
CVE-2021-46913: Vulnerability in the Linux kernel (netfilter nftables)

High
Published: Tue Feb 27 2024 (02/27/2024, 06:53:52 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nftables: clone set element expression template

memcpy() breaks when using connlimit in set elements. Use nft_expr_clone() to initialize the connlimit expression list, otherwise connlimit garbage collector crashes when walking on the list head copy.

[ 493.064656] Workqueue: events_power_efficient nft_rhash_gc [nf_tables]
[ 493.064685] RIP: 0010:find_or_evict+0x5a/0x90 [nf_conncount]
[ 493.064694] Code: 2b 43 40 83 f8 01 77 0d 48 c7 c0 f5 ff ff ff 44 39 63 3c 75 df 83 6d 18 01 48 8b 43 08 48 89 de 48 8b 13 48 8b 3d ee 2f 00 00 <48> 89 42 08 48 89 10 48 b8 00 01 00 00 00 00 ad de 48 89 03 48 83
[ 493.064699] RSP: 0018:ffffc90000417dc0 EFLAGS: 00010297
[ 493.064704] RAX: 0000000000000000 RBX: ffff888134f38410 RCX: 0000000000000000
[ 493.064708] RDX: 0000000000000000 RSI: ffff888134f38410 RDI: ffff888100060cc0
[ 493.064711] RBP: ffff88812ce594a8 R08: ffff888134f38438 R09: 00000000ebb9025c
[ 493.064714] R10: ffffffff8219f838 R11: 0000000000000017 R12: 0000000000000001
[ 493.064718] R13: ffffffff82146740 R14: ffff888134f38410 R15: 0000000000000000
[ 493.064721] FS: 0000000000000000(0000) GS:ffff88840e440000(0000) knlGS:0000000000000000
[ 493.064725] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 493.064729] CR2: 0000000000000008 CR3: 00000001330aa002 CR4: 00000000001706e0
[ 493.064733] Call Trace:
[ 493.064737] nf_conncount_gc_list+0x8f/0x150 [nf_conncount]
[ 493.064746] nft_rhash_gc+0x106/0x390 [nf_tables]

AI-Powered Analysis

AI analysis last updated: 06/26/2025, 10:07:03 UTC

Technical Analysis

CVE-2021-46913 is a vulnerability in the Linux kernel's netfilter nftables subsystem, in the handling of connlimit expressions attached to set elements. When a set element was created, the kernel instantiated its connlimit expression by memcpy()ing the set's expression template rather than calling nft_expr_clone(). A plain byte copy duplicates the template's state, including the list head of the connection-tracking list that the conncount garbage collector walks, so the new element's list pointers still refer to the template's list instead of being initialised as an empty list belonging to that element. When the nftables set garbage collector (nft_rhash_gc, running from the events_power_efficient workqueue) later calls nf_conncount_gc_list() on such an element, find_or_evict() in nf_conncount walks the cross-linked list and faults. The register dump in the oops pins this down: the faulting instruction (the marked bytes 48 89 42 08, a store to [rdx+8]) is the next->prev = prev write of a list_del(), RDX is 0 and CR2 is 0x8, so the kernel dereferences a NULL "next" pointer while unlinking an entry that is not a valid list node. The affected code lives in the nf_tables and nf_conncount modules. The fix makes set element creation use nft_expr_clone(), which invokes the expression's clone callback so that per-element state is set up correctly rather than byte-copied. The practical effect is a kernel crash, i.e. denial of service, on hosts whose nftables ruleset uses connlimit inside set elements; the oops is raised by the kernel's own garbage collection pass, not by a specially crafted packet. This entry records no exploitation in the wild, and nothing in it indicates privilege escalation or memory disclosure. The description states that the issue has been resolved, so a fix exists upstream, but the entry does not list the affected or fixed kernel versions or the fix commit. No CVSS score has been assigned (the CVSS version field is null), the CVE was published on 2024-02-27, and the record is marked as CISA-enriched.
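The following is an added userspace model of the bug, written for this entry; it is not kernel code and not the fix commit. It reimplements just enough of the kernel's intrusive list_head to show why a memcpy() of an expression template breaks: the copied list head still points at the template's head, so a garbage-collector style walk over the copy runs off into the template instead of terminating. The struct and function names (conncount_list, connlimit_priv, conn_tuple, elem_init_memcpy, elem_init_clone, walk_list) are stand-ins chosen for the demonstration, not the kernel's identifiers.

```c
#include <stdio.h>
#include <string.h>

/* Minimal userspace model of the kernel's intrusive list_head (assumption: only
 * the operations this demonstration needs are modelled). */
struct list_head { struct list_head *next, *prev; };

static void init_list_head(struct list_head *h) { h->next = h; h->prev = h; }

static void list_add_head(struct list_head *n, struct list_head *h)
{
    n->next = h->next;
    n->prev = h;
    h->next->prev = n;
    h->next = n;
}

static int list_empty(const struct list_head *h) { return h->next == h; }

/* Stand-in for nf_conncount_list: an intrusive list of tracked connections. */
struct conncount_list { struct list_head head; unsigned int count; };

/* Stand-in for the connlimit expression's private data. The list is embedded in
 * the expression, which is exactly what a byte copy duplicates. */
struct connlimit_priv { struct conncount_list list; unsigned int limit; int invert; };

/* One tracked connection (stand-in for nf_conncount_tuple). */
struct conn_tuple { struct list_head node; unsigned int id; };

static void conncount_list_init(struct conncount_list *l)
{
    init_list_head(&l->head);
    l->count = 0;
}

/* Buggy instantiation: memcpy() of the template. The copied next/prev pointers
 * still refer to the template's own list head, so the new element's list is
 * cross-linked with the template's instead of being an empty list of its own. */
static void elem_init_memcpy(struct connlimit_priv *dst, const struct connlimit_priv *tmpl)
{
    memcpy(dst, tmpl, sizeof(*dst));
}

/* Fixed instantiation, modelling the expression clone callback that
 * nft_expr_clone() would invoke: configuration is copied, per-element state is
 * re-initialised for the new element. */
static void elem_init_clone(struct connlimit_priv *dst, const struct connlimit_priv *tmpl)
{
    conncount_list_init(&dst->list);
    dst->limit = tmpl->limit;
    dst->invert = tmpl->invert;
}

/* Walk the element's list the way a garbage collector would, but bounded.
 * Returns the number of entries visited before returning to the head, or -1 if
 * the walk never gets back within max_steps: that is the situation in which
 * the kernel GC would be treating some other object (here, the template's list
 * head) as a connection entry and dereferencing it. */
static int walk_list(const struct conncount_list *l, int max_steps)
{
    const struct list_head *pos = l->head.next;
    int n = 0;

    while (pos != &l->head) {
        if (++n > max_steps)
            return -1;
        pos = pos->next;
    }
    return n;
}

typedef void (*elem_init_fn)(struct connlimit_priv *, const struct connlimit_priv *);

/* Build a template, instantiate one element with the given strategy, then run
 * the checks a GC pass relies on. Returns 1 if the element is sane, 0 if not. */
static int element_is_sane(elem_init_fn init)
{
    struct connlimit_priv tmpl, elem;
    struct conn_tuple c = { .id = 1 };

    conncount_list_init(&tmpl.list);
    tmpl.limit = 20;
    tmpl.invert = 0;

    init(&elem, &tmpl);

    /* A fresh element must carry an empty, self-contained list. */
    if (!list_empty(&elem.list.head) || walk_list(&elem.list, 8) != 0)
        return 0;

    /* Track one connection on the element and walk again. */
    list_add_head(&c.node, &elem.list.head);
    elem.list.count++;

    return walk_list(&elem.list, 8) == 1 && elem.limit == tmpl.limit;
}

int main(void)
{
    printf("memcpy() element sane: %d\n", element_is_sane(elem_init_memcpy));
    printf("cloned   element sane: %d\n", element_is_sane(elem_init_clone));
    return 0;
}
```

The memcpy()'d element fails at the very first check: list_empty() is false because its head points at the template, and a bounded walk never terminates. The cloned element passes both checks. The kernel's real failure is the same shape, with the GC's list_del() in find_or_evict() ending up on an object that is not a connection entry.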

Potential Impact

For European organizations, this vulnerability is an availability and stability risk for Linux systems that use nftables with connlimit expressions inside set elements, a construct used for per-source connection limiting on firewalls, load balancers and hosting platforms. Enterprises, government agencies and critical-infrastructure operators across Europe run Linux firewalls and network appliances built on nftables. On an affected kernel, a ruleset using this construct can crash the host when the set garbage collector runs, so the fault can surface without any attacker involvement once such a rule is loaded; where rulesets are generated dynamically (for example by orchestration tooling or abuse-mitigation automation that adds connlimit set elements), a configuration change alone can take the system down. The result is a kernel panic, loss of the firewall and of every service behind it, and potential cascading failures in dependent systems and breaches of contractual or regulatory uptime requirements. Nothing in this entry indicates privilege escalation, code execution or loss of confidentiality, and no in-the-wild exploitation is recorded, which limits the immediate threat. The crash is reachable through configuration, however, so it is also reachable by anyone permitted to modify the ruleset on the host (CAP_NET_ADMIN in the relevant network namespace).

Mitigation Recommendations

European organizations should update to a kernel that carries the fix for CVE-2021-46913. The description states that the issue has been resolved upstream, so the fix is in mainline and reaches distribution kernels through backports; confirm with your distribution's advisory for this CVE which kernel package version contains it, since this entry lists neither the affected nor the fixed versions. Until a fixed kernel is running, audit rulesets for connlimit expressions inside set elements (in nft syntax, a `ct count` statement used inside a dynamic set update, for example `add @meter { ip saddr ct count over 20 }`) and remove that construct, or replace it with a limiting mechanism that does not put connlimit in set elements, especially on hosts where uptime is critical. Monitor kernel logs for oopses whose Workqueue line names nft_rhash_gc and whose RIP or call trace lands in nf_conncount (find_or_evict, nf_conncount_gc_list), the signature shown in this entry, and alert on them rather than relying on a node silently rebooting. Make sure crash handling is in place (kdump where available, and automated restart or failover of the firewall role) so that a panic does not become a prolonged outage. Restrict who can load or modify nftables rulesets, since the crash is reachable through configuration. Finally, track your Linux distribution's security advisories and apply kernel updates promptly.
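For the log-monitoring step, here is an added example detector written for this entry (not part of the advisory or of any kernel tooling). It scans kernel log lines, from stdin or from an in-memory array, and reports when the oops signature from this entry is present: a Workqueue line naming nft_rhash_gc together with a fault inside nf_conncount. The sample log lines are constructed for the example, shaped like the oops quoted above, and the function and struct names (oops_scan, oops_scan_feed, scan_lines) are the example's own.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: a few dmesg-style lines shaped like the oops quoted in
 * this entry, mixed with unrelated noise. Not a real capture. */
static const char *const SAMPLE_OOPS[] = {
    "[  491.120000] eth0: link becomes ready",
    "[  493.064656] Workqueue: events_power_efficient nft_rhash_gc [nf_tables]",
    "[  493.064685] RIP: 0010:find_or_evict+0x5a/0x90 [nf_conncount]",
    "[  493.064733] Call Trace:",
    "[  493.064737]  nf_conncount_gc_list+0x8f/0x150 [nf_conncount]",
    "[  493.064746]  nft_rhash_gc+0x106/0x390 [nf_tables]",
};
#define SAMPLE_OOPS_LEN (sizeof SAMPLE_OOPS / sizeof SAMPLE_OOPS[0])

/* Constructed negative sample: an nf_conncount fault that did not come from
 * the nftables set GC worker, so it must not match this signature. */
static const char *const SAMPLE_OTHER[] = {
    "[  120.000001] RIP: 0010:find_or_evict+0x5a/0x90 [nf_conncount]",
    "[  120.000002] Call Trace:",
    "[  120.000003]  nf_conncount_count+0x1a0/0x300 [nf_conncount]",
};
#define SAMPLE_OTHER_LEN (sizeof SAMPLE_OTHER / sizeof SAMPLE_OTHER[0])

/* Scanner state: both flags must be set for a match, so a conncount fault on
 * the packet path or an unrelated nftables GC oops does not trigger it. */
struct oops_scan {
    int gc_worker;        /* saw "Workqueue: ... nft_rhash_gc" */
    int conncount_fault;  /* saw RIP in [nf_conncount] or nf_conncount_gc_list in the trace */
};

static void oops_scan_feed(struct oops_scan *s, const char *line)
{
    if (strstr(line, "Workqueue:") && strstr(line, "nft_rhash_gc"))
        s->gc_worker = 1;
    if (strstr(line, "RIP:") && strstr(line, "[nf_conncount]"))
        s->conncount_fault = 1;
    if (strstr(line, "nf_conncount_gc_list+"))
        s->conncount_fault = 1;
}

static int oops_scan_matches(const struct oops_scan *s)
{
    return s->gc_worker && s->conncount_fault;
}

/* Convenience wrapper over an in-memory array of lines; returns 1 on match. */
static int scan_lines(const char *const lines[], size_t n)
{
    struct oops_scan s = { 0, 0 };

    for (size_t i = 0; i < n; i++)
        oops_scan_feed(&s, lines[i]);
    return oops_scan_matches(&s);
}

/* Usage: dmesg | ./nft_gc_oops_check   (exit status 1 when the signature is present) */
int main(void)
{
    struct oops_scan s = { 0, 0 };
    char buf[1024];

    while (fgets(buf, sizeof buf, stdin))
        oops_scan_feed(&s, buf);

    if (oops_scan_matches(&s)) {
        puts("nftables connlimit set GC oops signature found");
        return 1;
    }
    puts("no match");
    return 0;
}
```

Both conditions are deliberately required: the RIP line alone identifies nf_conncount, and the Workqueue line ties the fault to the nftables set garbage collector, which is what distinguishes this bug from other conncount crashes.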


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-02-25T13:45:52.718Z
CISA Enriched: true
CVSS Version: null
State: PUBLISHED

Threat ID: 682d9835c4522896dcbea68f

Added to database: 5/21/2025, 9:09:09 AM

Last enriched: 6/26/2025, 10:07:03 AM

Last updated: 8/2/2025, 8:49:02 PM

