
CVE-2021-47199: Vulnerability in the Linux kernel (vendor: Linux)

Severity: High
Type: Vulnerability
Published: Wed Apr 10 2024 (04/10/2024, 18:56:34 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

net/mlx5e: CT, Fix multiple allocations and memleak of mod acts

CT clear action offload adds additional mod hdr actions to the flow's original mod actions in order to clear the registers which hold ct_state. When such flow also includes encap action, a neigh update event can cause the driver to unoffload the flow and then reoffload it. Each time this happens, the ct clear handling adds that same set of mod hdr actions to reset ct_state until the max of mod hdr actions is reached. Also the driver never releases the allocated mod hdr actions, causing a memleak.

Fix above two issues by moving CT clear mod acts allocation into the parsing actions phase and only use it when offloading the rule. The release of mod acts will be done in the normal flow_put().

backtrace:
[<000000007316e2f3>] krealloc+0x83/0xd0
[<00000000ef157de1>] mlx5e_mod_hdr_alloc+0x147/0x300 [mlx5_core]
[<00000000970ce4ae>] mlx5e_tc_match_to_reg_set_and_get_id+0xd7/0x240 [mlx5_core]
[<0000000067c5fa17>] mlx5e_tc_match_to_reg_set+0xa/0x20 [mlx5_core]
[<00000000d032eb98>] mlx5_tc_ct_entry_set_registers.isra.0+0x36/0xc0 [mlx5_core]
[<00000000fd23b869>] mlx5_tc_ct_flow_offload+0x272/0x1f10 [mlx5_core]
[<000000004fc24acc>] mlx5e_tc_offload_fdb_rules.part.0+0x150/0x620 [mlx5_core]
[<00000000dc741c17>] mlx5e_tc_encap_flows_add+0x489/0x690 [mlx5_core]
[<00000000e92e49d7>] mlx5e_rep_update_flows+0x6e4/0x9b0 [mlx5_core]
[<00000000f60f5602>] mlx5e_rep_neigh_update+0x39a/0x5d0 [mlx5_core]

AI-Powered Analysis

Last updated: 06/26/2025, 17:06:43 UTC

Technical Analysis

CVE-2021-47199 is a vulnerability in the Linux kernel specifically affecting the mlx5e driver, which is part of the Mellanox (now NVIDIA) mlx5_core network driver stack. The vulnerability arises from improper handling of connection tracking (CT) clear action offload in combination with encapsulation (encap) actions. When a flow includes both CT clear actions and encap actions, a neighbor update event can trigger the driver to unoffload and then reoffload the flow. Each reoffload incorrectly adds the same set of modification header (mod hdr) actions repeatedly until a maximum limit is reached. Additionally, the driver fails to release allocated mod hdr actions, causing a memory leak. This can lead to resource exhaustion in the kernel memory space. The root cause is that the allocation of CT clear mod actions is done multiple times during reoffloading instead of being allocated once during the parsing phase and released properly during flow cleanup. The fix involves moving the allocation to the parsing phase and ensuring proper release of these actions in the flow_put() cleanup routine. The backtrace provided shows the call stack within the mlx5_core driver where the issue manifests, involving functions like mlx5e_mod_hdr_alloc, mlx5e_tc_match_to_reg_set_and_get_id, mlx5e_tc_ct_flow_offload, and mlx5e_rep_neigh_update. This vulnerability does not have a CVSS score assigned yet and no known exploits in the wild have been reported. However, it affects Linux kernel versions containing the vulnerable mlx5e driver code prior to the patch. Since the mlx5e driver is used in high-performance networking environments, including data centers and enterprise servers, this vulnerability could impact systems relying on Mellanox network adapters for advanced traffic offloading and connection tracking features.
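The allocation pattern the commit message describes, reduced to a small C model added here (not the mlx5e driver's code; the cap, the action count and the function names are constructed for illustration): on the vulnerable path every reoffload allocates and appends a fresh CT clear set and drops the pointer, while the fixed path allocates once when parsing the actions, reuses it on each offload, and releases it in flow_put().

```c
#include <stdlib.h>
#define MAX_MOD_ACTS 8   /* constructed cap; the real driver has its own */
#define CT_CLEAR_ACTS 2  /* constructed: actions needed to reset ct_state */
static int live_allocs;  /* outstanding CT clear allocations (leak gauge) */

struct flow {
    int num_acts;        /* mod-header actions attached to the flow */
    int *ct_clear;       /* CT clear actions; the fixed path owns this */
};

static int *alloc_ct_clear(void) {
    int *p = calloc(CT_CLEAR_ACTS, sizeof(int));
    if (p) live_allocs++;
    return p;
}

/* Vulnerable: every (re)offload allocates and appends a fresh CT clear set;
 * the pointer is then dropped, so the memory can never be released. */
static int offload_vulnerable(struct flow *f) {
    if (f->num_acts + CT_CLEAR_ACTS > MAX_MOD_ACTS) return -1; /* cap hit */
    if (!alloc_ct_clear()) return -1;                         /* leaked */
    f->num_acts += CT_CLEAR_ACTS;
    return 0;
}
/* Fixed: allocate once while parsing the actions ... */
static int parse_actions_fixed(struct flow *f) {
    if (!(f->ct_clear = alloc_ct_clear())) return -1;
    f->num_acts += CT_CLEAR_ACTS;
    return 0;
}
/* ... and only reference it when offloading; reoffload adds nothing. */
static int offload_fixed(struct flow *f) { return f->ct_clear ? 0 : -1; }
/* Normal teardown releases the parse-time allocation. */
static void flow_put(struct flow *f) {
    if (f->ct_clear) { free(f->ct_clear); live_allocs--; f->ct_clear = NULL; }
}

/* Drive `rounds` unoffload/reoffload cycles (one per neigh update event).
 * Returns the flow's mod act count, or -1 once the cap is reached. */
int simulate(int rounds, int fixed) {
    struct flow f = {0, NULL};
    live_allocs = 0;
    if (fixed && parse_actions_fixed(&f)) return -1;
    for (int i = 0; i < rounds; i++)
        if ((fixed ? offload_fixed(&f) : offload_vulnerable(&f)) < 0) { flow_put(&f); return -1; }
    int n = f.num_acts;
    flow_put(&f);
    return n;
}
int leaked_allocs(void) { return live_allocs; }
```

With the constructed cap of 8, the vulnerable path grows the flow by two actions per neighbour update and fails on the fifth cycle with four allocations still outstanding; the fixed path stays at two actions and leaves nothing behind after flow_put().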

Potential Impact

For European organizations, the impact of CVE-2021-47199 could be significant in environments using Linux servers with Mellanox mlx5 network adapters, especially in data centers, cloud providers, and enterprises with high-throughput networking needs. The memory leak caused by repeated mod hdr action allocations can lead to kernel memory exhaustion, potentially causing degraded network performance, system instability, or crashes. This could disrupt critical services, including cloud infrastructure, telecommunications, and financial services that rely on stable and performant Linux networking stacks. Although no direct remote code execution or privilege escalation is indicated, denial of service through resource exhaustion can still have severe operational impacts. Organizations running containerized workloads or network function virtualization (NFV) on Linux with these drivers are particularly at risk. The lack of known exploits reduces immediate risk, but the vulnerability's presence in kernel networking code means attackers with local or network access might trigger the issue to degrade service availability.

Mitigation Recommendations

To mitigate CVE-2021-47199, European organizations should:

1) Identify Linux systems using Mellanox mlx5 network adapters and verify kernel versions against vendor advisories for patches addressing this vulnerability.
2) Apply the latest Linux kernel updates or vendor-provided patches that fix the CT clear action offload and mod hdr allocation logic in the mlx5e driver.
3) Monitor kernel logs and system metrics for signs of memory leaks or abnormal network driver behavior, especially after neighbor update events or flow offload operations.
4) Limit exposure by restricting network access to critical Linux servers with mlx5 adapters, minimizing the attack surface for triggering neighbor update events maliciously.
5) If patching is delayed, consider disabling advanced offload features related to connection tracking or encapsulation in the mlx5e driver as a temporary workaround, understanding this may impact performance.
6) Engage with hardware and Linux distribution vendors for guidance and timely updates.
7) Incorporate this vulnerability into vulnerability management and incident response plans to detect and respond to potential exploitation attempts.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-03-25T09:12:14.117Z
CISA Enriched: true
CVSS Version: null
State: PUBLISHED

Threat ID: 682d9835c4522896dcbea026

Added to database: 5/21/2025, 9:09:09 AM

Last enriched: 6/26/2025, 5:06:43 PM

Last updated: 7/31/2025, 11:08:10 AM

