CVE-2021-47010: Vulnerability in Linux (Linux kernel)
Description
In the Linux kernel, the following vulnerability has been resolved:

net: Only allow init netns to set default tcp cong to a restricted algo

tcp_set_default_congestion_control() is netns-safe in that it writes to &net->ipv4.tcp_congestion_control, but it also sets ca->flags |= TCP_CONG_NON_RESTRICTED which is not namespaced. This has the unintended side-effect of changing the global net.ipv4.tcp_allowed_congestion_control sysctl, despite the fact that it is read-only:

97684f0970f6 ("net: Make tcp_allowed_congestion_control readonly in non-init netns")

Resolve this netns "leak" by only allowing the init netns to set the default algorithm to one that is restricted. This restriction could be removed if tcp_allowed_congestion_control were namespace-ified in the future.

This bug was uncovered with https://github.com/JonathonReinhart/linux-netns-sysctl-verify
AI Analysis
Technical Summary
CVE-2021-47010 is a high-severity vulnerability in the Linux kernel in the handling of TCP congestion control algorithms within network namespaces (netns). The function tcp_set_default_congestion_control() writes the per-namespace default correctly, but it also sets ca->flags |= TCP_CONG_NON_RESTRICTED on the chosen algorithm, and that flag is global rather than namespaced. The side effect is that the global sysctl net.ipv4.tcp_allowed_congestion_control, which is meant to be read-only from non-init network namespaces, can be altered indirectly: a non-init namespace that selects a restricted algorithm as its default causes that algorithm to be marked non-restricted in the host-wide allowed list, which applies to every namespace on the system. The root cause is therefore global kernel state being modified from a namespaced operation, breaking the isolation guarantees of network namespaces.

The bug was found with the linux-netns-sysctl-verify tool. The fix allows only the init network namespace to set the default congestion control algorithm to a restricted one, so other namespaces can no longer change global state through this path.

The vulnerability is classified under CWE-400 (Uncontrolled Resource Consumption), indicating potential for resource exhaustion or denial of service. The CVSS v3.1 score is 7.8 (high): local privileges required, low attack complexity, no user interaction, and impact on confidentiality, integrity, and availability. No exploits are known in the wild. The affected versions are identified by specific Linux kernel commit hashes rather than release numbers, which pins the issue to a particular range of kernel code.
Potential Impact
For European organizations, this vulnerability poses a significant risk particularly to environments that utilize Linux containers, virtualized network functions, or multi-tenant network namespaces for isolation. Since the flaw allows a non-init network namespace to alter global TCP congestion control settings, it could lead to denial of service or degraded network performance across all namespaces on a host. This could disrupt critical services, especially in cloud providers, telecom infrastructure, and enterprises relying on Linux-based network virtualization. Confidentiality and integrity could also be impacted if attackers leverage this to degrade or manipulate network traffic flows. The vulnerability requires local privileges, so attackers would need some level of access to the host system, but once exploited, the scope affects the entire system's network stack. Given the widespread use of Linux in European data centers, cloud platforms, and embedded systems, the impact could be broad. The lack of known exploits reduces immediate risk but does not eliminate the threat, especially in high-value targets where attackers may develop exploits. The vulnerability's presence in kernel versions used by major Linux distributions common in Europe (Debian, Ubuntu, Red Hat, SUSE) increases exposure.
Mitigation Recommendations
1. Apply the official Linux kernel patches that restrict setting the default TCP congestion control algorithm to the init network namespace only. Ensure all Linux hosts, especially those running containerized or virtualized network environments, are updated promptly.
2. Audit and restrict local user privileges to minimize the risk of unauthorized local access that could exploit this vulnerability.
3. Monitor network namespaces and sysctl parameters related to TCP congestion control for unexpected changes, using kernel auditing tools or custom scripts.
4. For environments using containers or network namespaces extensively, implement strict namespace isolation policies and consider additional runtime security tools that detect anomalous sysctl modifications.
5. Coordinate with Linux distribution vendors for backported patches if using long-term support kernels and deploy those updates in a timely manner.
6. Review and harden network stack configurations to limit the impact of congestion control manipulation, such as enforcing allowed algorithms via configuration management.
7. Maintain comprehensive logging and alerting on kernel parameter changes and privilege escalations to detect potential exploitation attempts early.
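The symptom the commit message describes and the monitoring in recommendation 3 meet in one observable: the host-wide net.ipv4.tcp_allowed_congestion_control list growing without an administrator having written it. The script below is an added example (not part of the CVE record, the kernel, or the analysis above) of the kind of custom drift check recommendation 3 calls for. It reads the real /proc/sys/net/ipv4 sysctl files, but the baseline and sample values in the test harness are constructed, and the helper names (`allowed_list_drift`, `evaluate`, `read_live`) are this example's own.

```python
"""Drift check for the TCP congestion-control sysctls (added example).

CVE-2021-47010's visible symptom: net.ipv4.tcp_allowed_congestion_control
on the host grows even though it is read-only in non-init namespaces,
because an algorithm a child netns picked as its default gets marked
TCP_CONG_NON_RESTRICTED globally. Recording the allowed list at boot and
re-reading it periodically catches that drift; the same read also confirms
that a namespace's default algorithm is one the host actually allows.
"""
from pathlib import Path

# Real sysctl files exposed by the kernel under /proc/sys.
SYSCTL_DIR = Path("/proc/sys/net/ipv4")
ALLOWED = SYSCTL_DIR / "tcp_allowed_congestion_control"    # global list
AVAILABLE = SYSCTL_DIR / "tcp_available_congestion_control"  # loaded algos
DEFAULT = SYSCTL_DIR / "tcp_congestion_control"            # per-netns default


def parse_algo_list(text: str) -> set[str]:
    """The list files hold space-separated algorithm names plus a newline."""
    return set(text.split())


def allowed_list_drift(baseline: str, current: str) -> dict[str, set[str]]:
    """Compare a recorded allowed list against the current one.

    'added' is the interesting set for this CVE: the legitimate ways the
    list grows are an explicit write in the init netns, so an unexplained
    addition (a restricted algorithm now marked allowed) is a finding.
    'removed' is reported too so an operator sees both directions.
    """
    base, cur = parse_algo_list(baseline), parse_algo_list(current)
    return {"added": cur - base, "removed": base - cur}


def default_is_allowed(default: str, allowed: str) -> bool:
    """True if the namespace's default algorithm is on the allowed list."""
    return default.strip() in parse_algo_list(allowed)


def evaluate(baseline_allowed: str, current_allowed: str,
             current_default: str) -> list[str]:
    """Return human-readable findings; an empty list means no drift."""
    findings = []
    drift = allowed_list_drift(baseline_allowed, current_allowed)
    if drift["added"]:
        findings.append(
            "allowed list grew by %s (check for restricted algorithms "
            "leaked via a child netns default)"
            % ",".join(sorted(drift["added"]))
        )
    if drift["removed"]:
        findings.append(
            "allowed list lost %s" % ",".join(sorted(drift["removed"]))
        )
    if not default_is_allowed(current_default, current_allowed):
        # Possible after an administrator shrinks the allowed list without
        # changing the default; worth flagging as a misconfiguration.
        findings.append(
            "default %r is not in the allowed list" % current_default.strip()
        )
    return findings


def read_live(baseline_allowed: str) -> list[str]:
    """Evaluate the running kernel. The allowed list is global, but the
    default is per-namespace, so run this inside each netns of interest
    (for example via `ip netns exec <name>`) to check that namespace."""
    return evaluate(baseline_allowed, ALLOWED.read_text(), DEFAULT.read_text())


if __name__ == "__main__":
    # Constructed sample values standing in for the sysctl file contents.
    BASELINE = "reno cubic\n"
    print(evaluate(BASELINE, "reno cubic\n", "cubic\n"))       # clean host
    print(evaluate(BASELINE, "reno cubic bbr\n", "cubic\n"))   # bbr leaked in
    print(evaluate(BASELINE, "reno cubic\n", "bbr\n"))         # default not allowed
```

Store the baseline once from the init namespace after boot-time configuration is applied, then schedule the check; on a patched kernel the "grew by" finding should only ever follow a deliberate write in the init netns, so anything else is worth correlating with audit records for writes to the tcp_congestion_control sysctl.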
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-02-27T18:42:55.953Z
- Cisa Enriched: true
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 682d9834c4522896dcbe9a4c
Added to database: 5/21/2025, 9:09:08 AM
Last enriched: 7/3/2025, 5:42:39 AM
Last updated: 8/1/2025, 12:14:11 AM