CVE-2021-47131: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

net/tls: Fix use-after-free after the TLS device goes down and up

When a netdev with active TLS offload goes down, tls_device_down is called to stop the offload and tear down the TLS context. However, the socket stays alive, and it still points to the TLS context, which is now deallocated. If a netdev goes up, while the connection is still active, and the data flow resumes after a number of TCP retransmissions, it will lead to a use-after-free of the TLS context.

This commit addresses this bug by keeping the context alive until its normal destruction, and implements the necessary fallbacks, so that the connection can resume in software (non-offloaded) kTLS mode.

On the TX side tls_sw_fallback is used to encrypt all packets. The RX side already has all the necessary fallbacks, because receiving non-decrypted packets is supported. The thing needed on the RX side is to block resync requests, which are normally produced after receiving non-decrypted packets.

The necessary synchronization is implemented for a graceful teardown: first the fallbacks are deployed, then the driver resources are released (it used to be possible to have a tls_dev_resync after tls_dev_del).

A new flag called TLS_RX_DEV_DEGRADED is added to indicate the fallback mode. It's used to skip the RX resync logic completely, as it becomes useless, and some objects may be released (for example, resync_async, which is allocated and freed by the driver).
AI Analysis
Technical Summary
CVE-2021-47131 is a vulnerability in the Linux kernel's implementation of TLS offloading on network devices. The issue arises when a network device (netdev) with active TLS offload goes down and then comes back up while a TLS connection is still active. Specifically, when the netdev goes down, the kernel calls tls_device_down to stop the TLS offload and tear down the TLS context. However, the socket remains active and continues to reference the now deallocated TLS context, leading to a use-after-free condition. If the netdev comes back up and data flow resumes after TCP retransmissions, this dangling pointer can be dereferenced, causing memory corruption and potentially leading to system instability or privilege escalation. The fix involves keeping the TLS context alive until its normal destruction and implementing fallbacks to software-based (non-offloaded) kernel TLS (kTLS) mode to allow the connection to resume safely. On the transmit (TX) side, the fallback encrypts all packets in software, while on the receive (RX) side, the kernel blocks resynchronization requests that would normally occur after receiving non-decrypted packets. A new flag, TLS_RX_DEV_DEGRADED, was introduced to indicate fallback mode and to skip RX resync logic, preventing use-after-free scenarios. Synchronization improvements ensure a graceful teardown sequence, preventing race conditions where resync operations could occur after device deletion. This vulnerability affects Linux kernel versions containing the specified commit hash and is relevant to systems using TLS offload on network devices. No known exploits are reported in the wild as of the publication date.
Potential Impact
For European organizations, this vulnerability poses a risk primarily to servers and network appliances running Linux kernels with TLS offload enabled on network devices. Exploitation could lead to kernel memory corruption, causing system crashes or potential privilege escalation, which could be leveraged for further compromise. This is particularly critical for data centers, cloud providers, and enterprises relying on high-performance TLS offloading for secure communications. Disruption of TLS connections could impact confidentiality and availability of sensitive data transmissions. Given the kernel-level nature of the flaw, successful exploitation could undermine the integrity and availability of critical infrastructure services. Organizations handling sensitive personal data under GDPR could face compliance risks if this vulnerability leads to data breaches or service outages. However, the absence of known exploits and the complexity of triggering the use-after-free condition may limit immediate widespread impact. Still, the vulnerability warrants prompt attention to prevent future exploitation, especially in environments with high network throughput and TLS offloading enabled.
Mitigation Recommendations
European organizations should prioritize updating their Linux kernels to versions where this vulnerability is patched. Since the vulnerability involves TLS offload on network devices, administrators should audit their systems to identify if TLS offloading is enabled and in use. If TLS offload is not essential, consider disabling it temporarily until patches are applied. For systems requiring TLS offload, ensure that kernel updates include the fix that maintains TLS context lifecycle and fallback mechanisms. Network device drivers should also be updated to versions compatible with the patched kernel to avoid synchronization issues. Monitoring kernel logs for unusual TLS device state changes or network device flapping can help detect attempts to trigger the vulnerability. Implementing strict access controls and limiting administrative privileges reduces the risk of exploitation. Additionally, organizations should test updates in staging environments to validate fallback behavior and avoid unintended service disruptions. Maintaining robust backup and recovery procedures is advisable to mitigate potential service outages resulting from exploitation attempts.
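The audit and temporary-disable steps above, as an added shell helper that is not part of this advisory or of the kernel fix: it reads `ethtool -k` output and /proc/net/tls_stat to report whether a NIC has TLS hardware offload enabled and how many kTLS sessions are currently offloaded. The `tls-hw-*` feature names and the `TlsCurr*Device` counters are the kernel's own; the interface name eth0 and the sample values are constructed so the script also runs offline.

```shell
#!/bin/sh
# Added audit helper (not from the advisory): is TLS hardware offload on, and in use?

# Print "on"/"off" for one feature in `ethtool -k` text read from stdin
# (lines look like "tls-hw-rx-offload: off [fixed]"); "absent" if not listed.
tls_feature_state() {
    awk -v f="$1:" '$1 == f { print $2; found = 1 } END { if (!found) print "absent" }'
}

# Succeed (exit 0) if either the TX or the RX TLS offload feature is on.
tls_offload_enabled() {
    tx=$(printf '%s\n' "$1" | tls_feature_state tls-hw-tx-offload)
    rx=$(printf '%s\n' "$1" | tls_feature_state tls-hw-rx-offload)
    [ "$tx" = "on" ] || [ "$rx" = "on" ]
}

# Sum currently offloaded sessions (TlsCurrTxDevice + TlsCurrRxDevice)
# from /proc/net/tls_stat-style text.
tls_device_sessions() {
    printf '%s\n' "$1" | awk '$1 == "TlsCurrTxDevice" || $1 == "TlsCurrRxDevice" { n += $2 } END { print n + 0 }'
}

# Constructed samples standing in for `ethtool -k eth0` and /proc/net/tls_stat.
SAMPLE_ETHTOOL='Features for eth0:
rx-checksumming: on
tls-hw-tx-offload: on
tls-hw-rx-offload: off [fixed]
tls-hw-record: off [fixed]'
SAMPLE_TLS_STAT='TlsCurrTxSw 2
TlsCurrRxSw 2
TlsCurrTxDevice 5
TlsCurrRxDevice 0
TlsTxDevice 40
TlsRxDeviceResync 0'

# $1 = interface name, $2 = ethtool -k output, $3 = tls_stat contents
audit_iface() {
    if tls_offload_enabled "$2"; then
        echo "$1: TLS hardware offload ENABLED; $(tls_device_sessions "$3") offloaded session(s) active"
        echo "$1: until the kernel is patched, consider: ethtool -K $1 tls-hw-tx-offload off tls-hw-rx-offload off"
    else
        echo "$1: TLS hardware offload not enabled; the CVE-2021-47131 device path is not reachable"
    fi
}

audit_iface eth0 "$SAMPLE_ETHTOOL" "$SAMPLE_TLS_STAT"
# Live use: audit_iface eth0 "$(ethtool -k eth0)" "$(cat /proc/net/tls_stat)"
```

Disabling offload with `ethtool -K` only moves new sessions to software kTLS; it does not change the CVSS-free fact that the real remedy is the patched kernel.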
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-03-04T18:12:48.840Z
- Cisa Enriched: true
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9834c4522896dcbe9e0f
Added to database: 5/21/2025, 9:09:08 AM
Last enriched: 6/26/2025, 7:51:23 PM
Last updated: 7/26/2025, 7:38:29 PM