CVE-2021-47671: 
Linux Kernel vulnerability analysis and mitigation

A memory leak vulnerability (CVE-2021-47671) was discovered in the Linux kernel's CAN bus driver for ETAS ES58X devices. The vulnerability was disclosed on April 17, 2025, affecting Linux kernel versions from 5.13 to 5.14.19 and 5.15 to 5.15.3. The issue occurs in the es58xrxerrmsg() function where memory allocated by alloccanerrskb() is not properly freed when can->dosetmode() fails (NVD).

The vulnerability stems from a coding error in the es58xrxerrmsg() function within the ETAS ES58X CAN bus driver. When can->dosetmode() fails, the function returns immediately without calling netifrx(skb), leaving the previously allocated skb memory unreleased. The issue was initially discovered using GCC's -fanalyzer tool. The vulnerability has been assigned a CVSS v3.1 base score of 3.3 (LOW) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L (NVD).

The vulnerability results in a memory leak in the Linux kernel, which could lead to gradual system resource depletion over time. While the impact is relatively low, as indicated by the CVSS score of 3.3, continuous exploitation could potentially affect system performance and stability (NVD).

The vulnerability has been patched by removing the return statement in the error branch and allowing the function to continue execution normally. Users should upgrade to Linux kernel versions 5.14.19 or 5.15.3 or later, which contain the fix (NVD).