
CVE-2021-47175: Vulnerability in the Linux kernel (vendor: Linux, product: Linux)

High
Published: Mon Mar 25 2024 (03/25/2024, 09:16:25 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

net/sched: fq_pie: fix OOB access in the traffic path

the following script:

 # tc qdisc add dev eth0 handle 0x1 root fq_pie flows 2
 # tc qdisc add dev eth0 clsact
 # tc filter add dev eth0 egress matchall action skbedit priority 0x10002
 # ping 192.0.2.2 -I eth0 -c2 -w1 -q

produces the following splat:

 BUG: KASAN: slab-out-of-bounds in fq_pie_qdisc_enqueue+0x1314/0x19d0 [sch_fq_pie]
 Read of size 4 at addr ffff888171306924 by task ping/942

 CPU: 3 PID: 942 Comm: ping Not tainted 5.12.0+ #441
 Hardware name: Red Hat KVM, BIOS 1.11.1-4.module+el8.1.0+4066+0f1aadab 04/01/2014
 Call Trace:
  dump_stack+0x92/0xc1
  print_address_description.constprop.7+0x1a/0x150
  kasan_report.cold.13+0x7f/0x111
  fq_pie_qdisc_enqueue+0x1314/0x19d0 [sch_fq_pie]
  __dev_queue_xmit+0x1034/0x2b10
  ip_finish_output2+0xc62/0x2120
  __ip_finish_output+0x553/0xea0
  ip_output+0x1ca/0x4d0
  ip_send_skb+0x37/0xa0
  raw_sendmsg+0x1c4b/0x2d00
  sock_sendmsg+0xdb/0x110
  __sys_sendto+0x1d7/0x2b0
  __x64_sys_sendto+0xdd/0x1b0
  do_syscall_64+0x3c/0x80
  entry_SYSCALL_64_after_hwframe+0x44/0xae
 RIP: 0033:0x7fe69735c3eb
 Code: 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 f3 0f 1e fa 48 8d 05 75 42 2c 00 41 89 ca 8b 00 85 c0 75 14 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 75 c3 0f 1f 40 00 41 57 4d 89 c7 41 56 41 89
 RSP: 002b:00007fff06d7fb38 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
 RAX: ffffffffffffffda RBX: 000055e961413700 RCX: 00007fe69735c3eb
 RDX: 0000000000000040 RSI: 000055e961413700 RDI: 0000000000000003
 RBP: 0000000000000040 R08: 000055e961410500 R09: 0000000000000010
 R10: 0000000000000000 R11: 0000000000000246 R12: 00007fff06d81260
 R13: 00007fff06d7fb40 R14: 00007fff06d7fc30 R15: 000055e96140f0a0

 Allocated by task 917:
  kasan_save_stack+0x19/0x40
  __kasan_kmalloc+0x7f/0xa0
  __kmalloc_node+0x139/0x280
  fq_pie_init+0x555/0x8e8 [sch_fq_pie]
  qdisc_create+0x407/0x11b0
  tc_modify_qdisc+0x3c2/0x17e0
  rtnetlink_rcv_msg+0x346/0x8e0
  netlink_rcv_skb+0x120/0x380
  netlink_unicast+0x439/0x630
  netlink_sendmsg+0x719/0xbf0
  sock_sendmsg+0xe2/0x110
  ____sys_sendmsg+0x5ba/0x890
  ___sys_sendmsg+0xe9/0x160
  __sys_sendmsg+0xd3/0x170
  do_syscall_64+0x3c/0x80
  entry_SYSCALL_64_after_hwframe+0x44/0xae

 The buggy address belongs to the object at ffff888171306800
  which belongs to the cache kmalloc-256 of size 256
 The buggy address is located 36 bytes to the right of
  256-byte region [ffff888171306800, ffff888171306900)
 The buggy address belongs to the page:
 page:00000000bcfb624e refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x171306
 head:00000000bcfb624e order:1 compound_mapcount:0
 flags: 0x17ffffc0010200(slab|head|node=0|zone=2|lastcpupid=0x1fffff)
 raw: 0017ffffc0010200 dead000000000100 dead000000000122 ffff888100042b40
 raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
 page dumped because: kasan: bad access detected

 Memory state around the buggy address:
  ffff888171306800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  ffff888171306880: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
 >ffff888171306900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                                ^
  ffff888171306980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
  ffff888171306a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb

fix fq_pie traffic path to avoid selecting 'q->flows + q->flows_cnt' as a valid flow: it's an address beyond the allocated memory.
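The off-by-one the commit message describes, modelled in C as an added example (this is not the kernel's source): it reproduces the flow-index arithmetic for the page's own values (handle 0x1, flows 2, skbedit priority 0x10002) and shows the vulnerable mapping beside the fixed one. The struct and helper names are simplified stand-ins assumed for illustration; only the TC_H_* handle layout and the tc values are real.

```c
/* Model of the fq_pie flow-selection off-by-one, added for this page; it is
 * not the kernel's source. The struct and helper names are simplified
 * stand-ins; the TC_H_* handle layout and the tc values are the real ones. */
#include <stdint.h>
#include <stdio.h>

#define TC_H_MAJ(h) ((h) & 0xFFFF0000U)   /* qdisc handle: major part */
#define TC_H_MIN(h) ((h) & 0x0000FFFFU)   /* qdisc handle: minor part */

struct fq_pie_sched_data {
    uint32_t flows_cnt;  /* "flows 2" allocates 2 slots: valid indices 0..1 */
};

/* Classifier result is 1-based: a priority whose major part equals the qdisc
 * handle and whose minor part is 1..flows_cnt selects that flow directly;
 * otherwise a hash (stand-in argument) is folded into 1..flows_cnt.
 * 0 is reserved for "filter asked to drop". */
static uint32_t fq_pie_classify(uint32_t prio, uint32_t handle, uint32_t hash,
                                const struct fq_pie_sched_data *q)
{
    if (TC_H_MAJ(prio) == handle && TC_H_MIN(prio) > 0 &&
        TC_H_MIN(prio) <= q->flows_cnt)
        return TC_H_MIN(prio);
    return hash % q->flows_cnt + 1;
}

/* Before the fix: the 1-based result is used as the array index, so a result
 * of flows_cnt addresses q->flows + q->flows_cnt, one slot past the end. */
static int flow_index_vulnerable(uint32_t cls) { return (int)cls; }
/* After the fix: 0 means drop (-1 here), anything else becomes 0-based. */
static int flow_index_fixed(uint32_t cls) { return cls == 0 ? -1 : (int)cls - 1; }

/* The invariant a reviewer checks: an index is usable only if 0 <= idx < flows_cnt. */
static int in_bounds(int idx, const struct fq_pie_sched_data *q)
{
    return idx >= 0 && (uint32_t)idx < q->flows_cnt;
}

int main(void)
{
    struct fq_pie_sched_data q = { .flows_cnt = 2 };
    uint32_t handle = 0x1U << 16;  /* "handle 0x1": major 1, minor 0 */
    uint32_t prio = 0x10002U;      /* "skbedit priority 0x10002": major 1, minor 2 */
    uint32_t cls = fq_pie_classify(prio, handle, 0, &q);
    int bad = flow_index_vulnerable(cls), good = flow_index_fixed(cls);

    printf("classify -> %u; vulnerable idx %d (%s), fixed idx %d (%s)\n",
           (unsigned)cls, bad, in_bounds(bad, &q) ? "ok" : "OOB",
           good, in_bounds(good, &q) ? "ok" : "OOB");
    return 0;
}
```

With the page's values the classifier returns 2, which the vulnerable mapping turns into index 2 (one past the two allocated slots, matching the "36 bytes to the right of" the 256-byte region in the splat) and the fixed mapping into index 1.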

AI-Powered Analysis

Last updated: 06/26/2025, 18:20:06 UTC

Technical Analysis

CVE-2021-47175 is a vulnerability in the Linux kernel's fq_pie (Fair Queueing with Proportional Integral controller Enhanced) traffic control module, specifically within the net/sched subsystem. The flaw is an out-of-bounds (OOB) memory access occurring in the fq_pie_qdisc_enqueue function, which is responsible for enqueueing packets in the traffic shaping queue. The vulnerability arises because the code incorrectly allows selection of an index beyond the allocated memory bounds for flow structures, specifically allowing access to 'q->flows + q->flows_cnt', which is outside the allocated array. This leads to a slab-out-of-bounds read detected by Kernel Address Sanitizer (KASAN), causing a kernel crash (BUG) and potential memory corruption. The issue can be triggered by executing a sequence of traffic control (tc) commands to add fq_pie qdisc and clsact qdisc on an interface, followed by sending packets (e.g., ping) through the interface. The vulnerability affects Linux kernel versions around 5.12.0+ and likely others using the vulnerable fq_pie implementation. The root cause is a logic error in the traffic path that mishandles flow indexing, leading to invalid memory reads. Although no public exploits are known, the flaw can cause denial of service (kernel panic) and may be leveraged for privilege escalation or arbitrary code execution if combined with other vulnerabilities. The patch involves fixing the flow selection logic to prevent accessing memory beyond the allocated flow array. This vulnerability is significant because fq_pie is widely used for network traffic shaping and quality of service in Linux systems, including servers, cloud infrastructure, and embedded devices.

Potential Impact

For European organizations, this vulnerability poses a risk primarily to Linux-based infrastructure that employs fq_pie for traffic control, including data centers, cloud providers, telecom operators, and enterprises running Linux servers. Exploitation can lead to kernel crashes causing denial of service, disrupting critical services and network availability. In multi-tenant environments such as cloud platforms common in Europe, an attacker with network access or limited privileges could trigger the flaw to destabilize hosts or potentially escalate privileges, threatening confidentiality and integrity. The impact is heightened in sectors relying heavily on Linux networking stacks, such as financial services, telecommunications, and government agencies. Additionally, embedded Linux devices used in industrial control systems or IoT deployments across Europe could be affected, risking operational disruptions. Although no known exploits exist, the vulnerability's presence in the kernel's networking code makes it a candidate for future exploitation attempts. The lack of a CVSS score complicates risk assessment, but the potential for denial of service and memory corruption in kernel space indicates a serious threat to availability and system stability.

Mitigation Recommendations

European organizations should prioritize updating Linux kernels to versions where this vulnerability is patched. Since fq_pie is a kernel module, applying official Linux kernel updates or vendor-specific patches (e.g., from Red Hat, SUSE, Canonical) is the most effective mitigation. Network administrators should audit usage of fq_pie qdiscs on critical systems and consider temporarily disabling or replacing fq_pie with alternative queuing disciplines if patching is delayed. Implement strict network segmentation and access controls to limit untrusted users' ability to send crafted traffic that could trigger the flaw. Monitoring kernel logs for KASAN or BUG messages related to fq_pie can help detect attempted exploitation. For cloud providers and multi-tenant environments, enforce tenant isolation and limit capabilities that allow manipulation of traffic control settings. Additionally, conduct vulnerability scanning and penetration testing focused on kernel-level network components to identify exposure. Finally, maintain up-to-date incident response plans to quickly address potential denial of service or compromise scenarios stemming from kernel vulnerabilities.


Technical Details

Data Version
5.1
Assigner Short Name
Linux
Date Reserved
2024-03-25T09:12:14.111Z
Cisa Enriched
true
Cvss Version
null
State
PUBLISHED

Threat ID: 682d9835c4522896dcbe9f83

Added to database: 5/21/2025, 9:09:09 AM

Last enriched: 6/26/2025, 6:20:06 PM

Last updated: 8/18/2025, 9:53:14 AM
