CVE-2021-47304: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: tcp: fix tcp_init_transfer() to not reset icsk_ca_initialized This commit fixes a bug (found by syzkaller) that could cause spurious double-initializations for congestion control modules, which could cause memory leaks or other problems for congestion control modules (like CDG) that allocate memory in their init functions. The buggy scenario constructed by syzkaller was something like: (1) create a TCP socket (2) initiate a TFO connect via sendto() (3) while socket is in TCP_SYN_SENT, call setsockopt(TCP_CONGESTION), which calls: tcp_set_congestion_control() -> tcp_reinit_congestion_control() -> tcp_init_congestion_control() (4) receive ACK, connection is established, call tcp_init_transfer(), set icsk_ca_initialized=0 (without first calling cc->release()), call tcp_init_congestion_control() again. Note that in this sequence tcp_init_congestion_control() is called twice without a cc->release() call in between. Thus, for CC modules that allocate memory in their init() function, e.g, CDG, a memory leak may occur. The syzkaller tool managed to find a reproducer that triggered such a leak in CDG. The bug was introduced when that commit 8919a9b31eb4 ("tcp: Only init congestion control if not initialized already") introduced icsk_ca_initialized and set icsk_ca_initialized to 0 in tcp_init_transfer(), missing the possibility for a sequence like the one above, where a process could call setsockopt(TCP_CONGESTION) in state TCP_SYN_SENT (i.e. after the connect() or TFO open sendmsg()), which would call tcp_init_congestion_control(). It did not intend to reset any initialization that the user had already explicitly made; it just missed the possibility of that particular sequence (which syzkaller managed to find).
AI Analysis
Technical Summary
CVE-2021-47304 is a vulnerability in the Linux kernel's TCP congestion control initialization logic. The issue arises from a bug in the tcp_init_transfer() function, which resets the icsk_ca_initialized flag improperly during TCP connection establishment. Specifically, when a TCP socket is created and a TCP Fast Open (TFO) connect is initiated via sendto(), if a setsockopt() call to change the TCP congestion control algorithm (TCP_CONGESTION) occurs while the socket is in the TCP_SYN_SENT state, the kernel calls tcp_init_congestion_control() twice without releasing the previously allocated congestion control module resources. This double initialization can cause memory leaks or other undefined behavior in congestion control modules that allocate memory during their init functions, such as the CDG module. The root cause is that tcp_init_transfer() resets the icsk_ca_initialized flag to zero without first calling the release method of the congestion control module, leading to resource leaks. The bug was introduced by a previous commit that aimed to avoid reinitializing congestion control if already initialized but missed this particular sequence involving TFO and setsockopt calls during connection establishment. The vulnerability was discovered by the syzkaller fuzzing tool, which also produced a reproducer triggering the memory leak in the CDG congestion control module. No known exploits are reported in the wild, and no CVSS score has been assigned yet. The vulnerability affects Linux kernel versions containing the faulty commit 8919a9b31eb4fb4c0a93e5fb350a626924302aa6. This flaw impacts the kernel's TCP stack, a critical component for network communication, and could lead to resource exhaustion or instability in affected systems under specific conditions.
Potential Impact
For European organizations, this vulnerability poses a risk primarily to systems running affected Linux kernel versions with TCP congestion control modules that allocate memory during initialization, such as CDG. The impact includes potential memory leaks that could degrade system performance or cause instability in network communication services. This is particularly concerning for servers and network infrastructure devices handling high volumes of TCP connections or using TCP Fast Open, such as web servers, application servers, and network appliances. While no direct remote code execution or privilege escalation is indicated, the memory leak could be exploited in a denial-of-service (DoS) scenario by triggering repeated connection attempts with setsockopt calls, leading to resource exhaustion. Organizations relying heavily on Linux-based infrastructure for critical services may experience degraded availability or require increased maintenance to mitigate system instability. The lack of known exploits reduces immediate risk, but the vulnerability's presence in the kernel TCP stack means that attackers with network access could attempt to exploit it. European entities in sectors such as finance, telecommunications, and government, which often use Linux servers and network devices, should be particularly vigilant. Additionally, the use of TCP Fast Open in modern applications increases the attack surface. The vulnerability does not appear to compromise confidentiality or integrity directly but can impact availability and reliability of network services.
Mitigation Recommendations
To mitigate this vulnerability, European organizations should prioritize updating their Linux kernels to versions where this bug is fixed. Applying the latest stable kernel patches from trusted Linux distributions is the most effective measure. For environments where immediate patching is not feasible, organizations should consider disabling TCP Fast Open if it is not required, as this feature is involved in the vulnerability trigger sequence. Additionally, restricting or monitoring the use of setsockopt calls to change TCP congestion control algorithms during connection establishment could reduce exploitation risk. Network administrators should implement monitoring for unusual TCP connection patterns or repeated setsockopt invocations that could indicate attempts to trigger the bug. For critical systems, consider isolating vulnerable hosts behind firewalls or network segmentation to limit exposure. Regularly audit and update congestion control modules, especially those like CDG that allocate memory during initialization. Finally, maintain robust system resource monitoring to detect early signs of memory leaks or resource exhaustion, enabling proactive incident response.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain
CVE-2021-47304: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: tcp: fix tcp_init_transfer() to not reset icsk_ca_initialized This commit fixes a bug (found by syzkaller) that could cause spurious double-initializations for congestion control modules, which could cause memory leaks or other problems for congestion control modules (like CDG) that allocate memory in their init functions. The buggy scenario constructed by syzkaller was something like: (1) create a TCP socket (2) initiate a TFO connect via sendto() (3) while socket is in TCP_SYN_SENT, call setsockopt(TCP_CONGESTION), which calls: tcp_set_congestion_control() -> tcp_reinit_congestion_control() -> tcp_init_congestion_control() (4) receive ACK, connection is established, call tcp_init_transfer(), set icsk_ca_initialized=0 (without first calling cc->release()), call tcp_init_congestion_control() again. Note that in this sequence tcp_init_congestion_control() is called twice without a cc->release() call in between. Thus, for CC modules that allocate memory in their init() function, e.g, CDG, a memory leak may occur. The syzkaller tool managed to find a reproducer that triggered such a leak in CDG. The bug was introduced when that commit 8919a9b31eb4 ("tcp: Only init congestion control if not initialized already") introduced icsk_ca_initialized and set icsk_ca_initialized to 0 in tcp_init_transfer(), missing the possibility for a sequence like the one above, where a process could call setsockopt(TCP_CONGESTION) in state TCP_SYN_SENT (i.e. after the connect() or TFO open sendmsg()), which would call tcp_init_congestion_control(). It did not intend to reset any initialization that the user had already explicitly made; it just missed the possibility of that particular sequence (which syzkaller managed to find).
AI-Powered Analysis
Technical Analysis
CVE-2021-47304 is a vulnerability in the Linux kernel's TCP congestion control initialization logic. The issue arises from a bug in the tcp_init_transfer() function, which resets the icsk_ca_initialized flag improperly during TCP connection establishment. Specifically, when a TCP socket is created and a TCP Fast Open (TFO) connect is initiated via sendto(), if a setsockopt() call to change the TCP congestion control algorithm (TCP_CONGESTION) occurs while the socket is in the TCP_SYN_SENT state, the kernel calls tcp_init_congestion_control() twice without releasing the previously allocated congestion control module resources. This double initialization can cause memory leaks or other undefined behavior in congestion control modules that allocate memory during their init functions, such as the CDG module. The root cause is that tcp_init_transfer() resets the icsk_ca_initialized flag to zero without first calling the release method of the congestion control module, leading to resource leaks. The bug was introduced by a previous commit that aimed to avoid reinitializing congestion control if already initialized but missed this particular sequence involving TFO and setsockopt calls during connection establishment. The vulnerability was discovered by the syzkaller fuzzing tool, which also produced a reproducer triggering the memory leak in the CDG congestion control module. No known exploits are reported in the wild, and no CVSS score has been assigned yet. The vulnerability affects Linux kernel versions containing the faulty commit 8919a9b31eb4fb4c0a93e5fb350a626924302aa6. This flaw impacts the kernel's TCP stack, a critical component for network communication, and could lead to resource exhaustion or instability in affected systems under specific conditions.
Potential Impact
For European organizations, this vulnerability poses a risk primarily to systems running affected Linux kernel versions with TCP congestion control modules that allocate memory during initialization, such as CDG. The impact includes potential memory leaks that could degrade system performance or cause instability in network communication services. This is particularly concerning for servers and network infrastructure devices handling high volumes of TCP connections or using TCP Fast Open, such as web servers, application servers, and network appliances. While no direct remote code execution or privilege escalation is indicated, the memory leak could be exploited in a denial-of-service (DoS) scenario by triggering repeated connection attempts with setsockopt calls, leading to resource exhaustion. Organizations relying heavily on Linux-based infrastructure for critical services may experience degraded availability or require increased maintenance to mitigate system instability. The lack of known exploits reduces immediate risk, but the vulnerability's presence in the kernel TCP stack means that attackers with network access could attempt to exploit it. European entities in sectors such as finance, telecommunications, and government, which often use Linux servers and network devices, should be particularly vigilant. Additionally, the use of TCP Fast Open in modern applications increases the attack surface. The vulnerability does not appear to compromise confidentiality or integrity directly but can impact availability and reliability of network services.
Mitigation Recommendations
To mitigate this vulnerability, European organizations should prioritize updating their Linux kernels to versions where this bug is fixed. Applying the latest stable kernel patches from trusted Linux distributions is the most effective measure. For environments where immediate patching is not feasible, organizations should consider disabling TCP Fast Open if it is not required, as this feature is involved in the vulnerability trigger sequence. Additionally, restricting or monitoring the use of setsockopt calls to change TCP congestion control algorithms during connection establishment could reduce exploitation risk. Network administrators should implement monitoring for unusual TCP connection patterns or repeated setsockopt invocations that could indicate attempts to trigger the bug. For critical systems, consider isolating vulnerable hosts behind firewalls or network segmentation to limit exposure. Regularly audit and update congestion control modules, especially those like CDG that allocate memory during initialization. Finally, maintain robust system resource monitoring to detect early signs of memory leaks or resource exhaustion, enabling proactive incident response.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2024-05-21T13:27:52.133Z
- Cisa Enriched
- true
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 682d9835c4522896dcbea39d
Added to database: 5/21/2025, 9:09:09 AM
Last enriched: 6/26/2025, 11:07:39 AM
Last updated: 7/29/2025, 3:44:52 PM
Views: 11
Related Threats
CVE-2025-9022: SQL Injection in SourceCodester Online Bank Management System
MediumCVE-2025-9021: SQL Injection in SourceCodester Online Bank Management System
MediumCVE-2025-9020: Use After Free in PX4 PX4-Autopilot
LowCVE-2025-8604: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in wptb WP Table Builder – WordPress Table Plugin
MediumCVE-2025-9016: Uncontrolled Search Path in Mechrevo Control Center GX V2
HighActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.