CVE-2021-47300: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: bpf: Fix tail_call_reachable rejection for interpreter when jit failed During testing of f263a81451c1 ("bpf: Track subprog poke descriptors correctly and fix use-after-free") under various failure conditions, for example, when jit_subprogs() fails and tries to clean up the program to be run under the interpreter, we ran into the following freeze: [...] #127/8 tailcall_bpf2bpf_3:FAIL [...] [ 92.041251] BUG: KASAN: slab-out-of-bounds in ___bpf_prog_run+0x1b9d/0x2e20 [ 92.042408] Read of size 8 at addr ffff88800da67f68 by task test_progs/682 [ 92.043707] [ 92.044030] CPU: 1 PID: 682 Comm: test_progs Tainted: G O 5.13.0-53301-ge6c08cb33a30-dirty #87 [ 92.045542] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1 04/01/2014 [ 92.046785] Call Trace: [ 92.047171] ? __bpf_prog_run_args64+0xc0/0xc0 [ 92.047773] ? __bpf_prog_run_args32+0x8b/0xb0 [ 92.048389] ? __bpf_prog_run_args64+0xc0/0xc0 [ 92.049019] ? ktime_get+0x117/0x130 [...] // few hundred [similar] lines more [ 92.659025] ? ktime_get+0x117/0x130 [ 92.659845] ? __bpf_prog_run_args64+0xc0/0xc0 [ 92.660738] ? __bpf_prog_run_args32+0x8b/0xb0 [ 92.661528] ? __bpf_prog_run_args64+0xc0/0xc0 [ 92.662378] ? print_usage_bug+0x50/0x50 [ 92.663221] ? print_usage_bug+0x50/0x50 [ 92.664077] ? bpf_ksym_find+0x9c/0xe0 [ 92.664887] ? ktime_get+0x117/0x130 [ 92.665624] ? kernel_text_address+0xf5/0x100 [ 92.666529] ? __kernel_text_address+0xe/0x30 [ 92.667725] ? unwind_get_return_address+0x2f/0x50 [ 92.668854] ? ___bpf_prog_run+0x15d4/0x2e20 [ 92.670185] ? ktime_get+0x117/0x130 [ 92.671130] ? __bpf_prog_run_args64+0xc0/0xc0 [ 92.672020] ? __bpf_prog_run_args32+0x8b/0xb0 [ 92.672860] ? __bpf_prog_run_args64+0xc0/0xc0 [ 92.675159] ? ktime_get+0x117/0x130 [ 92.677074] ? lock_is_held_type+0xd5/0x130 [ 92.678662] ? ___bpf_prog_run+0x15d4/0x2e20 [ 92.680046] ? ktime_get+0x117/0x130 [ 92.681285] ? __bpf_prog_run32+0x6b/0x90 [ 92.682601] ? __bpf_prog_run64+0x90/0x90 [ 92.683636] ? lock_downgrade+0x370/0x370 [ 92.684647] ? mark_held_locks+0x44/0x90 [ 92.685652] ? ktime_get+0x117/0x130 [ 92.686752] ? lockdep_hardirqs_on+0x79/0x100 [ 92.688004] ? ktime_get+0x117/0x130 [ 92.688573] ? __cant_migrate+0x2b/0x80 [ 92.689192] ? bpf_test_run+0x2f4/0x510 [ 92.689869] ? bpf_test_timer_continue+0x1c0/0x1c0 [ 92.690856] ? rcu_read_lock_bh_held+0x90/0x90 [ 92.691506] ? __kasan_slab_alloc+0x61/0x80 [ 92.692128] ? eth_type_trans+0x128/0x240 [ 92.692737] ? __build_skb+0x46/0x50 [ 92.693252] ? bpf_prog_test_run_skb+0x65e/0xc50 [ 92.693954] ? bpf_prog_test_run_raw_tp+0x2d0/0x2d0 [ 92.694639] ? __fget_light+0xa1/0x100 [ 92.695162] ? bpf_prog_inc+0x23/0x30 [ 92.695685] ? __sys_bpf+0xb40/0x2c80 [ 92.696324] ? bpf_link_get_from_fd+0x90/0x90 [ 92.697150] ? mark_held_locks+0x24/0x90 [ 92.698007] ? lockdep_hardirqs_on_prepare+0x124/0x220 [ 92.699045] ? finish_task_switch+0xe6/0x370 [ 92.700072] ? lockdep_hardirqs_on+0x79/0x100 [ 92.701233] ? finish_task_switch+0x11d/0x370 [ 92.702264] ? __switch_to+0x2c0/0x740 [ 92.703148] ? mark_held_locks+0x24/0x90 [ 92.704155] ? __x64_sys_bpf+0x45/0x50 [ 92.705146] ? do_syscall_64+0x35/0x80 [ 92.706953] ? entry_SYSCALL_64_after_hwframe+0x44/0xae [...] Turns out that the program rejection from e411901c0b77 ("bpf: allow for tailcalls in BPF subprograms for x64 JIT") is buggy since env->prog->aux->tail_call_reachable is never true. Commit ebf7d1f508a7 ("bpf, x64: rework pro/epilogue and tailcall handling in JIT") added a tracker into check_max_stack_depth() which propagates the tail_call_reachable condition throughout the subprograms. This info is then assigned to the subprogram's ---truncated---
AI Analysis
Technical Summary
CVE-2021-47300 is a vulnerability identified in the Linux kernel's eBPF (extended Berkeley Packet Filter) subsystem, specifically related to the handling of tail calls within BPF subprograms when the Just-In-Time (JIT) compiler fails. The eBPF subsystem allows for running sandboxed programs in the kernel, commonly used for networking, tracing, and security purposes. The vulnerability arises from a logic flaw in the kernel's verification and execution of BPF programs. When the JIT compiler fails to compile subprograms, the kernel falls back to interpreting the BPF bytecode. However, due to a bug in the tail call reachability tracking, the kernel incorrectly rejects certain programs or mishandles tail calls, leading to a use-after-free condition and slab-out-of-bounds memory access. This can cause kernel crashes (freezes) or potentially allow an attacker to execute arbitrary code within the kernel context. The root cause is tied to improper propagation of the tail_call_reachable flag across subprograms during verification and execution, introduced in commits related to tail call handling and JIT prologue/epilogue rework. The vulnerability manifests under specific failure conditions of the JIT compiler and affects Linux kernel versions containing the faulty commits. While no public exploits are known, the vulnerability could be triggered by maliciously crafted BPF programs, which are often loaded by privileged users or processes with BPF capabilities. The detailed kernel logs indicate a KASAN (Kernel Address Sanitizer) detected out-of-bounds read, confirming memory safety violations. This vulnerability is significant because eBPF is widely used in modern Linux systems for performance monitoring, security enforcement, and networking, making the kernel susceptible to stability and security issues if exploited.
Potential Impact
For European organizations, the impact of CVE-2021-47300 can be substantial, especially for those relying on Linux-based infrastructure for critical services such as cloud computing, telecommunications, financial services, and industrial control systems. Exploitation could lead to kernel panics causing denial of service (DoS), disrupting business operations and service availability. More critically, if leveraged for arbitrary code execution, attackers could gain kernel-level privileges, bypassing security controls, potentially leading to full system compromise, data breaches, or lateral movement within networks. Given the prevalence of Linux in servers, containers, and embedded devices across Europe, this vulnerability poses a risk to a broad range of sectors. Organizations using eBPF-based security tools or network functions could be particularly exposed. The lack of known exploits reduces immediate risk but does not eliminate the threat, as attackers may develop exploits once the vulnerability details are public. The complexity of the vulnerability and requirement for crafted BPF programs suggest that exploitation may require privileged access or sophisticated attack vectors, somewhat limiting exposure to external attackers but increasing risk from insider threats or compromised accounts.
Mitigation Recommendations
1. Apply kernel updates: Organizations should promptly apply Linux kernel patches that address CVE-2021-47300 once available from their distribution vendors. Since this vulnerability is in the kernel, updating to a fixed kernel version is the most effective mitigation. 2. Restrict BPF usage: Limit the ability to load and run BPF programs to trusted users and processes only. Use Linux capabilities (CAP_BPF and CAP_SYS_ADMIN) judiciously to reduce attack surface. 3. Harden container environments: For containerized workloads, ensure that container runtimes and orchestrators restrict BPF program loading and usage, preventing untrusted containers from exploiting this vulnerability. 4. Monitor kernel logs: Enable and monitor kernel logs for signs of unusual BPF activity or kernel crashes that may indicate exploitation attempts. 5. Use security modules: Employ Linux Security Modules (LSMs) like SELinux or AppArmor to enforce policies restricting BPF program loading and execution. 6. Network segmentation: Isolate critical Linux hosts running eBPF programs to limit exposure to potentially compromised systems. 7. Incident response readiness: Prepare for potential exploitation by having incident response plans that include kernel-level compromise scenarios and forensic capabilities to analyze kernel memory and logs.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland
CVE-2021-47300: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: bpf: Fix tail_call_reachable rejection for interpreter when jit failed During testing of f263a81451c1 ("bpf: Track subprog poke descriptors correctly and fix use-after-free") under various failure conditions, for example, when jit_subprogs() fails and tries to clean up the program to be run under the interpreter, we ran into the following freeze: [...] #127/8 tailcall_bpf2bpf_3:FAIL [...] [ 92.041251] BUG: KASAN: slab-out-of-bounds in ___bpf_prog_run+0x1b9d/0x2e20 [ 92.042408] Read of size 8 at addr ffff88800da67f68 by task test_progs/682 [ 92.043707] [ 92.044030] CPU: 1 PID: 682 Comm: test_progs Tainted: G O 5.13.0-53301-ge6c08cb33a30-dirty #87 [ 92.045542] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1 04/01/2014 [ 92.046785] Call Trace: [ 92.047171] ? __bpf_prog_run_args64+0xc0/0xc0 [ 92.047773] ? __bpf_prog_run_args32+0x8b/0xb0 [ 92.048389] ? __bpf_prog_run_args64+0xc0/0xc0 [ 92.049019] ? ktime_get+0x117/0x130 [...] // few hundred [similar] lines more [ 92.659025] ? ktime_get+0x117/0x130 [ 92.659845] ? __bpf_prog_run_args64+0xc0/0xc0 [ 92.660738] ? __bpf_prog_run_args32+0x8b/0xb0 [ 92.661528] ? __bpf_prog_run_args64+0xc0/0xc0 [ 92.662378] ? print_usage_bug+0x50/0x50 [ 92.663221] ? print_usage_bug+0x50/0x50 [ 92.664077] ? bpf_ksym_find+0x9c/0xe0 [ 92.664887] ? ktime_get+0x117/0x130 [ 92.665624] ? kernel_text_address+0xf5/0x100 [ 92.666529] ? __kernel_text_address+0xe/0x30 [ 92.667725] ? unwind_get_return_address+0x2f/0x50 [ 92.668854] ? ___bpf_prog_run+0x15d4/0x2e20 [ 92.670185] ? ktime_get+0x117/0x130 [ 92.671130] ? __bpf_prog_run_args64+0xc0/0xc0 [ 92.672020] ? __bpf_prog_run_args32+0x8b/0xb0 [ 92.672860] ? __bpf_prog_run_args64+0xc0/0xc0 [ 92.675159] ? ktime_get+0x117/0x130 [ 92.677074] ? lock_is_held_type+0xd5/0x130 [ 92.678662] ? ___bpf_prog_run+0x15d4/0x2e20 [ 92.680046] ? ktime_get+0x117/0x130 [ 92.681285] ? __bpf_prog_run32+0x6b/0x90 [ 92.682601] ? __bpf_prog_run64+0x90/0x90 [ 92.683636] ? lock_downgrade+0x370/0x370 [ 92.684647] ? mark_held_locks+0x44/0x90 [ 92.685652] ? ktime_get+0x117/0x130 [ 92.686752] ? lockdep_hardirqs_on+0x79/0x100 [ 92.688004] ? ktime_get+0x117/0x130 [ 92.688573] ? __cant_migrate+0x2b/0x80 [ 92.689192] ? bpf_test_run+0x2f4/0x510 [ 92.689869] ? bpf_test_timer_continue+0x1c0/0x1c0 [ 92.690856] ? rcu_read_lock_bh_held+0x90/0x90 [ 92.691506] ? __kasan_slab_alloc+0x61/0x80 [ 92.692128] ? eth_type_trans+0x128/0x240 [ 92.692737] ? __build_skb+0x46/0x50 [ 92.693252] ? bpf_prog_test_run_skb+0x65e/0xc50 [ 92.693954] ? bpf_prog_test_run_raw_tp+0x2d0/0x2d0 [ 92.694639] ? __fget_light+0xa1/0x100 [ 92.695162] ? bpf_prog_inc+0x23/0x30 [ 92.695685] ? __sys_bpf+0xb40/0x2c80 [ 92.696324] ? bpf_link_get_from_fd+0x90/0x90 [ 92.697150] ? mark_held_locks+0x24/0x90 [ 92.698007] ? lockdep_hardirqs_on_prepare+0x124/0x220 [ 92.699045] ? finish_task_switch+0xe6/0x370 [ 92.700072] ? lockdep_hardirqs_on+0x79/0x100 [ 92.701233] ? finish_task_switch+0x11d/0x370 [ 92.702264] ? __switch_to+0x2c0/0x740 [ 92.703148] ? mark_held_locks+0x24/0x90 [ 92.704155] ? __x64_sys_bpf+0x45/0x50 [ 92.705146] ? do_syscall_64+0x35/0x80 [ 92.706953] ? entry_SYSCALL_64_after_hwframe+0x44/0xae [...] Turns out that the program rejection from e411901c0b77 ("bpf: allow for tailcalls in BPF subprograms for x64 JIT") is buggy since env->prog->aux->tail_call_reachable is never true. Commit ebf7d1f508a7 ("bpf, x64: rework pro/epilogue and tailcall handling in JIT") added a tracker into check_max_stack_depth() which propagates the tail_call_reachable condition throughout the subprograms. This info is then assigned to the subprogram's ---truncated---
AI-Powered Analysis
Technical Analysis
CVE-2021-47300 is a vulnerability identified in the Linux kernel's eBPF (extended Berkeley Packet Filter) subsystem, specifically related to the handling of tail calls within BPF subprograms when the Just-In-Time (JIT) compiler fails. The eBPF subsystem allows for running sandboxed programs in the kernel, commonly used for networking, tracing, and security purposes. The vulnerability arises from a logic flaw in the kernel's verification and execution of BPF programs. When the JIT compiler fails to compile subprograms, the kernel falls back to interpreting the BPF bytecode. However, due to a bug in the tail call reachability tracking, the kernel incorrectly rejects certain programs or mishandles tail calls, leading to a use-after-free condition and slab-out-of-bounds memory access. This can cause kernel crashes (freezes) or potentially allow an attacker to execute arbitrary code within the kernel context. The root cause is tied to improper propagation of the tail_call_reachable flag across subprograms during verification and execution, introduced in commits related to tail call handling and JIT prologue/epilogue rework. The vulnerability manifests under specific failure conditions of the JIT compiler and affects Linux kernel versions containing the faulty commits. While no public exploits are known, the vulnerability could be triggered by maliciously crafted BPF programs, which are often loaded by privileged users or processes with BPF capabilities. The detailed kernel logs indicate a KASAN (Kernel Address Sanitizer) detected out-of-bounds read, confirming memory safety violations. This vulnerability is significant because eBPF is widely used in modern Linux systems for performance monitoring, security enforcement, and networking, making the kernel susceptible to stability and security issues if exploited.
Potential Impact
For European organizations, the impact of CVE-2021-47300 can be substantial, especially for those relying on Linux-based infrastructure for critical services such as cloud computing, telecommunications, financial services, and industrial control systems. Exploitation could lead to kernel panics causing denial of service (DoS), disrupting business operations and service availability. More critically, if leveraged for arbitrary code execution, attackers could gain kernel-level privileges, bypassing security controls, potentially leading to full system compromise, data breaches, or lateral movement within networks. Given the prevalence of Linux in servers, containers, and embedded devices across Europe, this vulnerability poses a risk to a broad range of sectors. Organizations using eBPF-based security tools or network functions could be particularly exposed. The lack of known exploits reduces immediate risk but does not eliminate the threat, as attackers may develop exploits once the vulnerability details are public. The complexity of the vulnerability and requirement for crafted BPF programs suggest that exploitation may require privileged access or sophisticated attack vectors, somewhat limiting exposure to external attackers but increasing risk from insider threats or compromised accounts.
Mitigation Recommendations
1. Apply kernel updates: Organizations should promptly apply Linux kernel patches that address CVE-2021-47300 once available from their distribution vendors. Since this vulnerability is in the kernel, updating to a fixed kernel version is the most effective mitigation. 2. Restrict BPF usage: Limit the ability to load and run BPF programs to trusted users and processes only. Use Linux capabilities (CAP_BPF and CAP_SYS_ADMIN) judiciously to reduce attack surface. 3. Harden container environments: For containerized workloads, ensure that container runtimes and orchestrators restrict BPF program loading and usage, preventing untrusted containers from exploiting this vulnerability. 4. Monitor kernel logs: Enable and monitor kernel logs for signs of unusual BPF activity or kernel crashes that may indicate exploitation attempts. 5. Use security modules: Employ Linux Security Modules (LSMs) like SELinux or AppArmor to enforce policies restricting BPF program loading and execution. 6. Network segmentation: Isolate critical Linux hosts running eBPF programs to limit exposure to potentially compromised systems. 7. Incident response readiness: Prepare for potential exploitation by having incident response plans that include kernel-level compromise scenarios and forensic capabilities to analyze kernel memory and logs.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2024-05-21T13:27:52.132Z
- Cisa Enriched
- true
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 682d9835c4522896dcbea360
Added to database: 5/21/2025, 9:09:09 AM
Last enriched: 6/26/2025, 11:08:41 AM
Last updated: 8/15/2025, 5:52:12 PM
Views: 12
Related Threats
CVE-2025-9169: Cross Site Scripting in SolidInvoice
MediumCVE-2025-9168: Cross Site Scripting in SolidInvoice
MediumCVE-2025-8364: Address bar spoofing using an blob URI on Firefox for Android in Mozilla Firefox
HighCVE-2025-8042: Sandboxed iframe could start downloads in Mozilla Firefox
HighCVE-2025-8041: Incorrect URL truncation in Firefox for Android in Mozilla Firefox
HighActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.