
CVE-2021-46954: Stack out-of-bounds read in the Linux kernel (net/sched: sch_frag)

High
Tags: Vulnerability, CVE-2021-46954
Published: Tue Feb 27 2024 (02/27/2024, 18:46:56 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

net/sched: sch_frag: fix stack OOB read while fragmenting IPv4 packets

when 'act_mirred' tries to fragment IPv4 packets that had been previously re-assembled using 'act_ct', splats like the following can be observed on kernels built with KASAN:

 BUG: KASAN: stack-out-of-bounds in ip_do_fragment+0x1b03/0x1f60
 Read of size 1 at addr ffff888147009574 by task ping/947

 CPU: 0 PID: 947 Comm: ping Not tainted 5.12.0-rc6+ #418
 Hardware name: Red Hat KVM, BIOS 1.11.1-4.module+el8.1.0+4066+0f1aadab 04/01/2014
 Call Trace:
  <IRQ>
  dump_stack+0x92/0xc1
  print_address_description.constprop.7+0x1a/0x150
  kasan_report.cold.13+0x7f/0x111
  ip_do_fragment+0x1b03/0x1f60
  sch_fragment+0x4bf/0xe40
  tcf_mirred_act+0xc3d/0x11a0 [act_mirred]
  tcf_action_exec+0x104/0x3e0
  fl_classify+0x49a/0x5e0 [cls_flower]
  tcf_classify_ingress+0x18a/0x820
  __netif_receive_skb_core+0xae7/0x3340
  __netif_receive_skb_one_core+0xb6/0x1b0
  process_backlog+0x1ef/0x6c0
  __napi_poll+0xaa/0x500
  net_rx_action+0x702/0xac0
  __do_softirq+0x1e4/0x97f
  do_softirq+0x71/0x90
  </IRQ>
  __local_bh_enable_ip+0xdb/0xf0
  ip_finish_output2+0x760/0x2120
  ip_do_fragment+0x15a5/0x1f60
  __ip_finish_output+0x4c2/0xea0
  ip_output+0x1ca/0x4d0
  ip_send_skb+0x37/0xa0
  raw_sendmsg+0x1c4b/0x2d00
  sock_sendmsg+0xdb/0x110
  __sys_sendto+0x1d7/0x2b0
  __x64_sys_sendto+0xdd/0x1b0
  do_syscall_64+0x33/0x40
  entry_SYSCALL_64_after_hwframe+0x44/0xae
 RIP: 0033:0x7f82e13853eb
 Code: 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 f3 0f 1e fa 48 8d 05 75 42 2c 00 41 89 ca 8b 00 85 c0 75 14 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 75 c3 0f 1f 40 00 41 57 4d 89 c7 41 56 41 89
 RSP: 002b:00007ffe01fad888 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
 RAX: ffffffffffffffda RBX: 00005571aac13700 RCX: 00007f82e13853eb
 RDX: 0000000000002330 RSI: 00005571aac13700 RDI: 0000000000000003
 RBP: 0000000000002330 R08: 00005571aac10500 R09: 0000000000000010
 R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffe01faefb0
 R13: 00007ffe01fad890 R14: 00007ffe01fad980 R15: 00005571aac0f0a0

 The buggy address belongs to the page:
 page:000000001dff2e03 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x147009
 flags: 0x17ffffc0001000(reserved)
 raw: 0017ffffc0001000 ffffea00051c0248 ffffea00051c0248 0000000000000000
 raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
 page dumped because: kasan: bad access detected

 Memory state around the buggy address:
  ffff888147009400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  ffff888147009480: f1 f1 f1 f1 04 f2 f2 f2 f2 f2 f2 f2 00 00 00 00
 >ffff888147009500: 00 00 00 00 00 00 00 00 00 00 f2 f2 f2 f2 f2 f2
                                                              ^
  ffff888147009580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  ffff888147009600: 00 00 00 00 00 00 00 00 00 00 00 00 00 f2 f2 f2

for IPv4 packets, sch_fragment() uses a temporary struct dst_entry. Then, in the following call graph:

  ip_do_fragment()
    ip_skb_dst_mtu()
      ip_dst_mtu_maybe_forward()
        ip_mtu_locked()

the pointer to struct dst_entry is used as pointer to struct rtable: this turns the access to struct members like rt_mtu_locked into an OOB read in the stack. Fix this by changing the temporary variable used for IPv4 packets in sch_fragment(), similarly to what is done for IPv6 a few lines below.

AI-Powered Analysis

Last updated: 06/30/2025, 17:57:51 UTC

Technical Analysis

CVE-2021-46954 is a vulnerability in the Linux kernel's traffic-control subsystem (net/sched), in the sch_frag helper that fragments packets on behalf of actions such as act_mirred. It is reached when 'act_mirred' has to mirror or redirect IPv4 packets that 'act_ct' previously reassembled from fragments: sch_fragment() re-fragments the reassembled packet before handing it on, and to drive the IPv4 fragmentation code it attached a temporary struct dst_entry, allocated on the kernel stack, to the skb. The IPv4 path ip_do_fragment() -> ip_skb_dst_mtu() -> ip_dst_mtu_maybe_forward() -> ip_mtu_locked() assumes that every dst_entry it sees is embedded in a struct rtable, casts the pointer accordingly and reads rt_mtu_locked, a member that lies beyond the end of a bare dst_entry. With the stack-allocated temporary, that one-byte read lands in the stack redzone past the object, which is exactly what KASAN reports in the description ("Read of size 1", "stack-out-of-bounds in ip_do_fragment"), triggered there by an ordinary ping. On KASAN-enabled builds the result is the splat (and a panic where panic_on_warn is set); on production builds the misread byte silently feeds the MTU-locking decision, so behaviour is undefined rather than controlled. The fix changes the temporary variable used for IPv4 in sch_fragment() so that the dst_entry attached to the skb is embedded in an object of the size the cast expects, matching what the IPv6 branch a few lines below already did with its rt6_info temporary. The splat in the description was captured on 5.12.0-rc6+; any kernel that includes sch_frag's IPv4 fragmentation path without this fix is affected. The CVE was published by the kernel CNA on 2024-02-27; no CVSS score is recorded on this entry and no exploitation in the wild is reported.
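The root cause described above, as an added example that is not part of this page or of the kernel source: a user-space model that stands in simplified definitions for struct dst_entry and struct rtable (assumed layouts; the real kernel structs are larger and rt_mtu_locked is a 1-bit field there). It shows why a bare dst_entry on the stack makes the ip_mtu_locked()-style container_of() read land out of bounds, and how the post-fix shape, a struct rtable on the stack of which only the embedded dst is attached, keeps the read inside the same object.

```c
/*
 * Added example, not kernel code: a user-space model of the CVE-2021-46954
 * bug pattern in sch_fragment().  The kernel's struct dst_entry and struct
 * rtable are replaced by simplified stand-ins (assumed layouts) that keep
 * the one property that matters: rtable embeds dst_entry as its first
 * member and carries more fields, rt_mtu_locked among them, after it.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for struct dst_entry (assumption, not the real layout). */
struct dst_entry {
	void *dev;
	const void *ops;
	unsigned long _metrics;
	int obsolete;
	unsigned short flags;
};

/* Simplified stand-in for struct rtable: dst is the first member and
 * rt_mtu_locked sits after it (a bit-field in the kernel; a byte here). */
struct rtable {
	struct dst_entry dst;
	int rt_genid;
	unsigned int rt_flags;
	uint16_t rt_type;
	uint8_t rt_is_input;
	uint8_t rt_uses_gateway;
	uint8_t rt_mtu_locked;
};

/* Same idea as the kernel macro: recover the container from a member pointer. */
#define container_of(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))

/* Mirrors ip_mtu_locked(): the cast assumes every dst_entry lives inside
 * an rtable, which sch_fragment() violated with its bare stack dst_entry. */
bool ip_mtu_locked(const struct dst_entry *dst)
{
	const struct rtable *rt = container_of(dst, struct rtable, dst);
	return rt->rt_mtu_locked;
}

/* How many bytes the rt_mtu_locked read extends past the end of a bare
 * struct dst_entry.  Any positive value means the access is out of bounds. */
size_t mtu_locked_overrun_bytes(void)
{
	size_t read_end = offsetof(struct rtable, rt_mtu_locked) + 1;
	size_t dst_size = sizeof(struct dst_entry);
	return read_end > dst_size ? read_end - dst_size : 0;
}

/* Pre-fix shape of sch_fragment(): a bare dst_entry on the stack is handed
 * to the IPv4 path.  Build with -fsanitize=address and call this to get the
 * user-space analogue of the KASAN splat (stack-buffer-overflow read). */
bool vulnerable_sch_fragment(void)
{
	struct dst_entry sch_frag_dst;
	memset(&sch_frag_dst, 0, sizeof(sch_frag_dst));
	/* Out-of-bounds read: rt_mtu_locked lies beyond the end of this object. */
	return ip_mtu_locked(&sch_frag_dst);
}

/* Post-fix shape: the temporary is a struct rtable and only its embedded
 * dst is attached, so container_of() lands inside the same object.
 * 'locked' stands in for whatever value rt_mtu_locked should carry. */
bool fixed_sch_fragment(bool locked)
{
	struct rtable sch_frag_rt;
	memset(&sch_frag_rt, 0, sizeof(sch_frag_rt));
	sch_frag_rt.rt_mtu_locked = locked;
	return ip_mtu_locked(&sch_frag_rt.dst);
}

int main(void)
{
	printf("rt_mtu_locked read overruns a bare dst_entry by %zu byte(s)\n",
	       mtu_locked_overrun_bytes());
	printf("fixed path, unlocked: %d  locked: %d\n",
	       fixed_sch_fragment(false), fixed_sch_fragment(true));
	/* Uncomment under ASan to see the out-of-bounds read reported: */
	/* printf("vulnerable path: %d\n", vulnerable_sch_fragment()); */
	return 0;
}
```

Compile with `cc -fsanitize=address -g` and uncomment the vulnerable call in main() to have AddressSanitizer report a stack-buffer-overflow read, the user-space counterpart of the KASAN splat in the description. The overrun size printed depends on the stand-in layouts above, not on the kernel's; what carries over is that the read is past the object whenever the temporary is a bare dst_entry and inside it once the temporary is the containing rtable.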

Potential Impact

For European organizations, the flaw is reachable only on hosts whose traffic-control configuration chains 'act_ct' (connection tracking with fragment reassembly) and 'act_mirred' on the same path, a pattern found on Linux routers, firewalls and virtualization or container hosts that use tc for conntrack-aware mirroring or redirection. Where that configuration exists, the trigger is ordinary network input: fragmented IPv4 packets from any sender whose traffic reaches the filter, with no authentication or local access required (the splat in the description was produced with ping). The direct effect is a one-byte stack read past the temporary dst_entry. On KASAN-enabled builds this yields the splat and, with panic_on_warn set, a crash; on production builds the misread byte silently feeds the MTU-locking decision in ip_dst_mtu_maybe_forward(). The value read is consumed by the fragmentation logic and never returned to the sender, so the realistic impact is denial of service or mis-fragmentation rather than a demonstrated memory disclosure or privilege escalation. Critical infrastructure, cloud providers and enterprises running affected kernels on network-edge or tenant-facing systems should treat this as an availability risk to those systems; hosts without an act_ct plus act_mirred chain cannot reach the bug. No exploitation in the wild is recorded on this entry, which lowers the immediate risk but does not remove it.

Mitigation Recommendations

European organizations should apply a kernel that carries the fix (net/sched: sch_frag: fix stack OOB read while fragmenting IPv4 packets) from their distribution (Red Hat, SUSE, Debian, Ubuntu and derivatives) and reboot; the bug is in kernel code, so no userspace update helps. Where patching must wait, identify the hosts that are actually exposed: list the tc filters on each interface (tc filter show dev <dev> ingress, and the egress qdiscs and chains in use) and look for rules that combine a 'ct' action with a 'mirred' action on the same chain. Only those hosts can hit the bug; on them, an interim option is to drop or rate-limit fragmented IPv4 input before it reaches that chain, or to temporarily remove the mirred action and accept the loss of mirroring. KASAN is a debugging feature, not a hardening one, and does not belong on production kernels; use it in test environments to catch this class of bug before deployment. In production, watch kernel logs for 'BUG: KASAN' reports or unexpected oopses in ip_do_fragment()/sch_fragment() on debug builds, and for unexplained panics or fragmentation anomalies on normal builds. Network segmentation and IDS rules for anomalous fragment patterns reduce the chance that untrusted sources reach the vulnerable chain but do not remove the bug.


Technical Details

Data Version
5.1
Assigner Short Name
Linux
Date Reserved
2024-02-27T18:42:55.937Z
Cisa Enriched
true
Cvss Version
null
State
PUBLISHED

Threat ID: 682d9834c4522896dcbe98bb

Added to database: 5/21/2025, 9:09:08 AM

Last enriched: 6/30/2025, 5:57:51 PM

Last updated: 8/17/2025, 7:54:41 AM

