CVE-2021-47363: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

nexthop: Fix division by zero while replacing a resilient group

The resilient nexthop group torture tests in fib_nexthop.sh exposed a possible division by zero while replacing a resilient group [1]. The division by zero occurs when the data path sees a resilient nexthop group with zero buckets.

The tests replace a resilient nexthop group in a loop while traffic is forwarded through it. The tests do not specify the number of buckets while performing the replacement, resulting in the kernel allocating a stub resilient table (i.e., 'struct nh_res_table') with zero buckets.

This table should never be visible to the data path, but the old nexthop group (i.e., 'oldg') might still be used by the data path when the stub table is assigned to it.

Fix this by only assigning the stub table to the old nexthop group after making sure the group is no longer used by the data path.

Tested with fib_nexthops.sh:

Tests passed: 222
Tests failed: 0

[1]
divide error: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 1850 Comm: ping Not tainted 5.14.0-custom-10271-ga86eb53057fe #1107
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-4.fc34 04/01/2014
RIP: 0010:nexthop_select_path+0x2d2/0x1a80
[...]
Call Trace:
 fib_select_multipath+0x79b/0x1530
 fib_select_path+0x8fb/0x1c10
 ip_route_output_key_hash_rcu+0x1198/0x2da0
 ip_route_output_key_hash+0x190/0x340
 ip_route_output_flow+0x21/0x120
 raw_sendmsg+0x91d/0x2e10
 inet_sendmsg+0x9e/0xe0
 __sys_sendto+0x23d/0x360
 __x64_sys_sendto+0xe1/0x1b0
 do_syscall_64+0x35/0x80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
AI Analysis
Technical Summary
CVE-2021-47363 is a vulnerability in the Linux kernel's networking subsystem, specifically in the resilient nexthop group implementation. It is a division by zero that occurs when the data path sees a resilient nexthop group whose table has zero buckets while that group is being replaced. The condition was exposed by the fib_nexthop.sh torture tests, which repeatedly replace a resilient nexthop group while traffic is forwarded through it. The tests do not specify the number of buckets during replacement, so the kernel allocates a stub resilient table with zero buckets. This stub table should never be visible to the data path, but the old nexthop group may still be in use by the data path when the stub table is assigned to it, which triggers the division by zero. The error manifests as a kernel crash (divide error) and can cause a denial of service (DoS) by crashing the kernel or disrupting network traffic forwarding. The fix assigns the stub table to the old nexthop group only after confirming that the group is no longer used by the data path. The fix was tested with fib_nexthops.sh, with 222 tests passing and zero failing. The vulnerability affects Linux kernel versions prior to the patch and is relevant to systems using resilient nexthop groups for multipath routing and traffic forwarding. No known exploits are reported in the wild, and no CVSS score has been assigned yet.
Potential Impact
For European organizations, this vulnerability poses a risk primarily to network infrastructure and servers running vulnerable Linux kernel versions that utilize resilient nexthop groups for routing. The division by zero error can lead to kernel panics and system crashes, resulting in denial of service conditions that disrupt network connectivity and critical services. This can affect data center operations, cloud service providers, telecom infrastructure, and enterprises relying on Linux-based routing or multipath forwarding. The impact on confidentiality and integrity is limited as this is not a direct code execution or privilege escalation vulnerability, but availability can be significantly affected. Organizations with high network traffic and complex routing setups are more susceptible. The lack of known exploits reduces immediate risk, but unpatched systems remain vulnerable to potential future attacks or accidental triggering of the bug through malformed routing configurations or stress testing. Given the widespread use of Linux in European IT infrastructure, the vulnerability could affect a broad range of sectors including finance, government, telecommunications, and critical infrastructure.
Mitigation Recommendations
European organizations should promptly identify Linux systems running kernel versions affected by this vulnerability and apply the official patches provided by Linux kernel maintainers. Since the issue is in the kernel networking code, updating to the latest stable kernel release that includes the fix is essential. For environments where immediate patching is challenging, mitigating exposure by limiting the use of resilient nexthop groups or disabling multipath routing features temporarily can reduce risk. Network administrators should audit routing configurations to ensure no zero-bucket resilient nexthop groups are configured or in use. Monitoring kernel logs for divide errors or unusual network stack crashes can help detect attempts to trigger the vulnerability. Additionally, organizations should implement robust change management and testing procedures for kernel updates to avoid service disruptions. Coordination with Linux distribution vendors for timely security updates and applying those updates in a controlled manner is recommended. Finally, network segmentation and redundancy can help minimize the impact of potential DoS conditions caused by this vulnerability.
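The recommendation above to monitor kernel logs for divide errors can be made specific to this bug by keying on the faulting symbol from the quoted trace. The following Python is an added example, not code from the advisory or from the kernel project. It assumes dmesg-style lines with bracketed timestamps; the sample log is constructed (the first oops reuses lines from the trace in the description, the second uses hypothetical names such as example_driver_poll).

```python
import re

TS_RE = re.compile(r"^\[\s*\d+\.\d+\]\s?")            # dmesg timestamp prefix
OOPS_RE = re.compile(r"divide error: \d+ \[#\d+\]")   # oops header, as in the quoted trace
RIP_RE = re.compile(r"RIP: [0-9a-f]{4}:(?P<sym>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+")
FRAME_RE = re.compile(r"^(?:\? )?(?P<sym>[A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+(?: \[\w+\])?$")

# Constructed sample: the first oops reuses lines from the trace in the description
# (timestamps added); the second is an unrelated, made-up divide error.
SAMPLE_LOG = """\
[  812.104511] divide error: 0000 [#1] PREEMPT SMP KASAN
[  812.104530] CPU: 0 PID: 1850 Comm: ping Not tainted 5.14.0-custom-10271-ga86eb53057fe #1107
[  812.104562] RIP: 0010:nexthop_select_path+0x2d2/0x1a80
[  812.104590] Call Trace:
[  812.104601]  fib_select_multipath+0x79b/0x1530
[  812.104615]  fib_select_path+0x8fb/0x1c10
[  812.104700] ---[ end trace 0000000000000000 ]---
[  900.000001] divide error: 0000 [#2] SMP
[  900.000020] RIP: 0010:example_driver_poll+0x10/0x80 [example_drv]
[  900.000040] Call Trace:
[  900.000050]  ? example_irq+0x4/0x20 [example_drv]
"""

def find_divide_errors(log_text):
    """Return one dict per 'divide error' oops: faulting symbol (rip) and call trace."""
    events, current, in_trace = [], None, False
    for raw in log_text.splitlines():
        line = TS_RE.sub("", raw).strip()
        if OOPS_RE.search(line):
            current, in_trace = {"rip": None, "trace": []}, False
            events.append(current)
        elif current is None:
            continue
        elif line.startswith("---[ end trace"):
            current = None
        elif line.startswith("Call Trace:"):
            in_trace = True
        elif current["rip"] is None and RIP_RE.search(line):
            current["rip"] = RIP_RE.search(line).group("sym")
        elif in_trace and FRAME_RE.match(line):
            current["trace"].append(FRAME_RE.match(line).group("sym"))
    return events

def matches_cve_2021_47363(event):
    """Signature from the advisory: divide error raised inside nexthop_select_path."""
    # Strip compiler suffixes such as .constprop.0 before comparing.
    return (event["rip"] or "").split(".")[0] == "nexthop_select_path"

if __name__ == "__main__":
    for ev in find_divide_errors(SAMPLE_LOG):
        print(ev["rip"], "MATCH" if matches_cve_2021_47363(ev) else "other", ev["trace"])
```

The call trace is collected for triage only; the match keys on the RIP symbol because the frames above it differ depending on which routing path reached the nexthop selection.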
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden, Belgium, Finland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-05-21T14:58:30.809Z
- Cisa Enriched: true
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9833c4522896dcbe8f28
Added to database: 5/21/2025, 9:09:07 AM
Last enriched: 6/30/2025, 11:57:59 AM
Last updated: 8/6/2025, 1:46:41 PM