
CVE-2021-47238: Vulnerability in Linux Linux

Severity: Medium
Published: Tue May 21 2024 (05/21/2024, 14:19:39 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

net: ipv4: fix memory leak in ip_mc_add1_src

BUG: memory leak
unreferenced object 0xffff888101bc4c00 (size 32):
  comm "syz-executor527", pid 360, jiffies 4294807421 (age 19.329s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    01 00 00 00 00 00 00 00 ac 14 14 bb 00 00 02 00  ................
  backtrace:
    [<00000000f17c5244>] kmalloc include/linux/slab.h:558 [inline]
    [<00000000f17c5244>] kzalloc include/linux/slab.h:688 [inline]
    [<00000000f17c5244>] ip_mc_add1_src net/ipv4/igmp.c:1971 [inline]
    [<00000000f17c5244>] ip_mc_add_src+0x95f/0xdb0 net/ipv4/igmp.c:2095
    [<000000001cb99709>] ip_mc_source+0x84c/0xea0 net/ipv4/igmp.c:2416
    [<0000000052cf19ed>] do_ip_setsockopt net/ipv4/ip_sockglue.c:1294 [inline]
    [<0000000052cf19ed>] ip_setsockopt+0x114b/0x30c0 net/ipv4/ip_sockglue.c:1423
    [<00000000477edfbc>] raw_setsockopt+0x13d/0x170 net/ipv4/raw.c:857
    [<00000000e75ca9bb>] __sys_setsockopt+0x158/0x270 net/socket.c:2117
    [<00000000bdb993a8>] __do_sys_setsockopt net/socket.c:2128 [inline]
    [<00000000bdb993a8>] __se_sys_setsockopt net/socket.c:2125 [inline]
    [<00000000bdb993a8>] __x64_sys_setsockopt+0xba/0x150 net/socket.c:2125
    [<000000006a1ffdbd>] do_syscall_64+0x40/0x80 arch/x86/entry/common.c:47
    [<00000000b11467c4>] entry_SYSCALL_64_after_hwframe+0x44/0xae

In commit 24803f38a5c0 ("igmp: do not remove igmp souce list info when set link down"), the ip_mc_clear_src() in ip_mc_destroy_dev() was removed, because it was also called in igmpv3_clear_delrec().

Rough callgraph:

inetdev_destroy
-> ip_mc_destroy_dev
   -> igmpv3_clear_delrec
      -> ip_mc_clear_src
-> RCU_INIT_POINTER(dev->ip_ptr, NULL)

However, ip_mc_clear_src() called in igmpv3_clear_delrec() doesn't release in_dev->mc_list->sources. And RCU_INIT_POINTER() assigns the NULL to dev->ip_ptr.

As a result, in_dev cannot be obtained through inetdev_by_index() and then in_dev->mc_list->sources cannot be released by ip_mc_del1_src() in the sock_close.

Rough call sequence goes like:

sock_close
-> __sock_release
   -> inet_release
      -> ip_mc_drop_socket
         -> inetdev_by_index
         -> ip_mc_leave_src
            -> ip_mc_del_src
               -> ip_mc_del1_src

So we still need to call ip_mc_clear_src() in ip_mc_destroy_dev() to free in_dev->mc_list->sources.

AI-Powered Analysis

Last updated: 07/05/2025, 09:41:34 UTC

Technical Analysis

CVE-2021-47238 is a medium-severity vulnerability in the Linux kernel's IPv4 multicast (IGMP) implementation, specifically in the ip_mc_add1_src function in net/ipv4/igmp.c. It is a memory leak caused by incomplete cleanup of multicast source lists when a network interface is destroyed or brought down. Kernel commit 24803f38a5c0 removed the call to ip_mc_clear_src() from ip_mc_destroy_dev() on the assumption that it was redundant, since ip_mc_clear_src() is also called from igmpv3_clear_delrec(). However, the ip_mc_clear_src() call made from igmpv3_clear_delrec() does not release the multicast source list (in_dev->mc_list->sources). Meanwhile, dev->ip_ptr is set to NULL via RCU_INIT_POINTER(), so the in_dev structure can no longer be found through inetdev_by_index(). When the socket that joined the group is later closed (sock_close, __sock_release, inet_release, ip_mc_drop_socket, ip_mc_del1_src), the cleanup path cannot reach the source list, and the objects allocated by ip_mc_add1_src() are never freed. The vulnerability does not affect confidentiality or integrity; it affects availability through resource exhaustion as leaked objects accumulate. The CVSS 3.1 score is 5.5 (medium severity): local attack vector, low attack complexity, privileges required, no user interaction, and impact on availability only. Multiple Linux kernel versions prior to the fix are affected, on systems that use IPv4 multicast networking. No exploits in the wild were known as of the publication date.
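To make the teardown ordering concrete, here is an added user-space model of the two cleanup paths (it is not kernel code and not part of this record): the function and field names mirror the kernel's for readability, while the struct layouts, the `fixed` flag and the `live_sources` counter are assumptions of the model.

```c
/* Added example, not kernel code: a user-space model of the CVE-2021-47238 teardown
 * order, showing why ip_mc_destroy_dev() must free in_dev->mc_list->sources itself. */
#include <stdlib.h>

struct ip_sf_list { unsigned sf_inaddr; struct ip_sf_list *sf_next; };
struct ip_mc_list { struct ip_sf_list *sources; };
struct in_device  { struct ip_mc_list *mc_list; };
struct net_device { struct in_device *ip_ptr; };
static int live_sources;   /* stands in for what kmemleak would report */

/* ip_mc_add1_src(): the kzalloc() named in the leak backtrace */
static void ip_mc_add1_src(struct ip_mc_list *pmc, unsigned addr) {
    struct ip_sf_list *psf = calloc(1, sizeof *psf);
    psf->sf_inaddr = addr; psf->sf_next = pmc->sources; pmc->sources = psf;
    live_sources++;
}

/* ip_mc_clear_src(): releases every source entry of one group */
static void ip_mc_clear_src(struct ip_mc_list *pmc) {
    struct ip_sf_list *psf, *next;
    for (psf = pmc->sources; psf; psf = next) { next = psf->sf_next; free(psf); live_sources--; }
    pmc->sources = NULL;
}

/* inetdev_destroy() -> ip_mc_destroy_dev(); `fixed` restores the ip_mc_clear_src()
 * call the patch adds back. The final store models RCU_INIT_POINTER(dev->ip_ptr, NULL). */
static void inetdev_destroy(struct net_device *dev, int fixed) {
    struct in_device *in_dev = dev->ip_ptr;
    if (fixed) ip_mc_clear_src(in_dev->mc_list);
    free(in_dev->mc_list); free(in_dev);
    dev->ip_ptr = NULL;
}

/* sock_close() -> ip_mc_drop_socket(): inetdev_by_index() yields dev->ip_ptr, which is
 * NULL after teardown, so the ip_mc_leave_src()/ip_mc_del1_src() path has nothing to free. */
static void ip_mc_drop_socket(struct net_device *dev) {
    struct in_device *in_dev = dev->ip_ptr;
    if (in_dev) ip_mc_clear_src(in_dev->mc_list);
}

/* Join one source, take the link down, close the socket; return entries still allocated. */
static int leaked_after_teardown(int fixed) {
    struct net_device dev = { .ip_ptr = calloc(1, sizeof(struct in_device)) };
    dev.ip_ptr->mc_list = calloc(1, sizeof(struct ip_mc_list));
    live_sources = 0;
    ip_mc_add1_src(dev.ip_ptr->mc_list, 0x0a000001u);  /* constructed source address */
    inetdev_destroy(&dev, fixed);
    ip_mc_drop_socket(&dev);
    return live_sources;
}
```

With the pre-fix ordering one source entry survives both cleanup paths; with the restored ip_mc_clear_src() call none does.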

Potential Impact

For European organizations, the impact of CVE-2021-47238 primarily concerns systems running Linux kernels with affected versions that handle IPv4 multicast traffic. This includes servers, network appliances, and embedded devices in sectors such as telecommunications, finance, government, and critical infrastructure where Linux is prevalent. The memory leak can lead to gradual resource exhaustion, causing degraded system performance or crashes, potentially disrupting network services reliant on multicast communication (e.g., streaming, conferencing, or real-time data distribution). While the vulnerability does not allow remote code execution or data compromise, denial of service through resource depletion can affect availability of critical services. Organizations with large-scale Linux deployments or multicast-heavy environments are at higher risk. The absence of known exploits reduces immediate threat but does not eliminate risk, especially if attackers gain local access or privileges. Therefore, European entities should consider this vulnerability in their risk assessments, particularly those operating in sectors with stringent availability requirements or using multicast extensively.

Mitigation Recommendations

To mitigate CVE-2021-47238, European organizations should:

1) Apply the official Linux kernel patches that restore the call to ip_mc_clear_src() in ip_mc_destroy_dev(), so that multicast source lists are released when a device is destroyed and the leak cannot occur.
2) Keep Linux kernels updated to the latest stable releases that include this fix.
3) Monitor system memory usage and kernel logs for signs of resource leaks or abnormal multicast socket behavior; kmemleak reports like the one in the description, which attribute the allocation to ip_mc_add1_src in net/ipv4/igmp.c, are the direct indicator.
4) Limit local user privileges, since triggering the leak requires local privileges.
5) For critical systems, consider kernel live patching to apply the fix without downtime.
6) Audit and restrict multicast usage where possible to minimize exposure.
7) Employ system resource monitoring and alerting to detect potential denial-of-service conditions early.

These steps focus on patch management, privilege control, and operational monitoring matched to this vulnerability's characteristics.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-04-10T18:59:19.532Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d9819c4522896dcbd8db4

Added to database: 5/21/2025, 9:08:41 AM

Last enriched: 7/5/2025, 9:41:34 AM

Last updated: 8/14/2025, 11:22:51 PM