{"id":"CVE-2021-47506","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: fix use-after-free due to delegation race\n\nA delegation break could arrive as soon as we've called vfs_setlease.  A\ndelegation break runs a callback which immediately (in\nnfsd4_cb_recall_prepare) adds the delegation to del_recall_lru.  If we\nthen exit nfs4_set_delegation without hashing the delegation, it will be\nfreed as soon as the callback is done with it, without ever being\nremoved from del_recall_lru.\n\nSymptoms show up later as use-after-free or list corruption warnings,\nusually in the laundromat thread.\n\nI suspect aba2072f4523 \"nfsd: grant read delegations to clients holding\nwrites\" made this bug easier to hit, but I looked as far back as v3.0\nand it looks to me it already had the same problem.  So I'm not sure\nwhere the bug was introduced; it may have been there from the beginning.","modified":"2026-03-15T22:43:15.498385Z","published":"2024-05-24T15:15:11.197Z","related":["SUSE-SU-2024:1979-1","SUSE-SU-2024:1983-1","SUSE-SU-2024:2008-1","SUSE-SU-2024:2010-1","SUSE-SU-2024:2011-1","SUSE-SU-2024:2019-1","SUSE-SU-2024:2183-1","SUSE-SU-2024:2184-1","SUSE-SU-2024:2185-1","SUSE-SU-2024:2189-1","SUSE-SU-2024:2190-1","SUSE-SU-2024:2923-1","SUSE-SU-2024:2948-1"],"references":[{"type":"FIX","url":"https://git.kernel.org/stable/c/04a8d07f3d58308b92630045560799a3faa3ebce"},{"type":"FIX","url":"https://git.kernel.org/stable/c/148c816f10fd11df27ca6a9b3238cdd42fa72cd3"},{"type":"FIX","url":"https://git.kernel.org/stable/c/2becaa990b93cbd2928292c0b669d3abb6cf06d4"},{"type":"FIX","url":"https://git.kernel.org/stable/c/33645d3e22720cac1e4548f8fef57bf0649536ee"},{"type":"FIX","url":"https://git.kernel.org/stable/c/348714018139c39533c55661a0c7c990671396b4"},{"type":"FIX","url":"https://git.kernel.org/stable/c/548ec0805c399c65ed66c6641be467f717833ab5"},{"type":"FIX","url":"https://git.kernel.org/stable/c/e0759696de6851d7536efddfdd2dfed4c4df1f09"},{"type":"FIX","url":"https://git.kernel.org/stable/c/eeb0711801f5e19ef654371b627682aed3b11373"}],"affected":[{"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"fixed":"4.4.296"}]},{"events":[{"introduced":"4.5"},{"fixed":"4.9.294"}]},{"events":[{"introduced":"4.10"},{"fixed":"4.14.259"}]},{"events":[{"introduced":"4.15"},{"fixed":"4.19.222"}]},{"events":[{"introduced":"4.20"},{"fixed":"5.4.168"}]},{"events":[{"introduced":"5.5"},{"fixed":"5.10.85"}]},{"events":[{"introduced":"5.11"},{"fixed":"5.15.8"}]},{"events":[{"introduced":"0"},{"last_affected":"5.15-rc1"}]},{"events":[{"introduced":"0"},{"last_affected":"5.15-rc2"}]},{"events":[{"introduced":"0"},{"last_affected":"5.15-rc3"}]},{"events":[{"introduced":"0"},{"last_affected":"5.15-rc4"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-47506.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}