
CVE-2021-46912: Vulnerability in Linux kernel

Severity: Medium
Published: Tue Feb 27 2024 (02/27/2024, 06:53:52 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

net: Make tcp_allowed_congestion_control readonly in non-init netns

Currently, tcp_allowed_congestion_control is global and writable; writing to it in any net namespace will leak into all other net namespaces.

tcp_available_congestion_control and tcp_allowed_congestion_control are the only sysctls in ipv4_net_table (the per-netns sysctl table) with a NULL data pointer; their handlers (proc_tcp_available_congestion_control and proc_allowed_congestion_control) have no other way of referencing a struct net. Thus, they operate globally.

Because ipv4_net_table does not use designated initializers, there is no easy way to fix up this one "bad" table entry. However, the data pointer updating logic shouldn't be applied to NULL pointers anyway, so we instead force these entries to be read-only.

These sysctls used to exist in ipv4_table (init-net only), but they were moved to the per-net ipv4_net_table, presumably without realizing that tcp_allowed_congestion_control was writable and thus introduced a leak.

Because the intent of that commit was only to know (i.e. read) "which congestion algorithms are available or allowed", this read-only solution should be sufficient.

The logic added in recent commit 31c4d2f160eb: ("net: Ensure net namespace isolation of sysctls") does not and cannot check for NULL data pointers, because other table entries (e.g. /proc/sys/net/netfilter/nf_log/) have .data=NULL but use other methods (.extra2) to access the struct net.

AI-Powered Analysis

Last updated: 06/26/2025, 10:07:21 UTC

Technical Analysis

CVE-2021-46912 is a Linux kernel vulnerability in the handling of the net.ipv4.tcp_allowed_congestion_control sysctl inside network namespaces (netns). Network namespaces give containers and virtual networks their own isolated view of network state, and most sysctls under /proc/sys/net/ipv4 are backed by per-namespace fields in struct net. tcp_allowed_congestion_control and tcp_available_congestion_control are the exception: they are the only entries in ipv4_net_table (the per-netns sysctl table) with a NULL .data pointer, and their handlers (proc_allowed_congestion_control and proc_tcp_available_congestion_control) have no struct net to work on, so they read and modify global state, namely the per-algorithm flag that marks a registered congestion-control module as selectable by unprivileged sockets. Writing the sysctl from any namespace therefore changes it for every namespace.

The sysctl itself is a policy knob: it lists the algorithms a process without CAP_NET_ADMIN may choose with setsockopt(IPPROTO_TCP, TCP_CONGESTION). The default algorithm, net.ipv4.tcp_congestion_control, has its own per-netns storage and is not affected.

When a new netns is created, the kernel copies ipv4_net_table and rebases each entry's .data pointer from init_net into the new struct net. An entry with a NULL pointer has nothing to rebase, and because ipv4_net_table is not written with designated initializers, patching just that one entry would be awkward. The leak was introduced when these two sysctls were moved from the init-net-only ipv4_table to the per-net ipv4_net_table without noticing that tcp_allowed_congestion_control was writable. The upstream fix makes NULL-data entries read-only in every non-init netns by clearing the write permission bits on those entries, which matches the original intent of exposing them per namespace: to read which algorithms are available or allowed, not to change the list. The earlier isolation check from commit 31c4d2f160eb cannot simply reject NULL .data entries, because other per-net tables (for example /proc/sys/net/netfilter/nf_log/) also use .data=NULL and reach their struct net through .extra2.

The privilege required is CAP_NET_ADMIN over the namespace being written, which root inside an unprivileged user namespace holds for the network namespaces it creates; on hosts that permit unprivileged user namespaces, no host privilege is needed. Container runtimes such as Docker mount /proc/sys read-only by default, so from a standard container the write additionally needs a privileged container or a writable sysctl mount. No exploits in the wild have been reported, and no CVSS score has been assigned.
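The mechanism the commit message describes, as an added example modelled in userspace C. This is not kernel code: struct net, struct ctl_table, the table contents, the bitmask standing in for the algorithms' "non-restricted" flags, and every function name are this model's own. It builds the per-netns table twice, once with the vulnerable behaviour (NULL-data entries keep their write bit) and once with the fix (write bits stripped in non-init namespaces), and shows that only the former lets a child namespace's write reach init_net, while a sysctl with real per-net storage (tcp_ecn here) never leaks.

```c
/*
 * Userspace model of the per-netns sysctl table fixup for CVE-2021-46912.
 * Added example, not kernel code: the structs, table and names are stand-ins.
 */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for struct net: two per-namespace integer sysctls. */
struct net {
    int tcp_ecn;
    int tcp_syncookies;
};

/* Stand-in for struct ctl_table. A NULL .data means "no per-net storage". */
struct ctl_table {
    const char *procname;
    void *data;
    unsigned int mode;   /* /proc/sys permission bits, octal */
};

static struct net init_net;

/* Global state the NULL-data handler really acts on: a bitmask standing in
 * for the "non-restricted" flag on each registered algorithm. */
static unsigned int allowed_cc_mask = 0x1;

/* Template, with .data pointing into init_net as ipv4_net_table does. */
static const struct ctl_table ipv4_net_template[] = {
    { "tcp_ecn",                          &init_net.tcp_ecn,        0644 },
    { "tcp_syncookies",                   &init_net.tcp_syncookies, 0644 },
    { "tcp_available_congestion_control", NULL,                     0444 },
    { "tcp_allowed_congestion_control",   NULL,                     0644 }, /* the leak */
    { NULL, NULL, 0 }
};
#define NENT (sizeof(ipv4_net_template) / sizeof(ipv4_net_template[0]))

/* Instantiate the table for `net`: rebase every non-NULL .data pointer from
 * init_net into `net`. With fixed != 0, entries without per-net storage lose
 * their write bits in non-init namespaces (the upstream fix); with fixed == 0
 * they stay writable (the vulnerable behaviour). */
static void ipv4_table_for_net(struct ctl_table *table, struct net *net, int fixed)
{
    memcpy(table, ipv4_net_template, sizeof(ipv4_net_template));
    if (net == &init_net)
        return;
    for (struct ctl_table *ent = table; ent->procname; ent++) {
        if (ent->data) {
            ptrdiff_t off = (char *)ent->data - (char *)&init_net;
            ent->data = (char *)net + off;
        } else if (fixed) {
            ent->mode &= ~0222u;   /* global handler: read-only outside init_net */
        }
    }
}

static struct ctl_table *lookup(struct ctl_table *table, const char *name)
{
    for (struct ctl_table *ent = table; ent->procname; ent++)
        if (strcmp(ent->procname, name) == 0)
            return ent;
    return NULL;
}

/* Model of a sysctl read/write: mode check first, then the per-net field if
 * there is one, otherwise the global handler. */
static int sysctl_read(struct ctl_table *table, const char *name, unsigned int *out)
{
    struct ctl_table *ent = lookup(table, name);
    if (!ent)
        return -ENOENT;
    *out = ent->data ? (unsigned int)*(int *)ent->data : allowed_cc_mask;
    return 0;
}

static int sysctl_write(struct ctl_table *table, const char *name, unsigned int val)
{
    struct ctl_table *ent = lookup(table, name);
    if (!ent)
        return -ENOENT;
    if (!(ent->mode & 0200))
        return -EACCES;
    if (ent->data)
        *(int *)ent->data = (int)val;
    else
        allowed_cc_mask = val;
    return 0;
}

/* Write tcp_allowed_congestion_control from a child netns. Returns the write's
 * return code and sets *leaked to 1 if init_net observed the child's write. */
int child_write_allowed_cc(int fixed, int *leaked)
{
    struct net child = {0};
    struct ctl_table init_tbl[NENT], child_tbl[NENT];
    unsigned int before = 0, after = 0;

    allowed_cc_mask = 0x1;
    ipv4_table_for_net(init_tbl, &init_net, fixed);
    ipv4_table_for_net(child_tbl, &child, fixed);

    sysctl_read(init_tbl, "tcp_allowed_congestion_control", &before);
    int rc = sysctl_write(child_tbl, "tcp_allowed_congestion_control", 0x3);
    sysctl_read(init_tbl, "tcp_allowed_congestion_control", &after);
    *leaked = (after != before);
    return rc;
}

/* Wrappers so each question has a single return value. */
int allowed_cc_write_rc(int fixed) { int l; return child_write_allowed_cc(fixed, &l); }
int allowed_cc_leaks(int fixed)    { int l; child_write_allowed_cc(fixed, &l); return l; }

/* Control: a sysctl with per-net storage does not leak in either mode. */
int tcp_ecn_leaks(int fixed)
{
    struct net child = {0};
    struct ctl_table init_tbl[NENT], child_tbl[NENT];
    unsigned int v = 0;

    init_net.tcp_ecn = 2;
    ipv4_table_for_net(init_tbl, &init_net, fixed);
    ipv4_table_for_net(child_tbl, &child, fixed);
    sysctl_write(child_tbl, "tcp_ecn", 0);
    sysctl_read(init_tbl, "tcp_ecn", &v);
    return v != 2;
}

int main(void)
{
    printf("unfixed: write rc=%d leaked=%d\n", allowed_cc_write_rc(0), allowed_cc_leaks(0));
    printf("fixed:   write rc=%d (EACCES=%d) leaked=%d\n",
           allowed_cc_write_rc(1), -EACCES, allowed_cc_leaks(1));
    printf("control tcp_ecn leaks: unfixed=%d fixed=%d\n", tcp_ecn_leaks(0), tcp_ecn_leaks(1));
    return 0;
}
```

The point the model makes is that the fix does not add per-namespace storage; it only denies the write path from non-init namespaces, so on a patched kernel the sysctl is still a single host-wide value that the init namespace alone may change.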

Potential Impact

For European organizations the exposure is concentrated in environments that rely on network namespaces for tenant separation: cloud and hosting providers, container platforms, and enterprises running microservices on shared hosts. A tenant that can write the sysctl in its own namespace changes the host-wide allowed list, with two consequences. Adding an algorithm bypasses a policy the host administrator set (for example, restricting tenants to algorithms the provider has qualified), and removing one makes setsockopt(TCP_CONGESTION) for that algorithm fail with EPERM for unprivileged processes in every other namespace, breaking applications that explicitly select it. Sockets already using an algorithm keep it and the per-namespace default is untouched, so this is a cross-tenant integrity and availability issue for congestion-control policy rather than a general network outage, a privilege escalation, or a data leak. In multi-tenant infrastructure that advertises namespace isolation as a security guarantee, that guarantee is weaker than documented until the fix is applied, and operators of critical services on shared Linux hosts should treat unexplained changes to the allowed list as a sign of an unpatched kernel being exercised.

Mitigation Recommendations

European organizations should update to a kernel that includes the upstream fix making tcp_allowed_congestion_control read-only in non-init network namespaces; distribution kernels carry the same change as a backport, so apply vendor updates where available. Until then, control who can obtain CAP_NET_ADMIN over a network namespace. Dropping CAP_NET_ADMIN from container capability sets helps only if the workload also cannot create user namespaces, because root in a fresh user namespace regains the capability for any network namespace it creates; on hosts that do not need unprivileged user namespaces, set user.max_user_namespaces=0 (or kernel.unprivileged_userns_clone=0 on distributions that offer it). Keep /proc/sys mounted read-only in containers, which Docker and other OCI runtimes using the default spec already do, and treat any --privileged or writable-sysctl configuration as granting host-wide control of this knob. To verify a host, create a user plus network namespace as an unprivileged user and attempt to open the sysctl for writing: if the open succeeds, the host is unpatched. For detection, record the host's baseline value of net.ipv4.tcp_allowed_congestion_control and alert on changes, since a legitimate change originates from host administration and can be matched against change records. Finally, coordinate with distribution vendors and cloud providers on patch timing for production fleets.
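The host check described above, as an added example written for this page (not part of the advisory or of the kernel). It assumes a Linux host on which unprivileged user namespaces are allowed; if unshare() fails the verdict is "unknown". The probe only opens the sysctl for writing from inside a fresh user plus network namespace and never writes to it, so it is safe on an unpatched host. The interpretation rule it encodes is an assumption of this example: a patched kernel exposes the entry as mode 0444 in a non-init namespace, so even the namespace's root gets EACCES, whereas an unpatched kernel lets the open succeed.

```c
/*
 * Probe for CVE-2021-46912: can an unprivileged user+net namespace open
 * tcp_allowed_congestion_control for writing? Added example, not kernel code.
 */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Explicit prototype in case _GNU_SOURCE was defined too late for <sched.h>. */
int unshare(int flags);

#define SYSCTL_PATH "/proc/sys/net/ipv4/tcp_allowed_congestion_control"

enum probe_result { PROBE_FIXED = 0, PROBE_VULNERABLE = 1, PROBE_UNKNOWN = 2 };

/* Map the open(O_WRONLY) outcome to a verdict. EACCES is the read-only mode
 * the fix imposes; EROFS means /proc/sys itself is read-only (a default
 * container), which blocks the write but says nothing about the kernel. */
enum probe_result classify(int open_rc, int err)
{
    if (open_rc >= 0)
        return PROBE_VULNERABLE;
    if (err == EACCES)
        return PROBE_FIXED;
    return PROBE_UNKNOWN;
}

static const char *verdict(enum probe_result r)
{
    switch (r) {
    case PROBE_FIXED:      return "read-only from a child netns (fixed)";
    case PROBE_VULNERABLE: return "WRITABLE from an unprivileged child netns (unpatched)";
    default:               return "could not determine (unshare denied, /proc/sys read-only, or other error)";
    }
}

/* Child: become root of a fresh user namespace with its own netns. The creating
 * task holds CAP_NET_ADMIN over that netns, which is exactly what a rogue tenant
 * has. /proc/sys/net resolves against the caller's netns, so no remount is needed. */
static int child_probe(void)
{
    if (unshare(CLONE_NEWUSER | CLONE_NEWNET) != 0) {
        perror("unshare(CLONE_NEWUSER|CLONE_NEWNET)");
        return PROBE_UNKNOWN;
    }
    int fd = open(SYSCTL_PATH, O_WRONLY);
    int err = errno;
    enum probe_result r = classify(fd, err);
    if (fd >= 0)
        close(fd);   /* nothing is written: the open alone is the signal */
    return r;
}

/* Parent: run the probe in a child so the caller's own namespaces are untouched. */
enum probe_result run_probe(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return PROBE_UNKNOWN;
    if (pid == 0)
        _exit(child_probe());
    int status = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return PROBE_UNKNOWN;
    return (enum probe_result)WEXITSTATUS(status);
}

int main(void)
{
    enum probe_result r = run_probe();
    printf("%s: %s\n", SYSCTL_PATH, verdict(r));
    return r == PROBE_VULNERABLE ? 1 : 0;
}
```

Run it as an ordinary user on the host itself, not inside a container: inside a default container the read-only /proc/sys mount turns the result into "unknown" regardless of the kernel, which is itself a useful reminder that the mount, not the kernel, is what protects such workloads.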


Technical Details

Data Version
5.1
Assigner Short Name
Linux
Date Reserved
2024-02-25T13:45:52.718Z
Cisa Enriched
true
Cvss Version
null
State
PUBLISHED

Threat ID: 682d9835c4522896dcbea687

Added to database: 5/21/2025, 9:09:09 AM

Last enriched: 6/26/2025, 10:07:21 AM

Last updated: 8/4/2025, 10:40:08 PM

