CVE-2021-47671

can: etas_es58x: es58x_rx_err_msg(): fix memory leak in error path

Severity Score

3.3

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved: can: etas_es58x: es58x_rx_err_msg(): fix memory leak in error path In es58x_rx_err_msg(), if can->do_set_mode() fails, the function
directly returns without calling netif_rx(skb). This means that the
skb previously allocated by alloc_can_err_skb() is not freed. In other
terms, this is a memory leak. This patch simply removes the return statement in the error branch and
let the function continue. Issue was found with GCC -fanalyzer, please follow the link below for
details.

In the Linux kernel, the following vulnerability has been resolved: can: etas_es58x: es58x_rx_err_msg(): fix memory leak in error path In es58x_rx_err_msg(), if can->do_set_mode() fails, the function directly returns without calling netif_rx(skb). This means that the skb previously allocated by alloc_can_err_skb() is not freed. In other terms, this is a memory leak. This patch simply removes the return statement in the error branch and let the function continue. Issue was found with GCC -fanalyzer, please follow the link below for details.

The SUSE Linux Enterprise 15 SP5 RT kernel was updated to receive various security bug fixes.

*Credits: N/A

CVSS Scores

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

Low

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Local

Attack Complexity

Low

Authentication

Single

Confidentiality

None

Integrity

None

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2025-04-16 CVE Reserved
2025-04-17 CVE Published
2025-05-04 CVE Updated
2025-06-24 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-401: Missing Release of Memory after Effective Lifetime

CAPEC

References (6)

URL	Tag	Source
https://git.kernel.org/stable/c/8537257874e949a59c834cecfd5a063e11b64b0b	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/4f389e1276a5389c92cef860c9fde8e1c802a871	2021-11-17
https://git.kernel.org/stable/c/7eb0881aec26099089f12ae850aebd93190b1dfe	2021-11-18
https://git.kernel.org/stable/c/d9447f768bc8c60623e4bb3ce65b8f4654d33a50	2021-11-06

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2021-47671	2023-05-09
https://bugzilla.redhat.com/show_bug.cgi?id=2360784	2023-05-09

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.13 < 5.14.19 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.13 < 5.14.19"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.13 < 5.15.3 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.13 < 5.15.3"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.13 < 5.16 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.13 < 5.16"		en		Affected