CVE-2021-47146: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

mld: fix panic in mld_newpack()

mld_newpack() doesn't allow to allocate high order page, only order-0 allocation is allowed. If headroom size is too large, a kernel panic could occur in skb_put().

Test commands:

    ip netns del A
    ip netns del B
    ip netns add A
    ip netns add B
    ip link add veth0 type veth peer name veth1
    ip link set veth0 netns A
    ip link set veth1 netns B

    ip netns exec A ip link set lo up
    ip netns exec A ip link set veth0 up
    ip netns exec A ip -6 a a 2001:db8:0::1/64 dev veth0
    ip netns exec B ip link set lo up
    ip netns exec B ip link set veth1 up
    ip netns exec B ip -6 a a 2001:db8:0::2/64 dev veth1
    for i in {1..99}
    do
        let A=$i-1

        ip netns exec A ip link add ip6gre$i type ip6gre \
            local 2001:db8:$A::1 remote 2001:db8:$A::2 encaplimit 100
        ip netns exec A ip -6 a a 2001:db8:$i::1/64 dev ip6gre$i
        ip netns exec A ip link set ip6gre$i up

        ip netns exec B ip link add ip6gre$i type ip6gre \
            local 2001:db8:$A::2 remote 2001:db8:$A::1 encaplimit 100
        ip netns exec B ip -6 a a 2001:db8:$i::2/64 dev ip6gre$i
        ip netns exec B ip link set ip6gre$i up
    done

Splat looks like:

    kernel BUG at net/core/skbuff.c:110!
    invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN PTI
    CPU: 0 PID: 7 Comm: kworker/0:1 Not tainted 5.12.0+ #891
    Workqueue: ipv6_addrconf addrconf_dad_work
    RIP: 0010:skb_panic+0x15d/0x15f
    Code: 92 fe 4c 8b 4c 24 10 53 8b 4d 70 45 89 e0 48 c7 c7 00 ae 79 83 41 57 41 56 41 55 48 8b 54 24 a6 26 f9 ff <0f> 0b 48 8b 6c 24 20 89 34 24 e8 4a 4e 92 fe 8b 34 24 48 c7 c1 20
    RSP: 0018:ffff88810091f820 EFLAGS: 00010282
    RAX: 0000000000000089 RBX: ffff8881086e9000 RCX: 0000000000000000
    RDX: 0000000000000089 RSI: 0000000000000008 RDI: ffffed1020123efb
    RBP: ffff888005f6eac0 R08: ffffed1022fc0031 R09: ffffed1022fc0031
    R10: ffff888117e00187 R11: ffffed1022fc0030 R12: 0000000000000028
    R13: ffff888008284eb0 R14: 0000000000000ed8 R15: 0000000000000ec0
    FS: 0000000000000000(0000) GS:ffff888117c00000(0000) knlGS:0000000000000000
    CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 00007f8b801c5640 CR3: 0000000033c2c006 CR4: 00000000003706f0
    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
    Call Trace:
     ? ip6_mc_hdr.isra.26.constprop.46+0x12a/0x600
     ? ip6_mc_hdr.isra.26.constprop.46+0x12a/0x600
     skb_put.cold.104+0x22/0x22
     ip6_mc_hdr.isra.26.constprop.46+0x12a/0x600
     ? rcu_read_lock_sched_held+0x91/0xc0
     mld_newpack+0x398/0x8f0
     ? ip6_mc_hdr.isra.26.constprop.46+0x600/0x600
     ? lock_contended+0xc40/0xc40
     add_grhead.isra.33+0x280/0x380
     add_grec+0x5ca/0xff0
     ? mld_sendpack+0xf40/0xf40
     ? lock_downgrade+0x690/0x690
     mld_send_initial_cr.part.34+0xb9/0x180
     ipv6_mc_dad_complete+0x15d/0x1b0
     addrconf_dad_completed+0x8d2/0xbb0
     ? lock_downgrade+0x690/0x690
     ? addrconf_rs_timer+0x660/0x660
     ? addrconf_dad_work+0x73c/0x10e0
     addrconf_dad_work+0x73c/0x10e0

Allowing high order page allocation could fix this problem.
AI Analysis
Technical Summary
CVE-2021-47146 is a vulnerability identified in the Linux kernel's handling of IPv6 Multicast Listener Discovery (MLD) packets, specifically within the mld_newpack() function. The vulnerability arises because mld_newpack() restricts memory allocation to order-0 pages only, disallowing higher order page allocations. However, when the headroom size in the socket buffer (skb) is excessively large, this limitation can lead to a kernel panic triggered in the skb_put() function. The panic manifests as a BUG at net/core/skbuff.c, causing an invalid opcode exception and crashing the kernel. This issue can be reproduced by creating multiple network namespaces and virtual Ethernet (veth) pairs, then configuring IPv6 addresses and GRE tunnels as described in the test commands. The root cause is that the kernel code does not properly handle the allocation of larger memory blocks for skb headroom, leading to memory corruption or invalid memory access. The vulnerability affects Linux kernel versions prior to the patch that allows high order page allocations in this context. Although no known exploits are currently reported in the wild, the vulnerability can cause denial of service (DoS) conditions by crashing the kernel, which could be triggered remotely if an attacker can send specially crafted IPv6 MLD packets or manipulate network namespaces and interfaces. This vulnerability is particularly relevant for systems heavily utilizing IPv6 networking features, containerization, or network namespace isolation, such as cloud servers, virtualized environments, and network appliances running Linux kernels with the affected versions.
Potential Impact
For European organizations, the impact of CVE-2021-47146 primarily involves potential denial of service through kernel panics on Linux-based systems. Many European enterprises, cloud providers, and telecom operators rely extensively on Linux servers and network infrastructure that support IPv6 and containerized environments. A successful exploitation could disrupt critical services by crashing affected hosts, leading to downtime, loss of availability, and potential cascading failures in networked systems. This is especially critical for sectors such as finance, healthcare, telecommunications, and government services where uptime and network reliability are paramount. Additionally, organizations deploying Linux-based network appliances or edge devices that handle IPv6 traffic may face increased risk. Although this vulnerability does not appear to allow privilege escalation or remote code execution, the induced kernel panic can be leveraged as a vector for targeted DoS attacks, impacting service continuity and operational resilience.
Mitigation Recommendations
To mitigate CVE-2021-47146, European organizations should:

1) Apply the latest Linux kernel patches that address this vulnerability, specifically those that modify mld_newpack() to permit high order page allocations safely.
2) For environments where immediate patching is not feasible, consider disabling or restricting IPv6 multicast listener discovery features or network namespaces that are not essential, thereby reducing the attack surface.
3) Implement network-level filtering to block or monitor suspicious IPv6 MLD traffic, especially from untrusted sources.
4) Employ robust monitoring and alerting for kernel panics or unusual network namespace activities to detect potential exploitation attempts early.
5) In containerized or virtualized environments, enforce strict network namespace isolation policies and limit the creation of unnecessary virtual interfaces that could be exploited.
6) Coordinate with Linux distribution vendors and infrastructure providers to ensure timely updates and vulnerability management.

These steps go beyond generic advice by focusing on the specific network features and kernel components involved in the vulnerability.
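For the kernel-panic monitoring in item 4, the sketch below (an added example, not part of the advisory or the kernel patch) parses kernel log text and flags only the skb_panic reports whose call trace runs through skb_put() beneath mld_newpack(), as in the splat quoted in the description. The timestamps and the second report, including the caller name example_xmit, are constructed for illustration.

```python
import re

# Markers from the advisory's splat; the skbuff.c line number varies per build, so it is ignored.
BUG_RE = re.compile(r"kernel BUG at (\S+):\d+!")
RIP_RE = re.compile(r"RIP: [0-9a-f]{4}:(\w+)\+0x")
# A leading "? " marks an unreliable frame; .isra/.cold/.part suffixes are dropped.
FRAME_RE = re.compile(r"^(\?\s+)?([A-Za-z_]\w*)(?:\.\w+)*\+0x[0-9a-f]+/0x[0-9a-f]+")
STAMP_RE = re.compile(r"^\[\s*\d+\.\d+\]\s*")  # dmesg timestamp prefix

def parse_splats(log_text):
    """One record per 'kernel BUG at' report: source file, RIP symbol, reliable frames."""
    splats = []
    for chunk in re.split(r"(?=kernel BUG at \S+:\d+!)", log_text)[1:]:
        rip = RIP_RE.search(chunk)
        frames = []
        for raw in chunk.partition("Call Trace:")[2].splitlines()[1:]:
            frame = FRAME_RE.match(STAMP_RE.sub("", raw.strip()))
            if not frame:
                break  # first non-frame line ends the trace
            if not frame.group(1):
                frames.append(frame.group(2))
        splats.append({"file": BUG_RE.search(chunk).group(1),
                       "rip": rip.group(1) if rip else None, "frames": frames})
    return splats

def is_mld_newpack_panic(splat):
    """True when skb_put() reached skb_panic() while called beneath mld_newpack()."""
    f = splat["frames"]
    return (splat["file"] == "net/core/skbuff.c" and splat["rip"] == "skb_panic"
            and "skb_put" in f and "mld_newpack" in f
            and f.index("skb_put") < f.index("mld_newpack"))

# Report 1: lines from the advisory's splat. Report 2 and all timestamps: constructed.
SAMPLE = """\
[  101.000001] kernel BUG at net/core/skbuff.c:110!
[  101.000002] RIP: 0010:skb_panic+0x15d/0x15f
[  101.000003] Call Trace:
[  101.000004]  ? ip6_mc_hdr.isra.26.constprop.46+0x12a/0x600
[  101.000005]  skb_put.cold.104+0x22/0x22
[  101.000006]  ip6_mc_hdr.isra.26.constprop.46+0x12a/0x600
[  101.000007]  mld_newpack+0x398/0x8f0
[  202.000001] kernel BUG at net/core/skbuff.c:110!
[  202.000002] RIP: 0010:skb_panic+0x15d/0x15f
[  202.000003] Call Trace:
[  202.000004]  skb_put.cold.104+0x22/0x22
[  202.000005]  example_xmit+0x40/0x100
"""
if __name__ == "__main__":
    print([is_mld_newpack_panic(s) for s in parse_splats(SAMPLE)])
```

Feed it the text of a saved console or pstore log from a crashed host; matching on the frame names rather than the BUG line alone keeps other skb_put() overruns from being attributed to this CVE.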
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-03-04T18:12:48.845Z
- CISA Enriched: true
- CVSS Version: null
- State: PUBLISHED
Threat ID: 682d9834c4522896dcbe9e97
Added to database: 5/21/2025, 9:09:08 AM
Last enriched: 6/26/2025, 7:21:49 PM
Last updated: 8/7/2025, 12:32:12 PM