CVE-2021-46969 (GCVE-0-2021-46969)

Vulnerability from cvelistv5 – Published: 2024-02-27 18:47 – Updated: 2026-05-11 13:45
VLAI?
Title
bus: mhi: core: Fix invalid error returning in mhi_queue
Summary
In the Linux kernel, the following vulnerability has been resolved: bus: mhi: core: Fix invalid error returning in mhi_queue mhi_queue returns an error when the doorbell is not accessible in the current state. This can happen when the device is in non M0 state, like M3, and needs to be waken-up prior ringing the DB. This case is managed earlier by triggering an asynchronous M3 exit via controller resume/suspend callbacks, that in turn will cause M0 transition and DB update. So, since it's not an error but just delaying of doorbell update, there is no reason to return an error. This also fixes a use after free error for skb case, indeed a caller queuing skb will try to free the skb if the queueing fails, but in that case queueing has been done.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: a8f75cb348fd52e7a5cf25991cdf9c89fb0cfd41 , < a99b661c3187365f81026d89b1133a76cd2652b3 (git)
Affected: a8f75cb348fd52e7a5cf25991cdf9c89fb0cfd41 , < 0ecc1c70dcd32c0f081b173a1a5d89952686f271 (git)
Create a notification for this product.
Linux Linux Affected: 5.12
Unaffected: 0 , < 5.12 (semver)
Unaffected: 5.12.3 , ≤ 5.12.* (semver)
Unaffected: 5.13 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T05:17:42.873Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/a99b661c3187365f81026d89b1133a76cd2652b3"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/0ecc1c70dcd32c0f081b173a1a5d89952686f271"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2021-46969",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-10T16:01:28.491057Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-11T17:33:45.299Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/bus/mhi/core/main.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "a99b661c3187365f81026d89b1133a76cd2652b3",
              "status": "affected",
              "version": "a8f75cb348fd52e7a5cf25991cdf9c89fb0cfd41",
              "versionType": "git"
            },
            {
              "lessThan": "0ecc1c70dcd32c0f081b173a1a5d89952686f271",
              "status": "affected",
              "version": "a8f75cb348fd52e7a5cf25991cdf9c89fb0cfd41",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/bus/mhi/core/main.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.12"
            },
            {
              "lessThan": "5.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.12.*",
              "status": "unaffected",
              "version": "5.12.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "5.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.12.3",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.13",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbus: mhi: core: Fix invalid error returning in mhi_queue\n\nmhi_queue returns an error when the doorbell is not accessible in\nthe current state. This can happen when the device is in non M0\nstate, like M3, and needs to be waken-up prior ringing the DB. This\ncase is managed earlier by triggering an asynchronous M3 exit via\ncontroller resume/suspend callbacks, that in turn will cause M0\ntransition and DB update.\n\nSo, since it\u0027s not an error but just delaying of doorbell update, there\nis no reason to return an error.\n\nThis also fixes a use after free error for skb case, indeed a caller\nqueuing skb will try to free the skb if the queueing fails, but in\nthat case queueing has been done."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T13:45:25.967Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/a99b661c3187365f81026d89b1133a76cd2652b3"
        },
        {
          "url": "https://git.kernel.org/stable/c/0ecc1c70dcd32c0f081b173a1a5d89952686f271"
        }
      ],
      "title": "bus: mhi: core: Fix invalid error returning in mhi_queue",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2021-46969",
    "datePublished": "2024-02-27T18:47:05.463Z",
    "dateReserved": "2024-02-27T18:42:55.943Z",
    "dateUpdated": "2026-05-11T13:45:25.967Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2021-46969",
      "date": "2026-05-22",
      "epss": "0.0002",
      "percentile": "0.05969"
    },
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"5.12\", \"versionEndExcluding\": \"5.12.3\", \"matchCriteriaId\": \"F9D6B2DE-7E4A-4B3B-9AEE-3A2C5F23DA32\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbus: mhi: core: Fix invalid error returning in mhi_queue\\n\\nmhi_queue returns an error when the doorbell is not accessible in\\nthe current state. This can happen when the device is in non M0\\nstate, like M3, and needs to be waken-up prior ringing the DB. This\\ncase is managed earlier by triggering an asynchronous M3 exit via\\ncontroller resume/suspend callbacks, that in turn will cause M0\\ntransition and DB update.\\n\\nSo, since it\u0027s not an error but just delaying of doorbell update, there\\nis no reason to return an error.\\n\\nThis also fixes a use after free error for skb case, indeed a caller\\nqueuing skb will try to free the skb if the queueing fails, but in\\nthat case queueing has been done.\"}, {\"lang\": \"es\", \"value\": \"En el kernel de Linux, se resolvi\\u00f3 la siguiente vulnerabilidad: bus: mhi: core: corrige el error no v\\u00e1lido que regresa en mhi_queue mhi_queue devuelve un error cuando no se puede acceder al timbre en el estado actual. Esto puede suceder cuando el dispositivo no est\\u00e1 en un estado M0, como M3, y es necesario activarlo antes de llamar a la base de datos. Este caso se gestiona anteriormente activando una salida asincr\\u00f3nica de M3 a trav\\u00e9s de devoluciones de llamada de reanudaci\\u00f3n/suspensi\\u00f3n del controlador, que a su vez provocar\\u00e1 la transici\\u00f3n de M0 y la actualizaci\\u00f3n de la base de datos. Entonces, dado que no es un error sino simplemente un retraso en la actualizaci\\u00f3n del timbre, no hay raz\\u00f3n para devolver un error. Esto tambi\\u00e9n corrige un error de uso despu\\u00e9s de la liberaci\\u00f3n para el caso de skb; de hecho, una persona que llama al skb en cola intentar\\u00e1 liberar el skb si la cola falla, pero en ese caso la cola ya se realiz\\u00f3.\"}]",
      "id": "CVE-2021-46969",
      "lastModified": "2025-01-08T17:19:50.777",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 7.8, \"baseSeverity\": \"HIGH\", \"attackVector\": \"LOCAL\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 1.8, \"impactScore\": 5.9}]}",
      "published": "2024-02-27T19:04:07.260",
      "references": "[{\"url\": \"https://git.kernel.org/stable/c/0ecc1c70dcd32c0f081b173a1a5d89952686f271\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"tags\": [\"Patch\"]}, {\"url\": \"https://git.kernel.org/stable/c/a99b661c3187365f81026d89b1133a76cd2652b3\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"tags\": [\"Patch\"]}, {\"url\": \"https://git.kernel.org/stable/c/0ecc1c70dcd32c0f081b173a1a5d89952686f271\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\"]}, {\"url\": \"https://git.kernel.org/stable/c/a99b661c3187365f81026d89b1133a76cd2652b3\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\"]}]",
      "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "vulnStatus": "Analyzed",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-416\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2021-46969\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-02-27T19:04:07.260\",\"lastModified\":\"2025-01-08T17:19:50.777\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbus: mhi: core: Fix invalid error returning in mhi_queue\\n\\nmhi_queue returns an error when the doorbell is not accessible in\\nthe current state. This can happen when the device is in non M0\\nstate, like M3, and needs to be waken-up prior ringing the DB. This\\ncase is managed earlier by triggering an asynchronous M3 exit via\\ncontroller resume/suspend callbacks, that in turn will cause M0\\ntransition and DB update.\\n\\nSo, since it\u0027s not an error but just delaying of doorbell update, there\\nis no reason to return an error.\\n\\nThis also fixes a use after free error for skb case, indeed a caller\\nqueuing skb will try to free the skb if the queueing fails, but in\\nthat case queueing has been done.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: bus: mhi: core: corrige el error no v\u00e1lido que regresa en mhi_queue mhi_queue devuelve un error cuando no se puede acceder al timbre en el estado actual. Esto puede suceder cuando el dispositivo no est\u00e1 en un estado M0, como M3, y es necesario activarlo antes de llamar a la base de datos. Este caso se gestiona anteriormente activando una salida asincr\u00f3nica de M3 a trav\u00e9s de devoluciones de llamada de reanudaci\u00f3n/suspensi\u00f3n del controlador, que a su vez provocar\u00e1 la transici\u00f3n de M0 y la actualizaci\u00f3n de la base de datos. Entonces, dado que no es un error sino simplemente un retraso en la actualizaci\u00f3n del timbre, no hay raz\u00f3n para devolver un error. Esto tambi\u00e9n corrige un error de uso despu\u00e9s de la liberaci\u00f3n para el caso de skb; de hecho, una persona que llama al skb en cola intentar\u00e1 liberar el skb si la cola falla, pero en ese caso la cola ya se realiz\u00f3.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-416\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.12\",\"versionEndExcluding\":\"5.12.3\",\"matchCriteriaId\":\"F9D6B2DE-7E4A-4B3B-9AEE-3A2C5F23DA32\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/0ecc1c70dcd32c0f081b173a1a5d89952686f271\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/a99b661c3187365f81026d89b1133a76cd2652b3\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/0ecc1c70dcd32c0f081b173a1a5d89952686f271\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/a99b661c3187365f81026d89b1133a76cd2652b3\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://git.kernel.org/stable/c/a99b661c3187365f81026d89b1133a76cd2652b3\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://git.kernel.org/stable/c/0ecc1c70dcd32c0f081b173a1a5d89952686f271\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-04T05:17:42.873Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2021-46969\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-09-10T16:01:28.491057Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-09-11T12:42:18.501Z\"}}], \"cna\": {\"title\": \"bus: mhi: core: Fix invalid error returning in mhi_queue\", \"affected\": [{\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"a8f75cb348fd52e7a5cf25991cdf9c89fb0cfd41\", \"lessThan\": \"a99b661c3187365f81026d89b1133a76cd2652b3\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"a8f75cb348fd52e7a5cf25991cdf9c89fb0cfd41\", \"lessThan\": \"0ecc1c70dcd32c0f081b173a1a5d89952686f271\", \"versionType\": \"git\"}], \"programFiles\": [\"drivers/bus/mhi/core/main.c\"], \"defaultStatus\": \"unaffected\"}, {\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"5.12\"}, {\"status\": \"unaffected\", \"version\": \"0\", \"lessThan\": \"5.12\", \"versionType\": \"semver\"}, {\"status\": \"unaffected\", \"version\": \"5.12.3\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.12.*\"}, {\"status\": \"unaffected\", \"version\": \"5.13\", \"versionType\": \"original_commit_for_fix\", \"lessThanOrEqual\": \"*\"}], \"programFiles\": [\"drivers/bus/mhi/core/main.c\"], \"defaultStatus\": \"affected\"}], \"references\": [{\"url\": \"https://git.kernel.org/stable/c/a99b661c3187365f81026d89b1133a76cd2652b3\"}, {\"url\": \"https://git.kernel.org/stable/c/0ecc1c70dcd32c0f081b173a1a5d89952686f271\"}], \"x_generator\": {\"engine\": \"bippy-1.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbus: mhi: core: Fix invalid error returning in mhi_queue\\n\\nmhi_queue returns an error when the doorbell is not accessible in\\nthe current state. This can happen when the device is in non M0\\nstate, like M3, and needs to be waken-up prior ringing the DB. This\\ncase is managed earlier by triggering an asynchronous M3 exit via\\ncontroller resume/suspend callbacks, that in turn will cause M0\\ntransition and DB update.\\n\\nSo, since it\u0027s not an error but just delaying of doorbell update, there\\nis no reason to return an error.\\n\\nThis also fixes a use after free error for skb case, indeed a caller\\nqueuing skb will try to free the skb if the queueing fails, but in\\nthat case queueing has been done.\"}], \"cpeApplicability\": [{\"nodes\": [{\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.12.3\", \"versionStartIncluding\": \"5.12\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.13\", \"versionStartIncluding\": \"5.12\"}], \"operator\": \"OR\"}]}], \"providerMetadata\": {\"orgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"shortName\": \"Linux\", \"dateUpdated\": \"2026-05-11T13:45:25.967Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2021-46969\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-05-11T13:45:25.967Z\", \"dateReserved\": \"2024-02-27T18:42:55.943Z\", \"assignerOrgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"datePublished\": \"2024-02-27T18:47:05.463Z\", \"assignerShortName\": \"Linux\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.