CVE-2021-47136: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

net: zero-initialize tc skb extension on allocation

Function skb_ext_add() doesn't initialize created skb extension with any value and leaves it up to the user. However, since extension of type TC_SKB_EXT originally contained only single value tc_skb_ext->chain its users used to just assign the chain value without setting whole extension memory to zero first. This assumption changed when TC_SKB_EXT extension was extended with additional fields but not all users were updated to initialize the new fields which leads to use of uninitialized memory afterwards.

UBSAN log:

[ 778.299821] UBSAN: invalid-load in net/openvswitch/flow.c:899:28
[ 778.301495] load of value 107 is not a valid value for type '_Bool'
[ 778.303215] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.12.0-rc7+ #2
[ 778.304933] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
[ 778.307901] Call Trace:
[ 778.308680] <IRQ>
[ 778.309358] dump_stack+0xbb/0x107
[ 778.310307] ubsan_epilogue+0x5/0x40
[ 778.311167] __ubsan_handle_load_invalid_value.cold+0x43/0x48
[ 778.312454] ? memset+0x20/0x40
[ 778.313230] ovs_flow_key_extract.cold+0xf/0x14 [openvswitch]
[ 778.314532] ovs_vport_receive+0x19e/0x2e0 [openvswitch]
[ 778.315749] ? ovs_vport_find_upcall_portid+0x330/0x330 [openvswitch]
[ 778.317188] ? create_prof_cpu_mask+0x20/0x20
[ 778.318220] ? arch_stack_walk+0x82/0xf0
[ 778.319153] ? secondary_startup_64_no_verify+0xb0/0xbb
[ 778.320399] ? stack_trace_save+0x91/0xc0
[ 778.321362] ? stack_trace_consume_entry+0x160/0x160
[ 778.322517] ? lock_release+0x52e/0x760
[ 778.323444] netdev_frame_hook+0x323/0x610 [openvswitch]
[ 778.324668] ? ovs_netdev_get_vport+0xe0/0xe0 [openvswitch]
[ 778.325950] __netif_receive_skb_core+0x771/0x2db0
[ 778.327067] ? lock_downgrade+0x6e0/0x6f0
[ 778.328021] ? lock_acquire+0x565/0x720
[ 778.328940] ? generic_xdp_tx+0x4f0/0x4f0
[ 778.329902] ? inet_gro_receive+0x2a7/0x10a0
[ 778.330914] ? lock_downgrade+0x6f0/0x6f0
[ 778.331867] ? udp4_gro_receive+0x4c4/0x13e0
[ 778.332876] ? lock_release+0x52e/0x760
[ 778.333808] ? dev_gro_receive+0xcc8/0x2380
[ 778.334810] ? lock_downgrade+0x6f0/0x6f0
[ 778.335769] __netif_receive_skb_list_core+0x295/0x820
[ 778.336955] ? process_backlog+0x780/0x780
[ 778.337941] ? mlx5e_rep_tc_netdevice_event_unregister+0x20/0x20 [mlx5_core]
[ 778.339613] ? seqcount_lockdep_reader_access.constprop.0+0xa7/0xc0
[ 778.341033] ? kvm_clock_get_cycles+0x14/0x20
[ 778.342072] netif_receive_skb_list_internal+0x5f5/0xcb0
[ 778.343288] ? __kasan_kmalloc+0x7a/0x90
[ 778.344234] ? mlx5e_handle_rx_cqe_mpwrq+0x9e0/0x9e0 [mlx5_core]
[ 778.345676] ? mlx5e_xmit_xdp_frame_mpwqe+0x14d0/0x14d0 [mlx5_core]
[ 778.347140] ? __netif_receive_skb_list_core+0x820/0x820
[ 778.348351] ? mlx5e_post_rx_mpwqes+0xa6/0x25d0 [mlx5_core]
[ 778.349688] ? napi_gro_flush+0x26c/0x3c0
[ 778.350641] napi_complete_done+0x188/0x6b0
[ 778.351627] mlx5e_napi_poll+0x373/0x1b80 [mlx5_core]
[ 778.352853] __napi_poll+0x9f/0x510
[ 778.353704] ? mlx5_flow_namespace_set_mode+0x260/0x260 [mlx5_core]
[ 778.355158] net_rx_action+0x34c/0xa40
[ 778.356060] ? napi_threaded_poll+0x3d0/0x3d0
[ 778.357083] ? sched_clock_cpu+0x18/0x190
[ 778.358041] ? __common_interrupt+0x8e/0x1a0
[ 778.359045] __do_softirq+0x1ce/0x984
[ 778.359938] __irq_exit_rcu+0x137/0x1d0
[ 778.360865] irq_exit_rcu+0xa/0x20
[ 778.361708] common_interrupt+0x80/0xa0
[ 778.362640] </IRQ>
[ 778.363212] asm_common_interrupt+0x1e/0x40
[ 778.364204] RIP: 0010:native_safe_halt+0xe/0x10
[ 778.365273] Code: 4f ff ff ff 4c 89 e7 e8 50 3f 40 fe e9 dc fe ff ff 48 89 df e8 43 3f 40 fe eb 90 cc e9 07 00 00 00 0f 00 2d 74 05 62 00 fb f4 <c3> 90 e9 07 00 00 00 0f 00 2d 64 05 62 00 f4 c3 cc cc 0f 1f 44 00
[ 778.369355] RSP: 0018:ffffffff84407e48 EFLAGS: 00000246
[ 778.370570] RAX ---truncated---
AI Analysis
Technical Summary
CVE-2021-47136 is a vulnerability in the Linux kernel related to the handling of traffic control (tc) socket buffer (skb) extensions. Specifically, the function skb_ext_add() allocates a new skb extension but does not zero-initialize the memory for the extension. Originally, the TC_SKB_EXT extension contained only a single field, tc_skb_ext->chain, which users typically assigned directly without zeroing the entire extension memory. However, when the TC_SKB_EXT structure was extended with additional fields, not all users of this extension were updated to initialize these new fields properly. This oversight leads to the use of uninitialized memory, which can cause undefined behavior, including invalid loads and potential memory corruption.

The vulnerability was detected through Undefined Behavior Sanitizer (UBSAN) logs showing invalid loads of boolean values from uninitialized memory within the Open vSwitch (openvswitch) kernel module, which interacts with the tc skb extensions. The issue arises during packet processing in the networking stack, particularly when Open vSwitch extracts flow keys or processes network packets.

While the vulnerability does not have a CVSS score assigned, it is a memory initialization flaw that could lead to kernel crashes or unpredictable behavior in network packet processing. There is no evidence of known exploits in the wild as of the published date. The vulnerability affects specific Linux kernel versions identified by commit hashes, and it was publicly disclosed in March 2024. The root cause is a failure to zero-initialize newly added fields in a kernel data structure used in networking, which can lead to use of uninitialized memory and potential instability or security issues in affected Linux systems running Open vSwitch or similar components relying on tc skb extensions.
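The failure mode described above, as an added userspace C model (not kernel code, and not taken from the advisory or the kernel patch): a caller that only assigns chain leaves the later-added fields holding whatever the allocator returned, while zeroing on allocation removes the stale value. All type, function and added-field names are hypothetical, and the stale byte 0x6b (107) is chosen to match the value in the UBSAN log.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Userspace model only; every name below is hypothetical, not kernel code. */
#define STALE_BYTE 0x6b /* 107, chosen to match the value in the UBSAN log */

struct tc_ext_model {
    uint32_t chain;      /* the original, single field */
    uint16_t added_val;  /* fields added later (names assumed) */
    bool     added_flag;
};

/* Models skb_ext_add(): hands back memory holding stale bytes, never zeroed. */
static struct tc_ext_model *ext_add_model(void)
{
    struct tc_ext_model *ext = malloc(sizeof(*ext));
    if (ext)
        memset(ext, STALE_BYTE, sizeof(*ext));
    return ext;
}

/* Caller pattern from the description: assign chain and nothing else. */
static struct tc_ext_model *set_chain(uint32_t chain, bool zero_on_alloc)
{
    struct tc_ext_model *ext = ext_add_model();
    if (!ext)
        return NULL;
    if (zero_on_alloc)                 /* the fix: zero on allocation */
        memset(ext, 0, sizeof(*ext));
    ext->chain = chain;                /* the only field old callers set */
    return ext;
}

/* Returns the raw byte stored in added_flag after set_chain(), or -1 on
 * allocation failure. Read via memcpy so the model never loads 107 as a bool. */
static int flag_byte_after_set_chain(bool zero_on_alloc)
{
    struct tc_ext_model *ext = set_chain(5, zero_on_alloc);
    unsigned char raw = 0;
    if (!ext) return -1;
    memcpy(&raw, &ext->added_flag, sizeof(raw));
    free(ext);
    return raw;
}

int main(void)
{
    printf("raw alloc: %d, zeroed alloc: %d\n", flag_byte_after_set_chain(false), flag_byte_after_set_chain(true));
    return 0;
}
```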
Potential Impact
For European organizations, this vulnerability poses risks primarily to systems running Linux kernels with affected versions, especially those utilizing Open vSwitch or similar networking components that handle traffic control skb extensions. The impact includes potential kernel crashes or undefined behavior during network packet processing, which could lead to denial of service (DoS) conditions on critical infrastructure, including data centers, cloud environments, and enterprise networks. Organizations relying on Linux-based network virtualization, software-defined networking (SDN), or container orchestration platforms that use Open vSwitch are particularly at risk. While there is no indication of remote code execution or privilege escalation directly from this vulnerability, the instability caused by uninitialized memory usage can disrupt network services, impacting availability and operational continuity. Given the widespread use of Linux in European governmental, financial, telecommunications, and industrial sectors, any disruption in network infrastructure could have cascading effects on business operations and critical services. Furthermore, the lack of a patch or mitigation at the time of disclosure increases the urgency for organizations to assess exposure and implement compensating controls to minimize risk.
Mitigation Recommendations
1. Immediate assessment of Linux kernel versions in use across all infrastructure to identify systems running affected versions.
2. Apply official Linux kernel updates or patches as soon as they become available from trusted sources or Linux distribution vendors.
3. If patching is not immediately possible, consider disabling or limiting the use of Open vSwitch or other components that rely on tc skb extensions to reduce exposure.
4. Implement network segmentation and strict access controls to limit exposure of vulnerable systems to untrusted networks.
5. Monitor kernel logs and system behavior for signs of instability or crashes related to network packet processing.
6. Employ kernel hardening techniques such as Kernel Address Sanitizer (KASAN) or other runtime memory error detection tools in test environments to detect similar issues proactively.
7. Engage with Linux distribution security teams to track patch releases and advisories related to this vulnerability.
8. For critical environments, consider deploying intrusion detection systems (IDS) with signatures or heuristics to detect anomalous network behavior that could be linked to exploitation attempts or instability caused by this vulnerability.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-03-04T18:12:48.840Z
- Cisa Enriched: true
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9821c4522896dcbde05a
Added to database: 5/21/2025, 9:08:49 AM
Last enriched: 6/28/2025, 4:56:03 AM
Last updated: 8/15/2025, 3:48:36 AM