CVE-2021-47371: Vulnerability in the Linux kernel

Severity: High
Published: Tue May 21 2024 (05/21/2024, 15:03:36 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

nexthop: Fix memory leaks in nexthop notification chain listeners

syzkaller discovered memory leaks [1] that can be reduced to the following commands:

    # ip nexthop add id 1 blackhole
    # devlink dev reload pci/0000:06:00.0

As part of the reload flow, mlxsw will unregister its netdevs and then unregister from the nexthop notification chain. Before unregistering from the notification chain, mlxsw will receive delete notifications for nexthop objects using netdevs registered by mlxsw or their uppers. mlxsw will not receive notifications for nexthops using netdevs that are not dismantled as part of the reload flow. For example, the blackhole nexthop above that internally uses the loopback netdev as its nexthop device.

One way to fix this problem is to have listeners flush their nexthop tables after unregistering from the notification chain. This is error-prone as evident by this patch and also not symmetric with the registration path where a listener receives a dump of all the existing nexthops.

Therefore, fix this problem by replaying delete notifications for the listener being unregistered. This is symmetric to the registration path and also consistent with the netdev notification chain.

The above means that unregister_nexthop_notifier(), like register_nexthop_notifier(), will have to take RTNL in order to iterate over the existing nexthops and that any callers of the function cannot hold RTNL. This is true for mlxsw and netdevsim, but not for the VXLAN driver. To avoid a deadlock, change the latter to unregister its nexthop listener without holding RTNL, making it symmetric to the registration path.

[1]
    unreferenced object 0xffff88806173d600 (size 512):
      comm "syz-executor.0", pid 1290, jiffies 4295583142 (age 143.507s)
      hex dump (first 32 bytes):
        41 9d 1e 60 80 88 ff ff 08 d6 73 61 80 88 ff ff  A..`......sa....
        08 d6 73 61 80 88 ff ff 01 00 00 00 00 00 00 00  ..sa............
      backtrace:
        [<ffffffff81a6b576>] kmemleak_alloc_recursive include/linux/kmemleak.h:43 [inline]
        [<ffffffff81a6b576>] slab_post_alloc_hook+0x96/0x490 mm/slab.h:522
        [<ffffffff81a716d3>] slab_alloc_node mm/slub.c:3206 [inline]
        [<ffffffff81a716d3>] slab_alloc mm/slub.c:3214 [inline]
        [<ffffffff81a716d3>] kmem_cache_alloc_trace+0x163/0x370 mm/slub.c:3231
        [<ffffffff82e8681a>] kmalloc include/linux/slab.h:591 [inline]
        [<ffffffff82e8681a>] kzalloc include/linux/slab.h:721 [inline]
        [<ffffffff82e8681a>] mlxsw_sp_nexthop_obj_group_create drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c:4918 [inline]
        [<ffffffff82e8681a>] mlxsw_sp_nexthop_obj_new drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c:5054 [inline]
        [<ffffffff82e8681a>] mlxsw_sp_nexthop_obj_event+0x59a/0x2910 drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c:5239
        [<ffffffff813ef67d>] notifier_call_chain+0xbd/0x210 kernel/notifier.c:83
        [<ffffffff813f0662>] blocking_notifier_call_chain kernel/notifier.c:318 [inline]
        [<ffffffff813f0662>] blocking_notifier_call_chain+0x72/0xa0 kernel/notifier.c:306
        [<ffffffff8384b9c6>] call_nexthop_notifiers+0x156/0x310 net/ipv4/nexthop.c:244
        [<ffffffff83852bd8>] insert_nexthop net/ipv4/nexthop.c:2336 [inline]
        [<ffffffff83852bd8>] nexthop_add net/ipv4/nexthop.c:2644 [inline]
        [<ffffffff83852bd8>] rtm_new_nexthop+0x14e8/0x4d10 net/ipv4/nexthop.c:2913
        [<ffffffff833e9a78>] rtnetlink_rcv_msg+0x448/0xbf0 net/core/rtnetlink.c:5572
        [<ffffffff83608703>] netlink_rcv_skb+0x173/0x480 net/netlink/af_netlink.c:2504
        [<ffffffff833de032>] rtnetlink_rcv+0x22/0x30 net/core/rtnetlink.c:5590
        [<ffffffff836069de>] netlink_unicast_kernel net/netlink/af_netlink.c:1314 [inline]
        [<ffffffff836069de>] netlink_unicast+0x5ae/0x7f0 net/netlink/af_netlink.c:1340
        [<ffffffff83607501>] netlink_sendmsg+0x8e1/0xe30 net/netlink/af_netlink.c:1929
        [<ffffffff832fde84>] sock_sendmsg_nosec net/socket.c:704 [inline
    ---truncated---

AI-Powered Analysis

Last updated: 07/03/2025, 05:11:02 UTC

Technical Analysis

CVE-2021-47371 is a high-severity memory leak in the Linux kernel's nexthop notification chain, the mechanism through which the IPv4 nexthop code informs listeners such as hardware offload drivers about nexthop objects. The leak surfaces during the devlink reload flow of the Mellanox Spectrum (mlxsw) driver: the driver unregisters its network devices (netdevs) and then unregisters from the nexthop notification chain. While its netdevs are torn down, mlxsw receives delete notifications for nexthops that use those netdevs or their uppers, but nothing tells it about nexthops whose devices survive the reload, for example a blackhole nexthop, which internally uses the loopback device. Those entries remain allocated in the driver's own nexthop tables after it has left the chain. The syzkaller kmemleak report shows exactly that: an object allocated in mlxsw_sp_nexthop_obj_group_create() while handling a nexthop add notification is never freed. One option would be for every listener to flush its own tables after unregistering, but that is error-prone and asymmetric with registration, where a listener receives a dump of all existing nexthops. The fix instead replays delete notifications for every existing nexthop to the listener being unregistered, mirroring the registration path and the netdev notification chain. Because unregister_nexthop_notifier() must now take RTNL to iterate over the nexthops, its callers cannot hold RTNL; mlxsw and netdevsim already satisfied that, and the VXLAN driver was changed to unregister its listener without holding RTNL to avoid a deadlock. The CVSS v3.1 base score is 7.1 (high): attack vector local (AV:L), low attack complexity (AC:L), low privileges required (PR:L), no user interaction (UI:N), unchanged scope (S:U), no confidentiality impact (C:N), and high integrity (I:H) and availability (A:H) impacts.
In practice this means exploitation requires local access with some privileges (the reproducer adds a nexthop and reloads a device, both administrative network operations), and repeated leaks can exhaust kernel memory and destabilise the networking stack or the whole system. No exploits in the wild are known. Affected systems are those running kernel versions containing the affected commits, in particular hosts using the mlxsw driver and related networking subsystems. The issue is classified under CWE-400 (Uncontrolled Resource Consumption).
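To make the asymmetry concrete, here is an added example (not the kernel's code, not from this page) that models the notification chain with a tiny in-memory nexthop table: registration dumps existing nexthops to a listener, the pre-fix unregister merely leaves the chain, and the fixed unregister replays a delete for every nexthop first. The listener type, the table, and the two-nexthop reload scenario are constructed for illustration.

```c
/* Added example, not kernel code: a model of the nexthop notifier chain in the
 * description. Register dumps existing nexthops to a listener; the old
 * unregister just leaves the chain, the fix replays a DEL for each first. */
#include <stdbool.h>
#include <string.h>
#define MAX_NH 8
enum nh_event { NH_EVENT_REPLACE, NH_EVENT_DEL };
static unsigned nh_tab[MAX_NH];    /* global nexthop ids, 0 = free slot */
/* A listener (think mlxsw) mirrors every nexthop it is notified about. */
struct listener { bool registered; unsigned ids[MAX_NH]; int count; };
static void listener_event(struct listener *l, enum nh_event ev, unsigned id)
{
    if (ev == NH_EVENT_REPLACE) { l->ids[l->count++] = id; return; }
    for (int i = 0; i < l->count; i++)
        if (l->ids[i] == id) { l->ids[i] = l->ids[--l->count]; return; }
}

/* Add (REPLACE) or delete (DEL) a nexthop, notifying a registered listener. */
static void nexthop_change(struct listener *l, enum nh_event ev, unsigned id)
{
    for (int i = 0; i < MAX_NH; i++)
        if (nh_tab[i] == (ev == NH_EVENT_DEL ? id : 0)) {  /* slot to touch */
            nh_tab[i] = ev == NH_EVENT_DEL ? 0 : id;
            if (l->registered) listener_event(l, ev, id);
            return;
        }
}

/* Registration dumps all existing nexthops; the fixed unregister replays a
 * DEL for each of them (this walk is why the kernel must hold RTNL here). */
static void notifier_walk(struct listener *l, enum nh_event ev)
{
    for (int i = 0; i < MAX_NH; i++)
        if (nh_tab[i]) listener_event(l, ev, nh_tab[i]);
}

/* Scenario from the description: blackhole nexthop id 1 uses loopback, id 2
 * the driver's own port. A devlink reload dismantles the port (DEL for id 2)
 * and then unregisters; id 1 is never deleted. Returns entries left behind. */
int entries_left_after_reload(bool fixed)
{
    struct listener l = { 0 };
    memset(nh_tab, 0, sizeof nh_tab);
    l.registered = true; notifier_walk(&l, NH_EVENT_REPLACE);  /* register */
    nexthop_change(&l, NH_EVENT_REPLACE, 1);  /* ip nexthop add id 1 blackhole */
    nexthop_change(&l, NH_EVENT_REPLACE, 2);  /* constructed: nexthop via swp1 */
    nexthop_change(&l, NH_EVENT_DEL, 2);      /* port torn down by the reload */
    if (fixed) notifier_walk(&l, NH_EVENT_DEL);  /* replay deletes first */
    l.registered = false;                        /* leave the chain */
    return l.count;                              /* 1 before the fix, 0 after */
}
```

The entry that survives in the pre-fix run corresponds to the kzalloc'd object in the kmemleak report above: the listener never hears that the blackhole nexthop is gone, so it never frees its copy.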

Potential Impact

For European organizations, the impact of CVE-2021-47371 can be significant, especially for those relying on Linux-based infrastructure with Mellanox Spectrum switches or similar hardware using the mlxsw driver. The memory leak can lead to resource exhaustion, causing degraded network performance, denial of service, or system crashes. This can disrupt critical services such as data centers, cloud providers, telecommunications, and enterprises with high network throughput requirements. Given the local attack vector, the threat is more relevant to environments where untrusted or semi-trusted users have local access, such as multi-tenant cloud platforms, shared hosting, or internal networks with insufficient access controls. The high integrity and availability impact means attackers could potentially disrupt routing or network forwarding, affecting business continuity and service availability. European organizations in sectors like finance, healthcare, government, and critical infrastructure that depend on stable and secure Linux networking stacks may face operational risks. Additionally, the complexity of the fix and the need for kernel updates may delay patch deployment, prolonging exposure. However, the lack of known exploits in the wild reduces immediate risk but does not eliminate the need for proactive mitigation.

Mitigation Recommendations

1. Apply Kernel Updates: Organizations should promptly apply Linux kernel patches that address CVE-2021-47371. This involves updating to kernel versions that include the fix for the nexthop notification chain memory leak.
2. Audit Network Drivers: Review the use of mlxsw and related network drivers in the environment. If Mellanox Spectrum hardware or similar devices are in use, prioritize patching those systems.
3. Restrict Local Access: Limit local access to systems running vulnerable kernels. Enforce strict access controls, use multi-factor authentication, and monitor for unauthorized local logins.
4. Monitor Resource Usage: Implement monitoring for unusual memory consumption or network subsystem anomalies that could indicate exploitation attempts or memory leaks.
5. Test Patches in Staging: Due to the complexity of the fix involving RTNL locking and driver behavior, thoroughly test kernel updates in staging environments to avoid regressions or deadlocks.
6. Network Segmentation: Segment critical network infrastructure to reduce the risk of lateral movement by attackers who gain local access.
7. Vendor Coordination: Engage with hardware and Linux distribution vendors to ensure timely receipt of patches and advisories related to this vulnerability.
8. Incident Response Preparedness: Prepare for potential denial-of-service scenarios by having incident response plans that include kernel-level troubleshooting and rollback procedures.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-05-21T14:58:30.810Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d9833c4522896dcbe8f55

Added to database: 5/21/2025, 9:09:07 AM

Last enriched: 7/3/2025, 5:11:02 AM

Last updated: 8/6/2025, 12:53:29 AM

