CVE-2021-46915: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nft_limit: avoid possible divide error in nft_limit_init
div_u64() divides u64 by u32.
nft_limit_init() wants to divide u64 by u64, use the appropriate math function (div64_u64)
divide error: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 8390 Comm: syz-executor188 Not tainted 5.12.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:div_u64_rem include/linux/math64.h:28 [inline]
RIP: 0010:div_u64 include/linux/math64.h:127 [inline]
RIP: 0010:nft_limit_init+0x2a2/0x5e0 net/netfilter/nft_limit.c:85
Code: ef 4c 01 eb 41 0f 92 c7 48 89 de e8 38 a5 22 fa 4d 85 ff 0f 85 97 02 00 00 e8 ea 9e 22 fa 4c 0f af f3 45 89 ed 31 d2 4c 89 f0 <49> f7 f5 49 89 c6 e8 d3 9e 22 fa 48 8d 7d 48 48 b8 00 00 00 00 00
RSP: 0018:ffffc90009447198 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000200000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff875152e6 RDI: 0000000000000003
RBP: ffff888020f80908 R08: 0000200000000000 R09: 0000000000000000
R10: ffffffff875152d8 R11: 0000000000000000 R12: ffffc90009447270
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
FS: 000000000097a300(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000200001c4 CR3: 0000000026a52000 CR4: 00000000001506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 nf_tables_newexpr net/netfilter/nf_tables_api.c:2675 [inline]
 nft_expr_init+0x145/0x2d0 net/netfilter/nf_tables_api.c:2713
 nft_set_elem_expr_alloc+0x27/0x280 net/netfilter/nf_tables_api.c:5160
 nf_tables_newset+0x1997/0x3150 net/netfilter/nf_tables_api.c:4321
 nfnetlink_rcv_batch+0x85a/0x21b0 net/netfilter/nfnetlink.c:456
 nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:580 [inline]
 nfnetlink_rcv+0x3af/0x420 net/netfilter/nfnetlink.c:598
 netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline]
 netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1338
 netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1927
 sock_sendmsg_nosec net/socket.c:654 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:674
 ____sys_sendmsg+0x6e8/0x810 net/socket.c:2350
 ___sys_sendmsg+0xf3/0x170 net/socket.c:2404
 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2433
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xae
AI Analysis
Technical Summary
CVE-2021-46915 is a vulnerability in the Linux kernel's netfilter subsystem, specifically in the nft_limit module. The nft_limit_init() function divides one 64-bit unsigned integer (u64) by another, but it calls div_u64(), which is designed to divide a u64 by a 32-bit unsigned integer, instead of div64_u64(), which handles u64 by u64 division. Because div_u64() takes a 32-bit divisor, the upper 32 bits of a 64-bit divisor are discarded, so a non-zero divisor whose lower 32 bits are all zero reaches the division as zero. This improper division can lead to a divide error, causing kernel faults such as crashes or panics. The vulnerability was observed in kernel version 5.12.0-rc4, with the error trace indicating a failure in the division operation during initialization of nft_limit expressions.
The netfilter nft_limit module is responsible for limiting the rate of packets processed by nftables, a packet filtering framework used for firewall and network traffic control. A divide error in this context can cause denial of service (DoS) conditions by crashing the kernel or triggering kernel address sanitizer (KASAN) faults. The vulnerability does not appear to have known exploits in the wild at the time of publication, and no CVSS score has been assigned. However, the flaw stems from a fundamental arithmetic error in kernel code that can be triggered during netfilter configuration or operation, potentially by local or remote actors with the ability to manipulate nftables rules or netlink messages.
The vulnerability affects Linux kernel versions containing the faulty code, as identified by the commit hashes provided. The fix involves replacing the incorrect division function with the appropriate div64_u64() to safely handle 64-bit division operations.
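The difference between the two helpers named above, modelled in user space as an added example (not code from the kernel or from this advisory). The function names, the zero check and the input values are assumptions constructed for illustration; the model returns an error code where the kernel's division instruction would raise a divide error.

```c
#include <stdint.h>
#include <stdio.h>

#define DIV_FAULT (-1) /* where the CPU would raise a divide error */
#define BAD_INPUT (-2) /* rejected by the (assumed) zero check */

/* User-space models of the two kernel helpers named in the advisory. */
static int model_div_u64(uint64_t dividend, uint32_t divisor, uint64_t *q)
{
    if (divisor == 0)
        return DIV_FAULT;
    *q = dividend / divisor;
    return 0;
}

static int model_div64_u64(uint64_t dividend, uint64_t divisor, uint64_t *q)
{
    if (divisor == 0)
        return DIV_FAULT;
    *q = dividend / divisor;
    return 0;
}

/* Pre-fix pattern: the u64 divisor is narrowed to the helper's u32
 * parameter. The zero check sees all 64 bits, so it does not catch
 * a divisor whose low 32 bits are zero. */
int quotient_before_fix(uint64_t dividend, uint64_t divisor, uint64_t *q)
{
    if (divisor == 0)
        return BAD_INPUT;
    return model_div_u64(dividend, (uint32_t)divisor, q);
}

/* Post-fix pattern: the divisor keeps all 64 bits. */
int quotient_after_fix(uint64_t dividend, uint64_t divisor, uint64_t *q)
{
    if (divisor == 0)
        return BAD_INPUT;
    return model_div64_u64(dividend, divisor, q);
}

int main(void)
{
    /* Constructed divisors: low 32 bits zero, low 32 bits == 2, small. */
    const uint64_t d[] = { 1ULL << 32, (1ULL << 32) + 2, 1000 };
    for (size_t i = 0; i < 3; i++) {
        uint64_t a = 0, b = 0;
        int ra = quotient_before_fix(1ULL << 40, d[i], &a);
        int rb = quotient_after_fix(1ULL << 40, d[i], &b);
        printf("divisor=%#llx before rc=%d q=%llu | after rc=%d q=%llu\n",
               (unsigned long long)d[i], ra, (unsigned long long)a,
               rb, (unsigned long long)b);
    }
    return 0;
}
```

The second constructed divisor shows that the narrowing does not only fault: when the low 32 bits are non-zero, the pre-fix pattern returns a quotient computed against the wrong divisor without any error.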
Potential Impact
For European organizations, the impact of CVE-2021-46915 could be significant, particularly for those relying heavily on Linux-based infrastructure for networking, servers, and cloud environments. The vulnerability can lead to kernel crashes or system instability, resulting in denial of service conditions. This can disrupt critical services, including web hosting, internal applications, and network security controls. Organizations using nftables for firewalling and traffic shaping are especially at risk, as exploitation could be triggered by malformed netfilter configurations or crafted netlink messages. While exploitation requires the ability to interact with netfilter configurations, this may be possible for privileged users or through compromised systems. The disruption caused by kernel panics can lead to downtime, loss of productivity, and potential cascading failures in networked systems. Additionally, the instability could be leveraged as part of a broader attack chain to facilitate privilege escalation or lateral movement if combined with other vulnerabilities. Given the widespread use of Linux in European data centers, cloud providers, and enterprise environments, the vulnerability poses a tangible risk to availability and operational continuity.
Mitigation Recommendations
European organizations should take the following specific mitigation steps:
1) Immediately identify and inventory Linux systems running vulnerable kernel versions, focusing on those using nftables and netfilter subsystems.
2) Apply the official Linux kernel patches or upgrade to a kernel version where the div64_u64() fix has been implemented. Since no patch links are provided, organizations should monitor official Linux kernel repositories and vendor advisories for updates.
3) Restrict access to netfilter configuration interfaces and netlink sockets to trusted administrators only, minimizing the risk of unauthorized rule manipulation.
4) Implement strict access controls and monitoring on systems that allow nftables rule changes, including audit logging of netlink messages and nft commands.
5) Employ kernel hardening techniques such as enabling Kernel Address Sanitizer (KASAN) in testing environments to detect similar faults proactively.
6) For cloud environments, coordinate with providers to ensure underlying host kernels are patched and that tenant VMs are protected.
7) Conduct thorough testing of nftables configurations after patching to ensure stability and correct operation.
8) Maintain up-to-date incident response plans to quickly address potential DoS events caused by kernel crashes.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Ireland, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-02-25T13:45:52.718Z
- CISA Enriched: true
- CVSS Version: null
- State: PUBLISHED
Threat ID: 682d9835c4522896dcbea6a6
Added to database: 5/21/2025, 9:09:09 AM
Last enriched: 6/26/2025, 10:06:30 AM
Last updated: 8/5/2025, 6:45:24 AM