CVE-2021-47129: Vulnerability in Linux Linux

Severity: Medium
Published: Fri Mar 15 2024 (03/15/2024, 20:14:33 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nft_ct: skip expectations for confirmed conntrack

nft_ct_expect_obj_eval() calls nf_ct_ext_add() for a confirmed conntrack entry. However, nf_ct_ext_add() can only be called for !nf_ct_is_confirmed().

  [ 1825.349056] WARNING: CPU: 0 PID: 1279 at net/netfilter/nf_conntrack_extend.c:48 nf_ct_xt_add+0x18e/0x1a0 [nf_conntrack]
  [ 1825.351391] RIP: 0010:nf_ct_ext_add+0x18e/0x1a0 [nf_conntrack]
  [ 1825.351493] Code: 41 5c 41 5d 41 5e 41 5f c3 41 bc 0a 00 00 00 e9 15 ff ff ff ba 09 00 00 00 31 f6 4c 89 ff e8 69 6c 3d e9 eb 96 45 31 ed eb cd <0f> 0b e9 b1 fe ff ff e8 86 79 14 e9 eb bf 0f 1f 40 00 0f 1f 44 00
  [ 1825.351721] RSP: 0018:ffffc90002e1f1e8 EFLAGS: 00010202
  [ 1825.351790] RAX: 000000000000000e RBX: ffff88814f5783c0 RCX: ffffffffc0e4f887
  [ 1825.351881] RDX: dffffc0000000000 RSI: 0000000000000008 RDI: ffff88814f578440
  [ 1825.351971] RBP: 0000000000000000 R08: 0000000000000000 R09: ffff88814f578447
  [ 1825.352060] R10: ffffed1029eaf088 R11: 0000000000000001 R12: ffff88814f578440
  [ 1825.352150] R13: ffff8882053f3a00 R14: 0000000000000000 R15: 0000000000000a20
  [ 1825.352240] FS:  00007f992261c900(0000) GS:ffff889faec00000(0000) knlGS:0000000000000000
  [ 1825.352343] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  [ 1825.352417] CR2: 000056070a4d1158 CR3: 000000015efe0000 CR4: 0000000000350ee0
  [ 1825.352508] Call Trace:
  [ 1825.352544]  nf_ct_helper_ext_add+0x10/0x60 [nf_conntrack]
  [ 1825.352641]  nft_ct_expect_obj_eval+0x1b8/0x1e0 [nft_ct]
  [ 1825.352716]  nft_do_chain+0x232/0x850 [nf_tables]

Add the ct helper extension only for unconfirmed conntrack. Skip rule evaluation if the ct helper extension does not exist. Thus, you can only create expectations from the first packet.

It should be possible to remove this limitation by adding a new action to attach a generic ct helper to the first packet. Then, use this ct helper extension from follow up packets to create the ct expectation.

While at it, add a missing check to skip the template conntrack too and remove check for IPCT_UNTRACK which is implicit to !ct.

AI-Powered Analysis

Last updated: 06/27/2025, 13:02:49 UTC

Technical Analysis

CVE-2021-47129 is a medium severity vulnerability in the Linux kernel's netfilter subsystem, specifically in the nftables connection tracking (conntrack) code. The issue is in nft_ct_expect_obj_eval(), which calls nf_ct_ext_add() on a conntrack entry that is already confirmed, even though nf_ct_ext_add() may only be called on unconfirmed entries (!nf_ct_is_confirmed()). Violating that precondition trips the kernel warning shown in the description; on kernels booted with panic_on_warn the warning escalates to a panic, so the practical effect is a kernel warning or crash, i.e. instability or denial of service caused by an invalid state transition. The patch adds the conntrack helper extension only for unconfirmed entries and skips rule evaluation when the helper extension is absent, which limits the creation of expectations to the first packet of a connection and prevents the erroneous state change. The commit message also notes a possible future improvement: a new action that attaches a generic conntrack helper to the first packet so that follow-up packets can safely create expectations. In addition, the fix skips template conntrack entries and removes a redundant check for the IPCT_UNTRACK flag. The vulnerability has a CVSS 3.1 score of 4.6 (medium severity), with a network attack vector, low attack complexity, privileges and user interaction required, and an impact on confidentiality and integrity but not availability. No known exploits are reported in the wild at this time.

Potential Impact

For European organizations, this vulnerability could lead to kernel instability or denial of service on Linux systems that utilize nftables for firewalling and connection tracking, which is common in enterprise and cloud environments. The flaw could be exploited by an attacker with some level of local privileges and user interaction to cause unexpected behavior in network packet processing, potentially disrupting network services or enabling further privilege escalation or information leakage. While the direct impact on confidentiality and integrity is limited (partial impact), the disruption of network filtering and connection tracking could affect critical infrastructure, especially in sectors relying heavily on Linux-based firewalls and routers. Given the widespread use of Linux in European data centers, telecommunications, and government networks, unpatched systems could face service interruptions or be leveraged as a stepping stone for more advanced attacks. However, the requirement for privileges and user interaction reduces the risk of remote exploitation without prior access.

Mitigation Recommendations

European organizations should prioritize applying the Linux kernel patches that address CVE-2021-47129 as soon as they become available from their Linux distribution vendors. Since this vulnerability affects the netfilter conntrack subsystem, organizations should audit their firewall and network filtering configurations to minimize exposure. Specifically, they should:

1) Ensure that only trusted users have privileges to interact with nftables and connection tracking features to reduce the risk of exploitation.
2) Monitor kernel logs for warnings related to nf_conntrack to detect potential exploitation attempts or instability.
3) Employ kernel hardening techniques such as SELinux or AppArmor to restrict access to network subsystem interfaces.
4) In environments where immediate patching is not feasible, consider temporarily disabling nftables connection tracking features if operationally acceptable.
5) Maintain strict user privilege management and limit user interaction paths that could trigger this vulnerability.
6) Regularly update Linux systems and monitor vendor advisories for backported fixes or mitigations.

These steps go beyond generic advice by focusing on controlling access to the vulnerable subsystem, monitoring for exploitation signs, and adjusting configurations to reduce attack surface.
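Recommendation 2 is more useful if the log monitor keys on the exact splat quoted in the description rather than on any nf_conntrack warning. The script below is an added example, not code from the advisory or the kernel project: it groups dmesg lines into WARNING events with their call-trace frames and keeps only those raised in net/netfilter/nf_conntrack_extend.c whose trace passes through nft_ct_expect_obj_eval. It assumes the default `[ seconds]` dmesg timestamp format; the sample input is constructed from the trace on this page plus one made-up unrelated warning, and frame names may differ slightly across kernel versions.

```python
import re

# Constructed sample dmesg excerpt: the first warning is the one quoted in the
# CVE description (addresses as they appear there); the second is a made-up,
# unrelated nf_conntrack warning that a plain "grep nf_conntrack" would also flag.
SAMPLE_DMESG = """\
[ 1825.349056] WARNING: CPU: 0 PID: 1279 at net/netfilter/nf_conntrack_extend.c:48 nf_ct_xt_add+0x18e/0x1a0 [nf_conntrack]
[ 1825.351391] RIP: 0010:nf_ct_ext_add+0x18e/0x1a0 [nf_conntrack]
[ 1825.352508] Call Trace:
[ 1825.352544]  nf_ct_helper_ext_add+0x10/0x60 [nf_conntrack]
[ 1825.352641]  nft_ct_expect_obj_eval+0x1b8/0x1e0 [nft_ct]
[ 1825.352716]  nft_do_chain+0x232/0x850 [nf_tables]
[ 1900.000001] WARNING: CPU: 2 PID: 42 at net/netfilter/nf_conntrack_core.c:999 fake_fn+0x10/0x20 [nf_conntrack]
[ 1900.000002] Call Trace:
[ 1900.000003]  fake_caller+0x1/0x2 [nf_conntrack]
"""

# Header of a kernel WARN splat:
# "[ ts] WARNING: CPU: n PID: m at file.c:line symbol+0xoff/0xsize [module]"
WARN_RE = re.compile(
    r"^\[\s*(?P<ts>[\d.]+)\]\s+WARNING: CPU: (?P<cpu>\d+) PID: (?P<pid>\d+)"
    r" at (?P<loc>\S+) (?P<sym>\S+)")
# One call-trace frame: "[ ts]  symbol+0xoff/0xsize [module]"
# (lines such as "RIP: 0010:..." or "Call Trace:" do not match because the
# text after the timestamp is not "identifier+0x").
FRAME_RE = re.compile(r"^\[\s*[\d.]+\]\s+(?P<sym>[A-Za-z_][\w.]*)\+0x")


def parse_warnings(text):
    """Group dmesg lines into WARNING events, each with its call-trace symbols."""
    events = []
    for line in text.splitlines():
        m = WARN_RE.match(line)
        if m:
            events.append({"ts": float(m["ts"]), "pid": int(m["pid"]),
                           "loc": m["loc"], "sym": m["sym"], "frames": []})
            continue
        f = FRAME_RE.match(line)
        if f and events:  # frames belong to the most recent WARNING header
            events[-1]["frames"].append(f["sym"])
    return events


def find_cve_2021_47129_signature(text):
    """Keep only warnings raised in nf_conntrack_extend.c whose call trace
    goes through nft_ct_expect_obj_eval, i.e. the path this CVE describes."""
    return [e for e in parse_warnings(text)
            if e["loc"].startswith("net/netfilter/nf_conntrack_extend.c:")
            and "nft_ct_expect_obj_eval" in e["frames"]]
```

On a live host, pass the output of `dmesg` (or a journal export) to find_cve_2021_47129_signature() instead of SAMPLE_DMESG; a non-empty result is worth a ticket, since the unpatched path is reachable from ordinary rule evaluation.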

Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-03-04T18:12:48.839Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d9834c4522896dcbe9dfe

Added to database: 5/21/2025, 9:09:08 AM

Last enriched: 6/27/2025, 1:02:49 PM

Last updated: 8/6/2025, 4:37:24 AM
