
CVE-2021-47162: Vulnerability in Linux (Linux kernel)

High
Published: Mon Mar 25 2024 (03/25/2024, 09:16:15 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

tipc: skb_linearize the head skb when reassembling msgs

It's not a good idea to append the frag skb to a skb's frag_list if the frag_list already has skbs from elsewhere, such as when this skb was created by pskb_copy() where the frag_list was cloned (all the skbs in it were skb_get'ed) and shared by multiple skbs. However, the new appended frag skb should have been only seen by the current skb. Otherwise, it will cause use-after-free crashes, as this appended frag skb is seen by multiple skbs but it only got skb_get called once.

The same thing happens with a skb updated by pskb_may_pull() with a skb_cloned skb.

Li Shuang has reported quite a few crashes caused by this when doing testing over macvlan devices:

  [] kernel BUG at net/core/skbuff.c:1970!
  [] Call Trace:
  [] skb_clone+0x4d/0xb0
  [] macvlan_broadcast+0xd8/0x160 [macvlan]
  [] macvlan_process_broadcast+0x148/0x150 [macvlan]
  [] process_one_work+0x1a7/0x360
  [] worker_thread+0x30/0x390

  [] kernel BUG at mm/usercopy.c:102!
  [] Call Trace:
  [] __check_heap_object+0xd3/0x100
  [] __check_object_size+0xff/0x16b
  [] simple_copy_to_iter+0x1c/0x30
  [] __skb_datagram_iter+0x7d/0x310
  [] __skb_datagram_iter+0x2a5/0x310
  [] skb_copy_datagram_iter+0x3b/0x90
  [] tipc_recvmsg+0x14a/0x3a0 [tipc]
  [] ____sys_recvmsg+0x91/0x150
  [] ___sys_recvmsg+0x7b/0xc0

  [] kernel BUG at mm/slub.c:305!
  [] Call Trace:
  [] <IRQ>
  [] kmem_cache_free+0x3ff/0x400
  [] __netif_receive_skb_core+0x12c/0xc40
  [] ? kmem_cache_alloc+0x12e/0x270
  [] netif_receive_skb_internal+0x3d/0xb0
  [] ? get_rx_page_info+0x8e/0xa0 [be2net]
  [] be_poll+0x6ef/0xd00 [be2net]
  [] ? irq_exit+0x4f/0x100
  [] net_rx_action+0x149/0x3b0
  ...

This patch is to fix it by linearizing the head skb if it has frag_list set in tipc_buf_append(). Note that we choose to do this before calling skb_unshare(), as __skb_linearize() will avoid skb_copy(). Also, we can not just drop the frag_list either as the early time.

AI-Powered Analysis

Last updated: 06/28/2025, 04:56:12 UTC

Technical Analysis

CVE-2021-47162 is a vulnerability in the Linux kernel's handling of socket buffers (skbs) within the Transparent Inter-Process Communication (TIPC) protocol implementation. The issue arises when the kernel appends a fragment skb to an skb's frag_list that already contains skbs originating from other sources, such as when the skb was created by pskb_copy() and the frag_list was cloned and shared among multiple skbs. In that case the appended fragment ends up visible to every skb sharing the frag_list, but its reference count is incremented only once (a single skb_get call), so the first holder to release it frees memory the others still reference: a use-after-free. This can cause kernel crashes (BUGs) and memory corruption. The same problem occurs when an skb is updated by pskb_may_pull() on a cloned skb. The vulnerability was identified through testing on macvlan devices, which triggered kernel BUGs in several subsystems, including net/core/skbuff.c, mm/usercopy.c, and mm/slub.c. The root cause is improper management of skb frag_list references, leading to double-free or use-after-free scenarios. The patch fixes the issue in tipc_buf_append() by linearizing the head skb if it has a frag_list set, before calling skb_unshare(), so that the shared frag_list is no longer appended to and __skb_linearize() avoids a full skb_copy(). The vulnerability affects multiple Linux kernel versions as indicated by the affected commit hashes. No known exploits are reported in the wild as of the publication date (March 25, 2024).

Potential Impact

For European organizations, this vulnerability poses a risk primarily to systems running vulnerable Linux kernel versions that utilize the TIPC protocol or macvlan network devices. The impact includes potential kernel crashes leading to denial of service (DoS) conditions, which can disrupt critical services and applications relying on Linux servers. In environments where Linux is used for network infrastructure, cloud services, or container orchestration (e.g., Kubernetes clusters using macvlan networking), this vulnerability could lead to instability and service interruptions. Although no remote code execution or privilege escalation is directly indicated, the use-after-free condition could be leveraged in complex attack chains to compromise system integrity. The vulnerability requires local or network-level interaction with the affected kernel networking stack, which may be exploited by attackers with access to the network or the ability to send crafted packets. Given the widespread use of Linux in European enterprises, cloud providers, and government infrastructure, unpatched systems could face operational disruptions and increased risk of targeted attacks exploiting this flaw.

Mitigation Recommendations

1. Immediate patching: Apply the official Linux kernel patches that address CVE-2021-47162 as soon as they become available from trusted sources or Linux distribution vendors.
2. Kernel version upgrade: Upgrade to a Linux kernel version that includes the fix for this vulnerability.
3. Network segmentation: Limit exposure of vulnerable systems by segmenting networks and restricting access to services that utilize TIPC or macvlan devices.
4. Disable unused protocols: If TIPC is not required, disable it to reduce the attack surface.
5. Monitor kernel logs: Implement monitoring for kernel BUG messages and crashes related to skbuff or macvlan to detect potential exploitation attempts.
6. Harden container networking: For containerized environments using macvlan, review and harden network configurations to prevent malicious packet injection.
7. Incident response readiness: Prepare for potential denial of service incidents by having failover and recovery procedures in place for critical Linux-based services.
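Recommendation 5 asks for monitoring of kernel BUG messages tied to skbuff, TIPC or macvlan. The following is an added example, not code from this page or from the kernel project: it parses a dmesg-style excerpt, groups each "kernel BUG at" line with the call-trace frames that follow it, and flags reports whose BUG site or frames match those quoted in the description above. The log sample and its timestamps are constructed.

```python
import re
from dataclasses import dataclass, field

BUG_RE = re.compile(r"kernel BUG at (?P<loc>[\w./-]+:\d+)!")
# Timestamp prefix, optional "? " (unreliable frame marker), then "symbol+0xoff/0xlen [module]".
FRAME_RE = re.compile(r"^\[[^\]]*\]\s+(?:\?\s+)?(?P<frame>[\w.]+\+0x[0-9a-f]+/0x[0-9a-f]+(?:\s+\[\w+\])?)")
# BUG sites quoted in the CVE description, and the code paths the traces pass through.
SUSPECT_FILES = {"net/core/skbuff.c", "mm/usercopy.c", "mm/slub.c"}
SUSPECT_MODULE_TAGS = ("[tipc]", "[macvlan]")
SUSPECT_PREFIXES = ("skb_", "__skb_", "tipc_", "macvlan_")

@dataclass
class BugEvent:
    location: str                                # file:line from "kernel BUG at ..."
    frames: list = field(default_factory=list)   # call-trace frames, innermost first

    def is_skb_related(self) -> bool:
        # BUG site, module tag or symbol prefix ties the crash to skb/TIPC/macvlan code.
        return (self.location.split(":")[0] in SUSPECT_FILES
                or any(f.startswith(SUSPECT_PREFIXES) or f.endswith(SUSPECT_MODULE_TAGS)
                       for f in self.frames))

def parse_bug_events(log: str) -> list:
    # Group each "kernel BUG at" line with the Call Trace frames that follow it.
    events, current, in_trace = [], None, False
    for line in log.splitlines():
        if m := BUG_RE.search(line):
            current = BugEvent(location=m.group("loc"))
            events.append(current)
        elif current is not None and "Call Trace:" in line:
            in_trace = True
        elif in_trace and (m := FRAME_RE.match(line)):
            current.frames.append(m.group("frame"))
        else:
            in_trace = False                     # any other line ends the trace
    return events

def find_skb_related_bugs(log: str) -> list:
    return [e for e in parse_bug_events(log) if e.is_skb_related()]

# Constructed dmesg excerpt: invented timestamps, frames from the CVE description,
# plus one unrelated BUG that must not be flagged.
SAMPLE_DMESG = """\
[ 1201.114532] kernel BUG at net/core/skbuff.c:1970!
[ 1201.114540] Call Trace:
[ 1201.114549]  skb_clone+0x4d/0xb0
[ 1201.114556]  macvlan_broadcast+0xd8/0x160 [macvlan]
[ 1402.220011] kernel BUG at mm/usercopy.c:102!
[ 1402.220020] Call Trace:
[ 1402.220041]  skb_copy_datagram_iter+0x3b/0x90
[ 1402.220048]  tipc_recvmsg+0x14a/0x3a0 [tipc]
[ 1500.000001] kernel BUG at fs/ext4/inode.c:1234!
"""
```

Feed `find_skb_related_bugs()` the output of `dmesg` or `journalctl -k`; a hit is a reason to check the kernel version against the fix, not proof of exploitation.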


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-03-25T09:12:14.109Z
Cisa Enriched: true
Cvss Version: null
State: PUBLISHED

Threat ID: 682d9821c4522896dcbde05e

Added to database: 5/21/2025, 9:08:49 AM

Last enriched: 6/28/2025, 4:56:12 AM

Last updated: 8/13/2025, 2:11:41 PM
