
CVE-2021-47222: Vulnerability in Linux Linux

High
Published: Tue May 21 2024 (05/21/2024, 14:19:28 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

net: bridge: fix vlan tunnel dst refcnt when egressing

The egress tunnel code uses dst_clone() and directly sets the result which is wrong because the entry might have 0 refcnt or be already deleted, causing a number of problems. It also triggers the WARN_ON() in dst_hold()[1] when a refcnt couldn't be taken. Fix it by using dst_hold_safe() and checking if a reference was actually taken before setting the dst.

[1] dmesg WARN_ON log and following refcnt errors

    WARNING: CPU: 5 PID: 38 at include/net/dst.h:230 br_handle_egress_vlan_tunnel+0x10b/0x134 [bridge]
    Modules linked in: 8021q garp mrp bridge stp llc bonding ipv6 virtio_net
    CPU: 5 PID: 38 Comm: ksoftirqd/5 Kdump: loaded Tainted: G W 5.13.0-rc3+ #360
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc33 04/01/2014
    RIP: 0010:br_handle_egress_vlan_tunnel+0x10b/0x134 [bridge]
    Code: e8 85 bc 01 e1 45 84 f6 74 90 45 31 f6 85 db 48 c7 c7 a0 02 19 a0 41 0f 94 c6 31 c9 31 d2 44 89 f6 e8 64 bc 01 e1 85 db 75 02 <0f> 0b 31 c9 31 d2 44 89 f6 48 c7 c7 70 02 19 a0 e8 4b bc 01 e1 49
    RSP: 0018:ffff8881003d39e8 EFLAGS: 00010246
    RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
    RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffffffffa01902a0
    RBP: ffff8881040c6700 R08: 0000000000000000 R09: 0000000000000001
    R10: 2ce93d0054fe0d00 R11: 54fe0d00000e0000 R12: ffff888109515000
    R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000401
    FS: 0000000000000000(0000) GS:ffff88822bf40000(0000) knlGS:0000000000000000
    CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 00007f42ba70f030 CR3: 0000000109926000 CR4: 00000000000006e0
    Call Trace:
    br_handle_vlan+0xbc/0xca [bridge]
    __br_forward+0x23/0x164 [bridge]
    deliver_clone+0x41/0x48 [bridge]
    br_handle_frame_finish+0x36f/0x3aa [bridge]
    ? skb_dst+0x2e/0x38 [bridge]
    ? br_handle_ingress_vlan_tunnel+0x3e/0x1c8 [bridge]
    ? br_handle_frame_finish+0x3aa/0x3aa [bridge]
    br_handle_frame+0x2c3/0x377 [bridge]
    ? __skb_pull+0x33/0x51
    ? vlan_do_receive+0x4f/0x36a
    ? br_handle_frame_finish+0x3aa/0x3aa [bridge]
    __netif_receive_skb_core+0x539/0x7c6
    ? __list_del_entry_valid+0x16e/0x1c2
    __netif_receive_skb_list_core+0x6d/0xd6
    netif_receive_skb_list_internal+0x1d9/0x1fa
    gro_normal_list+0x22/0x3e
    dev_gro_receive+0x55b/0x600
    ? detach_buf_split+0x58/0x140
    napi_gro_receive+0x94/0x12e
    virtnet_poll+0x15d/0x315 [virtio_net]
    __napi_poll+0x2c/0x1c9
    net_rx_action+0xe6/0x1fb
    __do_softirq+0x115/0x2d8
    run_ksoftirqd+0x18/0x20
    smpboot_thread_fn+0x183/0x19c
    ? smpboot_unregister_percpu_thread+0x66/0x66
    kthread+0x10a/0x10f
    ? kthread_mod_delayed_work+0xb6/0xb6
    ret_from_fork+0x22/0x30
    ---[ end trace 49f61b07f775fd2b ]---
    dst_release: dst:00000000c02d677a refcnt:-1
    dst_release underflow

AI-Powered Analysis

Last updated: 06/26/2025, 15:07:43 UTC

Technical Analysis

CVE-2021-47222 is a vulnerability in the Linux kernel's network bridge component, specifically related to VLAN tunnel egress processing. The issue arises from improper handling of destination (dst) references in the egress tunnel code. The vulnerable code uses dst_clone() and directly assigns the result without ensuring the reference count (refcnt) is valid or non-zero. This can lead to scenarios where the dst entry has a zero refcnt or has already been deleted, causing reference count underflows and triggering kernel warnings (WARN_ON) and potential instability. The root cause is the failure to use dst_hold_safe(), which safely increments the reference count only if the dst entry is valid. The vulnerability manifests as kernel warnings and refcnt errors, which could lead to kernel crashes or undefined behavior in the network stack. The affected function is br_handle_egress_vlan_tunnel() within the bridge module, which handles VLAN tunneling on egress packets. The vulnerability affects Linux kernel versions prior to the patch and is relevant to systems using bridging with VLAN tunnels, common in virtualized environments and complex network setups. Although no known exploits are reported in the wild, the flaw could be leveraged to cause denial of service (DoS) by crashing the kernel or disrupting network traffic. The vulnerability does not appear to allow privilege escalation or remote code execution directly but impacts kernel stability and network availability.
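An added example, not part of the original advisory and not kernel source: a single-threaded user-space model of the reference-count pattern described above, showing why setting the result of dst_clone() unconditionally ends in an underflow while the dst_hold_safe() check does not. The struct layouts, the counters and simulate() are hypothetical; only the helper names mirror the functions named in the description, and their bodies are simplified stand-ins.

```c
#include <stdbool.h>
#include <stdio.h>

/* User-space stand-ins; only the helper names come from the description. */
struct dst { int refcnt; };
struct skb { struct dst *dst; };
static int warn_count, underflow_count;

/* Take a reference only while the entry is still live (refcnt != 0). */
static bool dst_hold_safe(struct dst *d)
{
    if (d->refcnt == 0)
        return false;
    d->refcnt++;
    return true;
}

/* Warns when no reference was taken, yet still returns the pointer. */
static struct dst *dst_clone(struct dst *d)
{
    if (d && !dst_hold_safe(d))
        warn_count++;               /* models the WARN_ON() in the log */
    return d;
}

/* Freeing the packet drops the reference it is assumed to own. */
static void skb_free(struct skb *s)
{
    if (s->dst && --s->dst->refcnt < 0)
        underflow_count++;          /* models "dst_release underflow" */
    s->dst = NULL;
}

/* Egress one packet, then free it; returns the dst's final refcnt. */
static int simulate(bool checked, int initial_refcnt)
{
    struct dst d = { initial_refcnt };
    struct skb s = { NULL };
    warn_count = underflow_count = 0;
    if (!checked)
        s.dst = dst_clone(&d);      /* pre-fix: result set unconditionally */
    else if (dst_hold_safe(&d))
        s.dst = &d;                 /* post-fix: set only if a ref was taken */
    skb_free(&s);
    return d.refcnt;
}

int main(void)
{
    printf("dead dst: unchecked=%d checked=%d\n", simulate(false, 0), simulate(true, 0));
    return 0;
}
```

With a live entry (initial refcnt 1) both paths behave the same; they diverge only when the last reference is already gone, which is the window the fix closes.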

Potential Impact

For European organizations, the impact of CVE-2021-47222 is primarily related to network reliability and availability. Many enterprises, cloud providers, and data centers in Europe rely on Linux-based systems for network bridging and virtualization, especially in environments using VLAN tunneling for traffic segmentation and multi-tenant isolation. A successful exploitation or triggering of this vulnerability could cause kernel panics or crashes, leading to denial of service on critical network infrastructure. This can disrupt business operations, affect cloud services, and degrade performance of virtualized network functions. Although the vulnerability does not directly compromise confidentiality or integrity, the resulting instability could be exploited as part of a broader attack chain or cause significant operational downtime. Organizations with complex network topologies, including telecom providers and financial institutions in Europe, may face increased risk due to their reliance on advanced Linux networking features. The absence of known exploits reduces immediate risk, but the vulnerability should be addressed promptly to prevent potential future attacks or accidental triggers.

Mitigation Recommendations

European organizations should apply the official Linux kernel patches that fix the dst reference counting issue in the bridge VLAN tunnel egress code. Since the vulnerability is in the kernel networking stack, updating to a patched kernel version is the most effective mitigation. For environments where immediate patching is challenging, temporary mitigations include disabling VLAN tunneling on bridges if feasible, or isolating vulnerable systems from untrusted networks to reduce exposure. Network administrators should monitor kernel logs for WARN_ON messages related to dst reference counts as indicators of attempted exploitation or triggering. Additionally, organizations should implement robust kernel crash recovery mechanisms and maintain up-to-date backups to minimize downtime. For virtualized environments, updating hypervisor and guest Linux kernels is critical. Security teams should also review network configurations to limit unnecessary use of VLAN tunnels and bridge features. Finally, maintaining a strong patch management process and monitoring Linux kernel advisories will help ensure timely response to this and similar vulnerabilities.
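One way to do the kernel-log monitoring mentioned above, as an added example that is not part of the original advisory: a small scanner for the three messages quoted in the description. The function names, the verdict values and the timestamps in the sample are assumptions made for this example; the message text is taken from the log in the description.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct hits { int egress_warn, underflow, negative_refcnt; };

/* Check one kernel log line for the messages quoted in the description. */
static void scan_line(const char *line, struct hits *h)
{
    const char *p;
    /* Match file and function only: line numbers and offsets vary per build. */
    if (strstr(line, "WARNING:") && strstr(line, "include/net/dst.h") &&
        strstr(line, "br_handle_egress_vlan_tunnel"))
        h->egress_warn++;
    if (strstr(line, "dst_release underflow"))
        h->underflow++;
    if (strstr(line, "dst_release: dst:") && (p = strstr(line, "refcnt:")) &&
        strtol(p + strlen("refcnt:"), NULL, 10) < 0)
        h->negative_refcnt++;
}

/* Scan a newline-separated log. Returns 2 when the bridge egress WARN and a
 * dst underflow both appear, 1 when only one of them does, 0 when clean. */
static int scan_log(const char *text, struct hits *h)
{
    char line[512];                 /* longer lines are truncated */
    memset(h, 0, sizeof(*h));
    while (*text) {
        size_t n = strcspn(text, "\n");
        snprintf(line, sizeof(line), "%.*s", (int)n, text);
        scan_line(line, h);
        text += n + (text[n] == '\n');
    }
    int underflow = h->underflow || h->negative_refcnt;
    return (h->egress_warn && underflow) ? 2 : (h->egress_warn || underflow);
}

/* Messages copied from the description; the timestamps are constructed. */
static const char SAMPLE[] =
    "[  101.10] WARNING: CPU: 5 PID: 38 at include/net/dst.h:230 "
    "br_handle_egress_vlan_tunnel+0x10b/0x134 [bridge]\n"
    "[  101.11] dst_release: dst:00000000c02d677a refcnt:-1\n"
    "[  101.11] dst_release underflow\n";

int main(void)
{
    struct hits h;
    printf("verdict=%d\n", scan_log(SAMPLE, &h));
    return 0;
}
```

A verdict of 2 on a host that bridges with VLAN tunnels indicates the unpatched egress path is being hit and the kernel should be updated.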


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-04-10T18:59:19.529Z
Cisa Enriched: true
Cvss Version: null
State: PUBLISHED

Threat ID: 682d9835c4522896dcbea0c7

Added to database: 5/21/2025, 9:09:09 AM

Last enriched: 6/26/2025, 3:07:43 PM

Last updated: 8/17/2025, 11:55:19 AM
