{
  "affected": [
    {
      "database_specific": {
        "unresolved_ranges": [
          {
            "events": [
              {
                "introduced": "5.9"
              },
              {
                "fixed": "5.10.54"
              }
            ]
          },
          {
            "events": [
              {
                "introduced": "5.11"
              },
              {
                "fixed": "5.13.6"
              }
            ]
          },
          {
            "events": [
              {
                "introduced": "0"
              },
              {
                "last_affected": "5.14-rc1"
              }
            ]
          },
          {
            "events": [
              {
                "introduced": "0"
              },
              {
                "last_affected": "5.14-rc2"
              }
            ]
          }
        ]
      }
    }
  ],
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nxdp, net: Fix use-after-free in bpf_xdp_link_release\n\nThe problem occurs between dev_get_by_index() and dev_xdp_attach_link().\nAt this point, dev_xdp_uninstall() is called. Then xdp link will not be\ndetached automatically when dev is released. But link-\u003edev already\npoints to dev, when xdp link is released, dev will still be accessed,\nbut dev has been released.\n\ndev_get_by_index()        |\nlink-\u003edev = dev           |\n                          |      rtnl_lock()\n                          |      unregister_netdevice_many()\n                          |          dev_xdp_uninstall()\n                          |      rtnl_unlock()\nrtnl_lock();              |\ndev_xdp_attach_link()     |\nrtnl_unlock();            |\n                          |      netdev_run_todo() // dev released\nbpf_xdp_link_release()    |\n    /* access dev.        |\n       use-after-free */  |\n\n[   45.966867] BUG: KASAN: use-after-free in bpf_xdp_link_release+0x3b8/0x3d0\n[   45.967619] Read of size 8 at addr ffff00000f9980c8 by task a.out/732\n[   45.968297]\n[   45.968502] CPU: 1 PID: 732 Comm: a.out Not tainted 5.13.0+ #22\n[   45.969222] Hardware name: linux,dummy-virt (DT)\n[   45.969795] Call trace:\n[   45.970106]  dump_backtrace+0x0/0x4c8\n[   45.970564]  show_stack+0x30/0x40\n[   45.970981]  dump_stack_lvl+0x120/0x18c\n[   45.971470]  print_address_description.constprop.0+0x74/0x30c\n[   45.972182]  kasan_report+0x1e8/0x200\n[   45.972659]  __asan_report_load8_noabort+0x2c/0x50\n[   45.973273]  bpf_xdp_link_release+0x3b8/0x3d0\n[   45.973834]  bpf_link_free+0xd0/0x188\n[   45.974315]  bpf_link_put+0x1d0/0x218\n[   45.974790]  bpf_link_release+0x3c/0x58\n[   45.975291]  __fput+0x20c/0x7e8\n[   45.975706]  ____fput+0x24/0x30\n[   45.976117]  task_work_run+0x104/0x258\n[   45.976609]  do_notify_resume+0x894/0xaf8\n[   45.977121]  work_pending+0xc/0x328\n[   45.977575]\n[   45.977775] The buggy address belongs to the page:\n[   45.978369] page:fffffc00003e6600 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4f998\n[   45.979522] flags: 0x7fffe0000000000(node=0|zone=0|lastcpupid=0x3ffff)\n[   45.980349] raw: 07fffe0000000000 fffffc00003e6708 ffff0000dac3c010 0000000000000000\n[   45.981309] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000\n[   45.982259] page dumped because: kasan: bad access detected\n[   45.982948]\n[   45.983153] Memory state around the buggy address:\n[   45.983753]  ffff00000f997f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n[   45.984645]  ffff00000f998000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n[   45.985533] \u003effff00000f998080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n[   45.986419]                                               ^\n[   45.987112]  ffff00000f998100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n[   45.988006]  ffff00000f998180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n[   45.988895] ==================================================================\n[   45.989773] Disabling lock debugging due to kernel taint\n[   45.990552] Kernel panic - not syncing: panic_on_warn set ...\n[   45.991166] CPU: 1 PID: 732 Comm: a.out Tainted: G    B             5.13.0+ #22\n[   45.991929] Hardware name: linux,dummy-virt (DT)\n[   45.992448] Call trace:\n[   45.992753]  dump_backtrace+0x0/0x4c8\n[   45.993208]  show_stack+0x30/0x40\n[   45.993627]  dump_stack_lvl+0x120/0x18c\n[   45.994113]  dump_stack+0x1c/0x34\n[   45.994530]  panic+0x3a4/0x7d8\n[   45.994930]  end_report+0x194/0x198\n[   45.995380]  kasan_report+0x134/0x200\n[   45.995850]  __asan_report_load8_noabort+0x2c/0x50\n[   45.996453]  bpf_xdp_link_release+0x3b8/0x3d0\n[   45.997007]  bpf_link_free+0xd0/0x188\n[   45.997474]  bpf_link_put+0x1d0/0x218\n[   45.997942]  bpf_link_release+0x3c/0x58\n[   45.998429]  __fput+0x20c/0x7e8\n[   45.998833]  ____fput+0x24/0x30\n[   45.999247]  task_work_run+0x104/0x258\n[   45.999731]  do_notify_resume+0x894/0xaf8\n[   46.000236]  work_pending\n---truncated---",
  "id": "CVE-2021-47299",
  "modified": "2026-03-13T21:52:46.580301437Z",
  "published": "2024-05-21T15:15:17.743Z",
  "references": [
    {
      "type": "FIX",
      "url": "https://git.kernel.org/stable/c/5acc7d3e8d342858405fbbc671221f676b547ce7"
    },
    {
      "type": "FIX",
      "url": "https://git.kernel.org/stable/c/a7537dc73e69ad9c0b67ad24ad3ebee954ed0af6"
    },
    {
      "type": "FIX",
      "url": "https://git.kernel.org/stable/c/ca9ba1de8f09976b45ccc8e655c51c6201992139"
    }
  ],
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}