CVE-2021-47036: Vulnerability in Linux (Linux kernel)
Description
In the Linux kernel, the following vulnerability has been resolved:

udp: skip L4 aggregation for UDP tunnel packets

If NETIF_F_GRO_FRAGLIST or NETIF_F_GRO_UDP_FWD are enabled, and there are UDP tunnels available in the system, udp_gro_receive() could end up doing L4 aggregation (either SKB_GSO_UDP_L4 or SKB_GSO_FRAGLIST) at the outer UDP tunnel level for packets effectively carrying a UDP tunnel header. That could cause inner protocol corruption. If e.g. the relevant packets carry a vxlan header, different vxlan ids will be ignored/aggregated to the same GSO packet. Inner headers will be ignored, too, so that e.g. TCP over vxlan push packets will be held in the GRO engine till the next flush, etc.

Just skip the SKB_GSO_UDP_L4 and SKB_GSO_FRAGLIST code path if the current packet could land in a UDP tunnel, and let udp_gro_receive() do GRO via udp_sk(sk)->gro_receive.

The check implemented in this patch is broader than what is strictly needed, as the existing UDP tunnel could be e.g. configured on top of a different device: we could end up skipping GRO at all for some packets. Anyhow, that is a very thin corner case and covering it will add quite a bit of complexity.

v1 -> v2:
- hopefully clarify the commit message
AI Analysis
Technical Summary
CVE-2021-47036 is a vulnerability in the Linux kernel's handling of UDP tunnel packets during Generic Receive Offload (GRO) processing. GRO is a receive-path optimization that coalesces several incoming packets belonging to the same flow into one larger packet before handing it up the stack, cutting per-packet CPU overhead. The defect is triggered when either of two GRO features, NETIF_F_GRO_FRAGLIST or NETIF_F_GRO_UDP_FWD, is enabled on a system that also has UDP tunnels (for example VXLAN) configured. In that configuration udp_gro_receive() may perform Layer 4 (L4) aggregation (SKB_GSO_UDP_L4 or SKB_GSO_FRAGLIST) on the outer UDP flow even though the payload is itself a tunnel header plus an encapsulated frame. Because the outer 4-tuple is identical for every tenant using the same pair of tunnel endpoints, packets carrying different VXLAN IDs are merged into one GSO packet and only the first packet's tunnel and inner headers are honoured; the inner protocol state is corrupted. A visible symptom is that encapsulated TCP push packets are held in the GRO engine until the next flush instead of being delivered promptly. The fix skips the SKB_GSO_UDP_L4 and SKB_GSO_FRAGLIST code paths whenever a packet could land in a UDP tunnel and instead lets GRO proceed through the tunnel socket's own handler, udp_sk(sk)->gro_receive, which understands the tunnel and inner headers. The commit message notes the check is broader than strictly necessary (a tunnel configured on a different device can cause GRO to be skipped for unrelated packets), a trade-off accepted to avoid additional complexity. No exploits are known in the wild; affected kernels are those that contain the pre-fix udp_gro_receive() logic with the features above available. The issue concerns packet integrity and network performance rather than remote code execution or privilege escalation.
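The following is an added illustration, not kernel code and not part of the advisory: a toy userspace model of the aggregation step described above. It assumes a single VXLAN tunnel socket on UDP port 4789 (standing in for udp_sk(sk)->gro_receive being set), treats "same outer 4-tuple and equal payload length" as the L4 merge rule (as SKB_GSO_UDP_L4 aggregation does), and shows that the pre-fix path collapses two tenants' packets into one GSO packet whose head carries only the first VNI, while the post-fix rule hands tunnel-bound packets to a VNI-aware merge instead.

```python
"""Toy model of the CVE-2021-47036 outer-UDP aggregation defect and its fix.

Added example; not the Linux kernel's udp_gro_receive(). Assumptions are marked.
"""
from dataclasses import dataclass, field
from typing import List, Set, Tuple

VXLAN_PORT = 4789  # assumption: the tunnel socket listens here (IANA VXLAN port)

Flow = Tuple[str, str, int, int]


@dataclass
class Packet:
    """Outer UDP packet; payload is the UDP payload (VXLAN header + inner frame)."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    payload: bytes
    segs: List[bytes] = field(default_factory=list)  # segments merged into this GSO packet

    def flow(self) -> Flow:
        return (self.src_ip, self.dst_ip, self.src_port, self.dst_port)


def vxlan_header(vni: int) -> bytes:
    """8-byte VXLAN header: flags=0x08 (VNI valid), 3 reserved, 24-bit VNI, 1 reserved."""
    return bytes([0x08, 0, 0, 0]) + ((vni & 0xFFFFFF) << 8).to_bytes(4, "big")


def vxlan_vni(payload: bytes) -> int:
    return int.from_bytes(payload[4:8], "big") >> 8


def l4_merge(held: Packet, skb: Packet) -> bool:
    """Outer-level L4 merge: same outer 4-tuple and equal payload length. This is
    all the pre-fix path looked at, so the tunnel header inside is never inspected."""
    if held.flow() == skb.flow() and len(held.payload) == len(skb.payload):
        held.segs.append(skb.payload)
        return True
    return False


def tunnel_merge(held: Packet, skb: Packet) -> bool:
    """Stand-in for the tunnel socket's own gro_receive: only merge packets with the
    same VNI (a real VXLAN handler then also matches the inner Ethernet/IP/TCP headers)."""
    if (held.flow() == skb.flow()
            and vxlan_vni(held.payload) == vxlan_vni(skb.payload)
            and len(held.payload) == len(skb.payload)):
        held.segs.append(skb.payload)
        return True
    return False


def gro_receive(packets: List[Packet], tunnel_ports: Set[int], fixed: bool) -> List[Packet]:
    """Push packets through a toy GRO list with L4 aggregation enabled (as if
    NETIF_F_GRO_UDP_FWD were on) and return what a flush would deliver."""
    gro_list: List[Packet] = []
    for skb in packets:
        could_be_tunnel = skb.dst_port in tunnel_ports
        # The fix: never do outer-level L4 aggregation when the packet could land in
        # a UDP tunnel; let the tunnel's gro_receive decide instead.
        merge = tunnel_merge if (fixed and could_be_tunnel) else l4_merge
        merged = False
        for held in gro_list:
            if merge(held, skb):
                merged = True
                break
        if not merged:
            skb.segs = [skb.payload]
            gro_list.append(skb)
    return gro_list


def delivered_vnis(packets: List[Packet]) -> List[int]:
    """The VNI the receiver acts on per GSO packet: only the head segment's VXLAN
    header is parsed, so a different VNI buried in a later segment is silently lost."""
    return [vxlan_vni(p.payload) for p in packets]


def sample_burst() -> List[Packet]:
    """Constructed traffic: two tenants (VNI 100 and 200) share one outer VTEP pair."""
    inner = b"\x00" * 60  # constructed inner frame, same length for every packet
    return [
        Packet("10.0.0.1", "10.0.0.2", 40000, VXLAN_PORT, vxlan_header(100) + inner),
        Packet("10.0.0.1", "10.0.0.2", 40000, VXLAN_PORT, vxlan_header(200) + inner),
        Packet("10.0.0.1", "10.0.0.2", 40000, VXLAN_PORT, vxlan_header(100) + inner),
    ]


def run(fixed: bool) -> List[int]:
    return delivered_vnis(gro_receive(sample_burst(), {VXLAN_PORT}, fixed))


if __name__ == "__main__":
    print("pre-fix :", run(False))   # [100]      -> tenant 200's packet vanished into tenant 100's GSO packet
    print("post-fix:", run(True))    # [100, 200] -> VNIs kept apart; only same-VNI packets coalesce
```

The merge predicates are deliberately minimal; the point is the dispatch in `gro_receive()`: once the packet's destination port identifies a possible tunnel, the outer-flow merge is never consulted, which is exactly the shape of the kernel's change.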
Potential Impact
For European organizations, the impact of CVE-2021-47036 centers on network reliability and data integrity in environments using Linux-based systems with UDP tunneling technologies such as VXLAN, commonly used in data centers and cloud infrastructures for network virtualization. Corruption or improper aggregation of tunneled packets can lead to degraded network performance, increased latency, and potential data transmission errors within virtualized network overlays. This could affect critical services relying on stable and efficient network communication, including cloud services, virtual desktop infrastructure (VDI), and multi-tenant environments. While this vulnerability does not directly expose systems to remote code execution or data breaches, the disruption of inner protocol integrity could cause application-level failures or intermittent connectivity issues, impacting business continuity. Organizations with high reliance on Linux-based network infrastructure and UDP tunneling should be particularly vigilant. The absence of known exploits reduces immediate risk, but unpatched systems remain vulnerable to potential future exploitation or operational issues.
Mitigation Recommendations
To mitigate CVE-2021-47036, European organizations should:
1) Apply the official Linux kernel patches that address this vulnerability as soon as they become available from trusted sources or vendor distributions.
2) Audit network configurations to identify the use of UDP tunneling protocols such as VXLAN and verify whether the GRO features NETIF_F_GRO_FRAGLIST or NETIF_F_GRO_UDP_FWD are enabled.
3) Where feasible, temporarily disable these GRO features on affected interfaces to prevent the problematic aggregation behavior until patches are applied, understanding this may impact network performance.
4) Monitor network traffic for anomalies or performance degradation that could indicate issues related to UDP tunnel packet processing.
5) Engage with Linux distribution vendors and cloud providers to ensure timely updates and guidance are received.
6) Incorporate this vulnerability into vulnerability management and patching workflows, prioritizing systems that handle UDP tunnels in critical network paths.
7) Test patches in staging environments to confirm that the fix does not introduce unintended side effects in complex network setups.
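Steps 2 and 3 above can be turned into a read-only host audit. The script below is an added example, not from the advisory or the kernel project. It assumes ethtool and iproute2 are installed, that `ethtool -k IFACE` reports the two kernel features under their ethtool names `rx-gro-list` (NETIF_F_GRO_FRAGLIST) and `rx-udp-gro-forwarding` (NETIF_F_GRO_UDP_FWD), and that `ip -j link show type vxlan` lists VXLAN devices as JSON. It only reports; the suggested `ethtool -K` command in each finding is left for an operator to run after weighing the performance impact.

```python
"""Audit interfaces for the CVE-2021-47036 precondition: a risky GRO feature
enabled while VXLAN tunnels exist on the host. Added example; read-only."""
import json
import subprocess
from typing import Dict, List

# ethtool feature name -> kernel flag it toggles
RISKY_FEATURES = {
    "rx-gro-list": "NETIF_F_GRO_FRAGLIST",
    "rx-udp-gro-forwarding": "NETIF_F_GRO_UDP_FWD",
}

# Constructed sample of `ethtool -k eth0` output, used for offline checking.
SAMPLE_ETHTOOL = """Features for eth0:
rx-checksumming: on
tx-checksumming: on
\ttx-checksum-ipv4: off [fixed]
generic-receive-offload: on
rx-gro-list: on
rx-udp-gro-forwarding: off
"""


def parse_ethtool_features(text: str) -> Dict[str, str]:
    """Turn `ethtool -k IFACE` output into {feature: "on"|"off"}, skipping the
    'Features for ...' banner and dropping '[fixed]'-style annotations."""
    features: Dict[str, str] = {}
    for line in text.splitlines():
        if ":" not in line or line.startswith("Features for"):
            continue
        name, _, value = line.partition(":")
        tokens = value.split()
        features[name.strip()] = tokens[0] if tokens else ""
    return features


def findings(iface: str, features: Dict[str, str], vxlan_present: bool) -> List[str]:
    """One finding per risky feature that is on. The advisory's precondition is
    'feature enabled AND a UDP tunnel exists', so with no VXLAN we report nothing."""
    if not vxlan_present:
        return []
    return [
        f"{iface}: {name} ({kflag}) is on; disable with: ethtool -K {iface} {name} off"
        for name, kflag in RISKY_FEATURES.items()
        if features.get(name) == "on"
    ]


def _ip_link_names(*filter_args: str) -> List[str]:
    out = subprocess.run(["ip", "-j", "link", "show", *filter_args],
                         capture_output=True, text=True, check=True).stdout
    return [link["ifname"] for link in json.loads(out or "[]")]


def audit_host() -> List[str]:
    """Live audit: every interface's ethtool features against the VXLAN inventory."""
    vxlans = _ip_link_names("type", "vxlan")
    report: List[str] = []
    for iface in _ip_link_names():
        # ethtool exits non-zero for devices without feature support; treat as empty
        txt = subprocess.run(["ethtool", "-k", iface], capture_output=True, text=True).stdout
        report += findings(iface, parse_ethtool_features(txt), bool(vxlans))
    if vxlans:
        report.insert(0, "VXLAN devices present: " + ", ".join(vxlans))
    return report


if __name__ == "__main__":
    for line in audit_host() or ["no VXLAN tunnels with risky GRO features found"]:
        print(line)
```

Run it on each host that terminates VXLAN; an empty report on a host that does have VXLAN devices means both features are already off there and step 3 is not needed.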
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Denmark, Ireland, Belgium, Italy
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-02-27T18:42:55.965Z
- Cisa Enriched: true
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9834c4522896dcbe9b1a
Added to database: 5/21/2025, 9:09:08 AM
Last enriched: 6/30/2025, 7:55:19 PM
Last updated: 8/15/2025, 2:54:42 AM