CVE-2021-47099: Vulnerability in Linux (Linux kernel)
In the Linux kernel, the following vulnerability has been resolved:

veth: ensure skb entering GRO are not cloned.

After commit d3256efd8e8b ("veth: allow enabling NAPI even without XDP"), if GRO is enabled on a veth device and TSO is disabled on the peer device, TCP skbs will go through the NAPI callback. If there is no XDP program attached, the veth code does not perform any share check, and shared/cloned skbs could enter the GRO engine.

Ignat reported a BUG triggered later-on due to the above condition:

[ 53.970529][ C1] kernel BUG at net/core/skbuff.c:3574!
[ 53.981755][ C1] invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
[ 53.982634][ C1] CPU: 1 PID: 19 Comm: ksoftirqd/1 Not tainted 5.16.0-rc5+ #25
[ 53.982634][ C1] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
[ 53.982634][ C1] RIP: 0010:skb_shift+0x13ef/0x23b0
[ 53.982634][ C1] Code: ea 03 0f b6 04 02 48 89 fa 83 e2 07 38 d0 7f 08 84 c0 0f 85 41 0c 00 00 41 80 7f 02 00 4d 8d b5 d0 00 00 00 0f 85 74 f5 ff ff <0f> 0b 4d 8d 77 20 be 04 00 00 00 4c 89 44 24 78 4c 89 f7 4c 89 8c
[ 53.982634][ C1] RSP: 0018:ffff8881008f7008 EFLAGS: 00010246
[ 53.982634][ C1] RAX: 0000000000000000 RBX: ffff8881180b4c80 RCX: 0000000000000000
[ 53.982634][ C1] RDX: 0000000000000002 RSI: ffff8881180b4d3c RDI: ffff88810bc9cac2
[ 53.982634][ C1] RBP: ffff8881008f70b8 R08: ffff8881180b4cf4 R09: ffff8881180b4cf0
[ 53.982634][ C1] R10: ffffed1022999e5c R11: 0000000000000002 R12: 0000000000000590
[ 53.982634][ C1] R13: ffff88810f940c80 R14: ffff88810f940d50 R15: ffff88810bc9cac0
[ 53.982634][ C1] FS: 0000000000000000(0000) GS:ffff888235880000(0000) knlGS:0000000000000000
[ 53.982634][ C1] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 53.982634][ C1] CR2: 00007ff5f9b86680 CR3: 0000000108ce8004 CR4: 0000000000170ee0
[ 53.982634][ C1] Call Trace:
[ 53.982634][ C1] <TASK>
[ 53.982634][ C1] tcp_sacktag_walk+0xaba/0x18e0
[ 53.982634][ C1] tcp_sacktag_write_queue+0xe7b/0x3460
[ 53.982634][ C1] tcp_ack+0x2666/0x54b0
[ 53.982634][ C1] tcp_rcv_established+0x4d9/0x20f0
[ 53.982634][ C1] tcp_v4_do_rcv+0x551/0x810
[ 53.982634][ C1] tcp_v4_rcv+0x22ed/0x2ed0
[ 53.982634][ C1] ip_protocol_deliver_rcu+0x96/0xaf0
[ 53.982634][ C1] ip_local_deliver_finish+0x1e0/0x2f0
[ 53.982634][ C1] ip_sublist_rcv_finish+0x211/0x440
[ 53.982634][ C1] ip_list_rcv_finish.constprop.0+0x424/0x660
[ 53.982634][ C1] ip_list_rcv+0x2c8/0x410
[ 53.982634][ C1] __netif_receive_skb_list_core+0x65c/0x910
[ 53.982634][ C1] netif_receive_skb_list_internal+0x5f9/0xcb0
[ 53.982634][ C1] napi_complete_done+0x188/0x6e0
[ 53.982634][ C1] gro_cell_poll+0x10c/0x1d0
[ 53.982634][ C1] __napi_poll+0xa1/0x530
[ 53.982634][ C1] net_rx_action+0x567/0x1270
[ 53.982634][ C1] __do_softirq+0x28a/0x9ba
[ 53.982634][ C1] run_ksoftirqd+0x32/0x60
[ 53.982634][ C1] smpboot_thread_fn+0x559/0x8c0
[ 53.982634][ C1] kthread+0x3b9/0x490
[ 53.982634][ C1] ret_from_fork+0x22/0x30
[ 53.982634][ C1] </TASK>

Address the issue by skipping the GRO stage for shared or cloned skbs. To reduce the chance of OoO, try to unclone the skbs before giving up.

v1 -> v2:
- avoid skb_copy and fall back to netif_receive_skb - Eric
AI Analysis
Technical Summary
CVE-2021-47099 is a bug in the Linux kernel's virtual Ethernet (veth) driver in how socket buffers (skbs) are handed to Generic Receive Offload (GRO). Since commit d3256efd8e8b ("veth: allow enabling NAPI even without XDP"), enabling GRO on a veth device turns on NAPI processing for that device even when no eXpress Data Path (XDP) program is attached. When TCP Segmentation Offload (TSO) is disabled on the peer device, TCP segments cross the pair as plain (non-GSO) skbs and are fed through the NAPI poll routine into the GRO engine. The XDP path checks whether an skb is shared or cloned before modifying it; the no-XDP path performed no such check. That matters because GRO coalescing rewrites skb_shared_info (fragment array, gso_size and related fields), and a cloned skb shares that structure with the skb it was cloned from, so running GRO on a clone silently modifies the other holder's buffer. The reported trace is consistent with exactly this: a TCP sender keeps each segment in its write queue and transmits a clone; the clone is coalesced by GRO on the receiving end of the veth pair; when a later ACK with SACK blocks makes the sender walk its write queue (tcp_ack -> tcp_sacktag_walk -> skb_shift), skb_shift() finds the corrupted shared info and hits a BUG_ON() in net/core/skbuff.c (the "kernel BUG at net/core/skbuff.c:3574!" and "invalid opcode" lines in the log, raised from ksoftirqd/1), crashing the kernel. The commit message documents nothing beyond this assertion failure; the original analysis claim of "memory corruption or use-after-free conditions" and an information leak is not supported by it. The fix keeps shared or cloned skbs out of the GRO engine: a cloned skb is first uncloned (given a private skb_shared_info) so it can still be coalesced and TCP reordering (OoO) is kept low, while skbs that are shared or cannot be uncloned are delivered through netif_receive_skb() instead (the v2 changelog records that an skb_copy() approach was dropped in favour of this fallback, on Eric's suggestion). Affected kernels are those that contain commit d3256efd8e8b but not the fix. The CVE carries a CVSS 3.1 base score of 6.0 (medium): local attack vector, low attack complexity, high privileges required, no user interaction, unchanged scope, high confidentiality impact, no integrity impact, high availability impact. Treat the confidentiality rating with caution, since the description shows only a crash. No exploitation in the wild had been reported as of publication.
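To make the ownership rule concrete, here is a userspace C model of the hazard and of the fix strategy. It is an added example, not code from the kernel, the veth driver or the upstream patch: the toy_skb and toy_shinfo structures, the toy_* helpers, the two veth_rx_* decision functions and the sender_shinfo_corrupted() scenario are this example's own inventions standing in for sk_buff, skb_shared_info, skb_clone()/skb_unclone()/skb_shared()/skb_cloned() and the veth receive path. The one assumption it encodes, that a cloned skb aliases its origin's skb_shared_info and that GRO coalescing writes to that structure, is the reason the commit message requires the share check.

```c
/* Userspace model of the skb aliasing hazard behind CVE-2021-47099. Added
 * example, not kernel code and not the upstream patch: the toy_* names mimic the
 * sk_buff rule that matters here (a clone shares skb_shared_info with its origin)
 * so the bug and the fix strategy from the commit message run outside the kernel. */
#include <stdio.h>
#include <stdlib.h>

#define MAX_FRAGS 4

struct toy_shinfo {		/* stand-in for skb_shared_info */
	int dataref;		/* skbs pointing at this buffer; >1 means cloned */
	int nr_frags, gso_size, frag_len[MAX_FRAGS];
};

struct toy_skb {
	int users;		/* >1 means skb_shared() */
	int len;
	struct toy_shinfo *shinfo;
};

static struct toy_skb *toy_alloc(int len)
{
	struct toy_skb *skb = calloc(1, sizeof(*skb));
	skb->shinfo = calloc(1, sizeof(*skb->shinfo));
	skb->users = skb->shinfo->dataref = skb->shinfo->nr_frags = 1;
	skb->len = skb->shinfo->frag_len[0] = len;
	return skb;
}

/* Like skb_clone(): new header, same data buffer, same shinfo. */
static struct toy_skb *toy_clone(struct toy_skb *skb)
{
	struct toy_skb *c = calloc(1, sizeof(*c));
	*c = *skb;
	skb->shinfo->dataref++;
	return c;
}

static void toy_free(struct toy_skb *skb)
{
	if (--skb->shinfo->dataref == 0)
		free(skb->shinfo);
	free(skb);
}

static int toy_cloned(const struct toy_skb *skb) { return skb->shinfo->dataref > 1; }
static int toy_shared(const struct toy_skb *skb) { return skb->users > 1; }

/* Like skb_unclone(): give a cloned skb a private shinfo; 0 on success. */
static int toy_unclone(struct toy_skb *skb)
{
	struct toy_shinfo *priv;
	if (!toy_cloned(skb))
		return 0;
	if (!(priv = malloc(sizeof(*priv))))
		return -1;
	*priv = *skb->shinfo;
	skb->shinfo->dataref--;
	priv->dataref = 1;
	skb->shinfo = priv;
	return 0;
}

/* Model of GRO coalescing: writes into the held skb's shinfo, harmless on a
 * private buffer, silently corrupting the sibling on an aliased one. */
static void toy_gro_receive(struct toy_skb *held, const struct toy_skb *next)
{
	struct toy_shinfo *si = held->shinfo;
	if (si->nr_frags < MAX_FRAGS)
		si->frag_len[si->nr_frags++] = next->len;
	si->gso_size = held->len;
	held->len += next->len;
}

enum rx_path { RX_GRO, RX_PLAIN };

/* Before the fix the non-XDP veth path had no share check at all. */
static enum rx_path veth_rx_before_fix(struct toy_skb *skb) { (void)skb; return RX_GRO; }

/* After the fix (strategy from the commit message): shared skbs, and skbs that
 * cannot be uncloned, skip GRO for the plain receive path; cloned skbs get a
 * private shinfo first so they can still be coalesced. */
static enum rx_path veth_rx_after_fix(struct toy_skb *skb)
{
	return (toy_shared(skb) || toy_unclone(skb) != 0) ? RX_PLAIN : RX_GRO;
}

/* Scenario: a TCP sender keeps a segment in its write queue and transmits a clone
 * over the veth pair. Returns 1 if receive-side processing altered the sender's
 * view of shinfo, the state that later trips skb_shift() on the write queue. */
static int sender_shinfo_corrupted(enum rx_path (*rx)(struct toy_skb *))
{
	struct toy_skb *queued = toy_alloc(1000);
	struct toy_skb *wire = toy_clone(queued);
	struct toy_skb *next = toy_alloc(1000);	/* following segment, already held by GRO */
	int frags = queued->shinfo->nr_frags, gso = queued->shinfo->gso_size;

	if (rx(wire) == RX_GRO)
		toy_gro_receive(wire, next);
	int corrupted = queued->shinfo->nr_frags != frags || queued->shinfo->gso_size != gso;
	toy_free(next);
	toy_free(wire);
	toy_free(queued);
	return corrupted;
}

int main(void)
{
	printf("sender shinfo corrupted: before fix = %d, after fix = %d\n",
	       sender_shinfo_corrupted(veth_rx_before_fix), sender_shinfo_corrupted(veth_rx_after_fix));
	return 0;
}
```

Compile with cc -std=c99 -Wall and run: the vulnerable path reports the sender's shinfo as corrupted, the fixed path does not. The second half of the fix is visible in veth_rx_after_fix(): a cloned skb is uncloned and still reaches GRO, while a shared one is diverted to the plain receive path, which is the trade-off the commit message describes when it says it tries to unclone before giving up to limit out-of-order delivery.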
Potential Impact
For European organizations the exposure is any Linux host running a kernel in the affected range that uses veth pairs, which in practice means container and virtualization platforms: Docker, Kubernetes CNI plugins, LXC, systemd-nspawn and similar all attach workloads to the host through veth. The demonstrated effect is a kernel BUG() and crash, i.e. denial of service against every workload on the node, not only the container whose traffic triggered it. The CVSS vector assigns high confidentiality impact, but nothing in the kernel description supports a disclosure primitive, so the realistic impact is availability. Triggering requires the specific offload configuration (GRO enabled on a veth device, TSO disabled on its peer), and changing those settings needs CAP_NET_ADMIN in the network namespace that owns the interface; that is why the vector rates privileges required as high, and the realistic threat is a privileged local user, a compromised administrative account or a container granted CAP_NET_ADMIN, not an unauthenticated remote attacker. Once the configuration is in place, ordinary TCP traffic across the pair can be enough to hit the bug, so the crash can also occur with no attacker at all as a stability problem on hosts where an operator enabled veth GRO for performance. Cloud providers, data centers and Linux-based network-function deployments are the obvious places this matters; embedded Linux in industrial control and telecommunications equipment is affected only where such devices run containers or otherwise use veth with GRO. The absence of known exploits lowers the immediate risk, but patching remains the only complete remedy.
Mitigation Recommendations
1. Apply the kernel update carrying the fix commit "veth: ensure skb entering GRO are not cloned" (in mainline 5.16 and in the stable backports); follow your distribution's advisory for the exact package version, and reboot or live-patch so the running kernel actually changes.
2. In container and VM environments, update every kernel that hosts veth pairs: the container host above all, and guest kernels that themselves run containers. Patching the hypervisor does not protect a guest kernel, and vice versa.
3. Until patched, stay out of the triggering configuration: keep GRO disabled on veth devices (ethtool -K <veth> gro off; enabling it is what turns on NAPI processing without XDP) and leave TSO enabled on the peer. Do not disable TSO as a workaround: TSO off on the peer is half of the trigger condition.
4. Watch kernel logs (dmesg, journalctl -k) for "kernel BUG at net/core/skbuff.c" with skb_shift and tcp_sacktag_walk in the call trace. On an unpatched host with veth GRO enabled that signature is this bug, whether or not anyone triggered it on purpose; hosts hitting it should be patched or reconfigured as in item 3.
5. Treat the ability to change offload settings as the privilege boundary: do not grant CAP_NET_ADMIN to containers that do not need it, and restrict ethtool and iproute2 changes on host veth interfaces to trusted administrators. This is exactly the "high privileges required" in the CVSS vector.
6. Generic kernel hardening (KASLR, KPTI) does not stop this bug: it is an assertion failure (BUG_ON) in the receive path, not a memory-safety primitive those mitigations interfere with. Keep them enabled for other reasons, but do not count them against this CVE.
7. Include veth offload settings in audits of container hosts: the ethtool -k output for each veth and its peer shows whether any host runs the risky combination (generic-receive-offload: on on the veth, tcp-segmentation-offload: off on the peer).
8. For critical services, run redundant nodes so that a kernel crash on one host, whether triggered deliberately or by ordinary traffic under the bad configuration, does not take the service down.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-02-29T22:33:44.301Z
- Cisa Enriched: true
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 682d9834c4522896dcbe9cfa
Added to database: 5/21/2025, 9:09:08 AM
Last enriched: 6/30/2025, 9:27:58 PM
Last updated: 8/2/2025, 7:04:48 AM
Views: 13
Related Threats
- CVE-2025-8081: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in elemntor Elementor Website Builder – More Than Just a Page Builder (Medium)
- CVE-2025-6253: CWE-862 Missing Authorization in uicore UiCore Elements – Free Elementor widgets and templates (High)
- CVE-2025-3892: CWE-250: Execution with Unnecessary Privileges in Axis Communications AB AXIS OS (Medium)
- CVE-2025-30027: CWE-1287: Improper Validation of Specified Type of Input in Axis Communications AB AXIS OS (Medium)
- CVE-2025-7622: CWE-918: Server-Side Request Forgery (SSRF) in Axis Communications AB AXIS Camera Station Pro (Medium)