio: fix use-after-free due to missing POLLFREE handling\n\nsignalfd_poll() and binder_poll() are special in that they use a\nwaitqueue whose lifetime is the current task, rather than the struct\nfile as is normally the case.  This is okay for blocking polls, since a\nblocking poll occurs within one task; however, non-blocking polls\nrequire another solution.  This solution is for the queue to be cleared\nbefore it is freed, by sending a POLLFREE notification to all waiters.\n\nUnfortunately, only eventpoll handles POLLFREE.  A second type of\nnon-blocking poll, aio poll, was added in kernel v4.18, and it doesn't\nhandle POLLFREE.  This allows a use-after-free to occur if a signalfd or\nbinder fd is polled with aio poll, and the waitqueue gets freed.\n\nFix this by making aio poll handle POLLFREE.\n\nA patch by Ramji Jiyani <ramjiyani@google.com>\n(https://lore.kernel.org/r/20211027011834.2497484-1-ramjiyani@google.com)\ntried to do this by making aio_poll_wake() always complete the request\ninline if POLLFREE is seen.  However, that solution had two bugs.\nFirst, it introduced a deadlock, as it unconditionally locked the aio\ncontext while holding the waitqueue lock, which inverts the normal\nlocking order.  Second, it didn't consider that POLLFREE notifications\nare missed while the request has been temporarily de-queued.\n\nThe second problem was solved by my previous patch.  This patch then\nproperly fixes the use-after-free by handling POLLFREE in a\ndeadlock-free way.  It does this by taking advantage of the fact that\nfreeing of the waitqueue is RCU-delayed, similar to what eventpoll does."},{"lang":"es","value":"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: aio: corrige el use-after-free debido a la falta de manejo de POLLFREE. signalfd_poll() y binder_poll() son especiales porque usan una cola de espera cuya duración es la tarea actual, en lugar de la struct archivo como es normalmente el caso. Esto está bien para bloquear encuestas, ya que una encuesta de bloqueo ocurre dentro de una tarea; sin embargo, las encuestas sin bloqueo requieren otra solución. Esta solución consiste en despejar la cola antes de liberarla, enviando una notificación POLLFREE a todos los camareros. Desafortunadamente, sólo eventpoll maneja POLLFREE. Un segundo tipo de encuesta sin bloqueo, aio poll, se agregó en el kernel v4.18 y no maneja POLLFREE. Esto permite que se produzca un use-after-free si se sondea un signalfd o un binder fd con aio poll y se libera la cola de espera. Solucione este problema haciendo que la encuesta de aio se maneje POLLFREE. Un parche de Ramji Jiyani  (https://lore.kernel.org/r/20211027011834.2497484-1-ramjiyani@google.com) intentó hacer esto haciendo que aio_poll_wake() siempre completara la solicitud en línea si Se ve POLLFREE. Sin embargo, esa solución tenía dos errores. Primero, introdujo un punto muerto, ya que bloqueó incondicionalmente el contexto aio mientras mantenía el bloqueo de la cola de espera, lo que invierte el orden de bloqueo normal. En segundo lugar, no consideró que las notificaciones de POLLFREE se pierdan mientras la solicitud ha sido retirada temporalmente de la cola. El segundo problema lo resolvió mi parche anterior. Luego, este parche corrige adecuadamente el use-after-free al manejar POLLFREE sin interbloqueos. Lo hace aprovechando el hecho de que la liberación de la cola de espera tiene un retraso de RCU, similar a lo que hace eventpoll."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-416"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.18","versionEndExcluding":"4.19.221","matchCriteriaId":"2063CE6C-8929-4035-8896-B8ED72601F98"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.20","versionEndExcluding":"5.4.165","matchCriteriaId":"B1DD3148-41FC-42AC-96A5-F63D774A97A3"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.5","versionEndExcluding":"5.10.85","matchCriteriaId":"D9668578-08F7-4694-A86F-FCE448387A79"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.11","versionEndExcluding":"5.15.8","matchCriteriaId":"6664ACE2-F748-4AE5-B98B-58803B0B2C3E"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:5.16:rc1:*:*:*:*:*:*","matchCriteriaId":"357AA433-37E8-4323-BFB2-3038D6E4B414"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:5.16:rc2:*:*:*:*:*:*","matchCriteriaId":"A73429BA-C2D9-4D0C-A75F-06A1CA8B3983"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:5.16:rc3:*:*:*:*:*:*","matchCriteriaId":"F621B5E3-E99D-49E7-90B9-EC3B77C95383"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:5.16:rc4:*:*:*:*:*:*","matchCriteriaId":"F7BFDCAA-1650-49AA-8462-407DD593F94F"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/321fba81ec034f88aea4898993c1bf15605c023f","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/4105e6a128e8a98455dfc9e6dbb2ab0c33c4497f","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/47ffefd88abfffe8a040bcc1dd0554d4ea6f7689","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/50252e4b5e989ce64555c7aef7516bdefc2fea72","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/60d311f9e6381d779d7d53371f87285698ecee24","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/321fba81ec034f88aea4898993c1bf15605c023f","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/4105e6a128e8a98455dfc9e6dbb2ab0c33c4497f","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/47ffefd88abfffe8a040bcc1dd0554d4ea6f7689","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/50252e4b5e989ce64555c7aef7516bdefc2fea72","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/60d311f9e6381d779d7d53371f87285698ecee24","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"]}]}}]}