CVE-2021-47174: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

netfilter: nft_set_pipapo_avx2: Add irq_fpu_usable() check, fallback to non-AVX2 version

Arturo reported this backtrace:

[709732.358791] WARNING: CPU: 3 PID: 456 at arch/x86/kernel/fpu/core.c:128 kernel_fpu_begin_mask+0xae/0xe0
[709732.358793] Modules linked in: binfmt_misc nft_nat nft_chain_nat nf_nat nft_counter nft_ct nf_tables nf_conntrack_netlink nfnetlink 8021q garp stp mrp llc vrf intel_rapl_msr intel_rapl_common skx_edac nfit libnvdimm ipmi_ssif x86_pkg_temp_thermal intel_powerclamp coretemp crc32_pclmul mgag200 ghash_clmulni_intel drm_kms_helper cec aesni_intel drm libaes crypto_simd cryptd glue_helper mei_me dell_smbios iTCO_wdt evdev intel_pmc_bxt iTCO_vendor_support dcdbas pcspkr rapl dell_wmi_descriptor wmi_bmof sg i2c_algo_bit watchdog mei acpi_ipmi ipmi_si button nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ipmi_devintf ipmi_msghandler ip_tables x_tables autofs4 ext4 crc16 mbcache jbd2 dm_mod raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor sd_mod t10_pi crc_t10dif crct10dif_generic raid6_pq libcrc32c crc32c_generic raid1 raid0 multipath linear md_mod ahci libahci tg3 libata xhci_pci libphy xhci_hcd ptp usbcore crct10dif_pclmul crct10dif_common bnxt_en crc32c_intel scsi_mod
[709732.358941] pps_core i2c_i801 lpc_ich i2c_smbus wmi usb_common
[709732.358957] CPU: 3 PID: 456 Comm: jbd2/dm-0-8 Not tainted 5.10.0-0.bpo.5-amd64 #1 Debian 5.10.24-1~bpo10+1
[709732.358959] Hardware name: Dell Inc. PowerEdge R440/04JN2K, BIOS 2.9.3 09/23/2020
[709732.358964] RIP: 0010:kernel_fpu_begin_mask+0xae/0xe0
[709732.358969] Code: ae 54 24 04 83 e3 01 75 38 48 8b 44 24 08 65 48 33 04 25 28 00 00 00 75 33 48 83 c4 10 5b c3 65 8a 05 5e 21 5e 76 84 c0 74 92 <0f> 0b eb 8e f0 80 4f 01 40 48 81 c7 00 14 00 00 e8 dd fb ff ff eb
[709732.358972] RSP: 0018:ffffbb9700304740 EFLAGS: 00010202
[709732.358976] RAX: 0000000000000001 RBX: 0000000000000003 RCX: 0000000000000001
[709732.358979] RDX: ffffbb9700304970 RSI: ffff922fe1952e00 RDI: 0000000000000003
[709732.358981] RBP: ffffbb9700304970 R08: ffff922fc868a600 R09: ffff922fc711e462
[709732.358984] R10: 000000000000005f R11: ffff922ff0b27180 R12: ffffbb9700304960
[709732.358987] R13: ffffbb9700304b08 R14: ffff922fc664b6c8 R15: ffff922fc664b660
[709732.358990] FS: 0000000000000000(0000) GS:ffff92371fec0000(0000) knlGS:0000000000000000
[709732.358993] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[709732.358996] CR2: 0000557a6655bdd0 CR3: 000000026020a001 CR4: 00000000007706e0
[709732.358999] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[709732.359001] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[709732.359003] PKRU: 55555554
[709732.359005] Call Trace:
[709732.359009] <IRQ>
[709732.359035] nft_pipapo_avx2_lookup+0x4c/0x1cba [nf_tables]
[709732.359046] ? sched_clock+0x5/0x10
[709732.359054] ? sched_clock_cpu+0xc/0xb0
[709732.359061] ? record_times+0x16/0x80
[709732.359068] ? plist_add+0xc1/0x100
[709732.359073] ? psi_group_change+0x47/0x230
[709732.359079] ? skb_clone+0x4d/0xb0
[709732.359085] ? enqueue_task_rt+0x22b/0x310
[709732.359098] ? bnxt_start_xmit+0x1e8/0xaf0 [bnxt_en]
[709732.359102] ? packet_rcv+0x40/0x4a0
[709732.359121] nft_lookup_eval+0x59/0x160 [nf_tables]
[709732.359133] nft_do_chain+0x350/0x500 [nf_tables]
[709732.359152] ? nft_lookup_eval+0x59/0x160 [nf_tables]
[709732.359163] ? nft_do_chain+0x364/0x500 [nf_tables]
[709732.359172] ? fib4_rule_action+0x6d/0x80
[709732.359178] ? fib_rules_lookup+0x107/0x250
[709732.359184] nft_nat_do_chain+0x8a/0xf2 [nft_chain_nat]
[709732.359193] nf_nat_inet_fn+0xea/0x210 [nf_nat]
[709732.359202] nf_nat_ipv4_out+0x14/0xa0 [nf_nat]
[709732.359207] nf_hook_slow+0x44/0xc0
[709732.359214] ip_output+0xd2/0x100
[709732.359221] ? __ip_finish_output+0x210/0x210
[709732.359226] ip_forward+0x37d/0x4a0
[709732.359232] ? ip4_key_hashfn+0xb0/0xb0
[709732.359238] ip_subli ---truncated---
AI Analysis
Technical Summary
CVE-2021-47174 is a vulnerability in the Linux kernel's netfilter subsystem, in the nft_set_pipapo_avx2 code. The lookup path lacked a call to irq_fpu_usable(), the check that determines whether the current interrupt context can safely use the floating-point unit (FPU), and with it AVX2 instructions. Without this check, the kernel may attempt to execute AVX2 instructions in an inappropriate context, leading to a kernel warning or potentially a kernel panic.
The vulnerability was reported with a detailed backtrace showing a warning triggered in kernel_fpu_begin_mask(), which is part of the kernel's FPU management code. The problem occurs when nft_pipapo_avx2_lookup, a function in the nf_tables module (which is responsible for packet filtering and network address translation), executes AVX2 instructions without verifying FPU usability in interrupt context. This can cause instability or crashes in the kernel, impacting system availability.
The vulnerability affects Linux kernel versions around 5.10.24, as indicated by the example system (Debian 5.10.24-1~bpo10+1), and is related to the nf_tables and netfilter components widely used for firewalling and packet filtering. Although no known exploits are reported in the wild, the flaw could be triggered by crafted network packets processed by nftables rules using the affected AVX2 code path. The lack of a CVSS score suggests this is a recently published issue with limited public exploitation data. However, the technical details imply a medium to high risk due to potential kernel crashes and denial of service.
The patch adds the irq_fpu_usable() check and falls back to a non-AVX2 code path when AVX2 usage is unsafe, preventing the kernel from executing floating-point instructions in unsuitable contexts.
Potential Impact
For European organizations, the impact of CVE-2021-47174 primarily concerns system stability and availability. Linux servers running kernel versions with this vulnerability, especially those utilizing nftables for firewalling and network packet filtering, may experience kernel warnings or crashes when processing certain network traffic. This can lead to denial of service conditions, disrupting critical services such as web hosting, cloud infrastructure, and network security appliances. Organizations relying on Linux-based network devices, including firewalls, routers, and load balancers, could see degraded network performance or outages. While the vulnerability does not directly expose confidentiality or integrity risks, the resulting downtime can affect business continuity and service level agreements. Additionally, the vulnerability could be leveraged in targeted denial of service attacks by adversaries sending specially crafted packets to trigger the faulty AVX2 code path. Given the widespread use of Linux in European data centers, cloud providers, and enterprise environments, the threat is significant for sectors such as finance, telecommunications, government, and critical infrastructure. The absence of known exploits reduces immediate risk, but unpatched systems remain vulnerable to potential exploitation as attackers analyze the flaw.
Mitigation Recommendations
European organizations should prioritize updating Linux kernels to versions where this vulnerability is patched, specifically those including the irq_fpu_usable() check in nft_set_pipapo_avx2. Kernel updates from trusted Linux distributions (e.g., Debian, Ubuntu, Red Hat, SUSE) should be applied promptly. Network administrators should audit nftables configurations to identify rules that may trigger the AVX2 code path and consider temporarily disabling or modifying such rules if immediate patching is not feasible. Employing network segmentation and filtering to limit exposure of vulnerable systems to untrusted networks can reduce attack surface. Monitoring kernel logs for warnings related to kernel_fpu_begin_mask or nft_pipapo_avx2_lookup can help detect attempts to trigger the vulnerability. For high-security environments, consider deploying intrusion detection systems capable of recognizing anomalous nftables traffic patterns. Finally, organizations should maintain a robust patch management process to quickly incorporate kernel security updates and test them in staging environments to avoid service disruptions.
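The kernel-log monitoring recommended above, as an added example that is not part of the original advisory or of any vendor tooling: a parser that reports only kernel_fpu_begin_mask warnings whose confirmed call-trace frames include nft_pipapo_avx2_lookup. The first sample event is abridged from the backtrace quoted in this entry; the second event and its names example_simd_user and example_mod are constructed.

```python
import re

# First event: abridged from the backtrace quoted in this advisory.
# Second event: constructed (hypothetical caller), must NOT be reported.
SAMPLE_LOG = """\
[709732.358791] WARNING: CPU: 3 PID: 456 at arch/x86/kernel/fpu/core.c:128 kernel_fpu_begin_mask+0xae/0xe0
[709732.358957] CPU: 3 PID: 456 Comm: jbd2/dm-0-8 Not tainted 5.10.0-0.bpo.5-amd64 #1 Debian 5.10.24-1~bpo10+1
[709732.359005] Call Trace:
[709732.359009] <IRQ>
[709732.359035] nft_pipapo_avx2_lookup+0x4c/0x1cba [nf_tables]
[709732.359046] ? sched_clock+0x5/0x10
[709732.359121] nft_lookup_eval+0x59/0x160 [nf_tables]
[709732.359133] nft_do_chain+0x350/0x500 [nf_tables]
[800000.000001] WARNING: CPU: 1 PID: 77 at arch/x86/kernel/fpu/core.c:128 kernel_fpu_begin_mask+0xae/0xe0
[800000.000002] Call Trace:
[800000.000003] example_simd_user+0x10/0x40 [example_mod]
"""

LINE = re.compile(r"^\[\s*(\d+\.\d+)\]\s?(.*)$")             # "[ts] body"
WARN = re.compile(r"^WARNING: CPU: (\d+) PID: \d+ at \S+ ([\w.]+)\+0x")
RELEASE = re.compile(r"[Tt]ainted.*? (\S+) #\d")             # kernel release
FRAME = re.compile(r"^(\? )?([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+")


def find_fpu_warnings(log_text):
    """Return one dict per kernel_fpu_begin_mask WARNING reached from the
    AVX2 pipapo lookup. Frames prefixed with '?' are unreliable and ignored."""
    events, cur = [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts, body = m.group(1), m.group(2).strip()
        w = WARN.match(body)
        if w:  # a new WARNING starts a new event
            cur = {"time": ts, "cpu": int(w.group(1)), "site": w.group(2),
                   "release": None, "irq": False, "frames": []}
            events.append(cur)
        elif cur is None or body.startswith("---[ end trace"):
            cur = None  # outside any warning block
        elif body.startswith("CPU:") and RELEASE.search(body):
            cur["release"] = RELEASE.search(body).group(1)
        elif body == "<IRQ>":
            cur["irq"] = True
        else:
            f = FRAME.match(body)
            if f and not f.group(1):
                cur["frames"].append(f.group(2))
    return [e for e in events if e["site"] == "kernel_fpu_begin_mask"
            and "nft_pipapo_avx2_lookup" in e["frames"]]


if __name__ == "__main__":
    for e in find_fpu_warnings(SAMPLE_LOG):
        print(e["time"], "cpu", e["cpu"], e["release"], "irq" if e["irq"] else "")
```

Feed it the output of `dmesg` or the kernel journal; a hit on a host also gives the running kernel release to compare against the distribution's fixed version.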
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden, Poland, Belgium, Finland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-03-25T09:12:14.111Z
- Cisa Enriched: true
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9835c4522896dcbe9f6c
Added to database: 5/21/2025, 9:09:09 AM
Last enriched: 6/26/2025, 6:20:24 PM
Last updated: 8/11/2025, 6:59:31 AM