Linux Kernel
CVE-2021-47107
Severity: HIGH (primary rating from NVD, the only source for this CVE)
CVSS vector (NVD): CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Description (CVE.org)
In the Linux kernel, the following vulnerability has been resolved:
NFSD: Fix READDIR buffer overflow
If a client sends a READDIR count argument that is too small (say, zero), then the buffer size calculation in the new init_dirlist helper functions results in an underflow, allowing the XDR stream functions to write beyond the actual buffer.
This calculation has always been suspect. NFSD has never sanity-checked the READDIR count argument, but the old entry encoders managed the problem correctly.
With the commits below, entry encoding changed, exposing the underflow to the pointer arithmetic in xdr_reserve_space().
Modern NFS clients attempt to retrieve as much data as possible for each READDIR request. Also, we have no unit tests that exercise the behavior of READDIR at the lower bound of @count values. Thus this case was missed during testing.
Analysis (AI-generated)
A buffer overflow in the Linux kernel NFS server (NFSD) READDIR handler allows a malicious NFS client to trigger an out-of-bounds write by sending a crafted READDIR request with an undersized count argument. The flaw stems from an integer underflow in the init_dirlist buffer size calculation, introduced when the entry encoders were refactored, and affects the Linux kernel 5.16 release candidates (rc1-rc6). Publicly available exploit code exists, though EPSS scores the exploitation probability at only 0.02%.
Technical Context (AI-generated)
The vulnerability resides in the kernel-mode NFS server subsystem (fs/nfsd) which implements the NFSv2/v3/v4 file-sharing protocols using XDR (External Data Representation) encoding. The READDIR RPC operation lets clients enumerate directory entries, with a 'count' argument specifying the maximum reply payload size. The newly introduced init_dirlist helper computes available buffer space via unsigned arithmetic; when the client supplies a tiny or zero count, the subtraction underflows to a very large unsigned value, which xdr_reserve_space() then trusts when performing pointer arithmetic. This is a classic CWE-120 buffer copy without size checking, but rooted in an integer underflow precondition that bypasses subsequent bounds logic. CPE data confirms only Linux kernel 5.16-rc1 through 5.16-rc6 are listed as affected, indicating the bug was introduced during the 5.16 development cycle and fixed before final release.
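As an added illustration (not the kernel's code and not taken from the fix commit), the following C model reproduces the unsigned-subtraction pattern described above: a hypothetical dirlist_space_unchecked computes the encoder's byte budget from the client's count and wraps when count is smaller than the header, a dirlist_space_clamped variant bounds count on both sides first, and would_overflow simulates an encoder that trusts the budget. The 12-byte header, the 4096-byte page and all function names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed model, not kernel code: one page of reply space and a
 * fixed-size XDR header that precedes the directory entries. */
#define PAGE_BYTES    4096u
#define XDR_HDR_BYTES 12u   /* illustrative header size, an assumption */

struct dirlist {
    size_t capacity; /* bytes the reply buffer really holds */
    size_t buflen;   /* bytes the encoder believes it may write */
    size_t used;     /* bytes written so far */
};

/* Vulnerable pattern: unsigned subtraction with no lower bound on the
 * client's count. For count < XDR_HDR_BYTES the result wraps to a huge
 * value instead of going negative. */
static size_t dirlist_space_unchecked(uint32_t count)
{
    return (size_t)count - XDR_HDR_BYTES;
}

/* Hardened pattern: clamp count into [XDR_HDR_BYTES, PAGE_BYTES] first,
 * so the budget can never exceed the real buffer. */
static size_t dirlist_space_clamped(uint32_t count)
{
    if (count < XDR_HDR_BYTES) count = XDR_HDR_BYTES;
    if (count > PAGE_BYTES)    count = PAGE_BYTES;
    return (size_t)count - XDR_HDR_BYTES;
}

/* Stand-in for the encoder's reserve check: it trusts buflen blindly. */
static int reserve_space(const struct dirlist *dl, size_t nbytes)
{
    return dl->used + nbytes <= dl->buflen;
}

/* Encodes entries of nbytes until the reserve check refuses. Returns 1 if
 * a write landed past the real buffer (out-of-bounds), else 0. */
static int would_overflow(uint32_t count, size_t (*space)(uint32_t),
                          size_t nbytes)
{
    struct dirlist dl = { PAGE_BYTES, space(count), 0 };
    while (reserve_space(&dl, nbytes)) {
        dl.used += nbytes;
        if (dl.used > dl.capacity)
            return 1;
    }
    return 0;
}
```

With a count of 0 the unchecked budget wraps to a value far larger than the page, so the reserve check keeps passing until a write lands beyond it; the clamped budget is 0 and the first reserve is refused.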
Remediation (AI-generated)
Upgrade to Linux kernel 5.16 final or any subsequent stable release, all of which contain the fix that adds proper sanity checking of the READDIR count argument in init_dirlist. Distribution-shipped kernels from major vendors (RHEL, SUSE, Ubuntu, Debian) were never affected because they did not ship 5.16 release candidates to end users; anyone running a 5.16-rc build should rebuild from a current mainline tree (git.kernel.org). As a compensating control for systems that cannot be patched immediately, disable the in-kernel NFS server (systemctl disable --now nfs-server) if NFS export is not required, or restrict access to the NFS ports (TCP/UDP 2049, 111, plus mountd) at the network layer via firewall rules to trusted client subnets only - the trade-off being loss of NFS service or reduced reachability for legitimate clients. Switching to a user-space NFS server (nfs-ganesha) would also avoid the kernel code path but introduces operational complexity and performance differences.