CVE-2021-47394: Vulnerability in Linux (Linux kernel)
Description
In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_tables: unlink table before deleting it

syzbot reports the following UAF:

BUG: KASAN: use-after-free in memcmp+0x18f/0x1c0 lib/string.c:955
 nla_strcmp+0xf2/0x130 lib/nlattr.c:836
 nft_table_lookup.part.0+0x1a2/0x460 net/netfilter/nf_tables_api.c:570
 nft_table_lookup net/netfilter/nf_tables_api.c:4064 [inline]
 nf_tables_getset+0x1b3/0x860 net/netfilter/nf_tables_api.c:4064
 nfnetlink_rcv_msg+0x659/0x13f0 net/netfilter/nfnetlink.c:285
 netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2504

Problem is that all get operations are lockless, so the commit_mutex held by nft_rcv_nl_event() isn't enough to stop a parallel GET request from doing read-accesses to the table object even after synchronize_rcu().

To avoid this, unlink the table first and store the table objects in on-stack scratch space.
AI Analysis
Technical Summary
CVE-2021-47394 is a use-after-free (UAF) vulnerability in the Linux kernel's netfilter subsystem, specifically in the nftables API. It arises because a table was freed before it had been safely unlinked from the table list. The root cause is that GET operations on nftables tables are lockless: they walk the table list without taking the commit_mutex, relying on RCU instead. The commit_mutex held by nft_rcv_nl_event() while it deletes a table therefore does not exclude a GET request that is already walking the list, and the commit description notes that such read accesses could still reach the table object even after synchronize_rcu(). The result is a race in which a GET request performs read accesses on an already freed table object, i.e. a use-after-free. The kernel's KASAN (Kernel Address Sanitizer) detected the issue during fuzz testing by syzbot; the reported call path runs from memcmp in lib/string.c through nla_strcmp in lib/nlattr.c into nft_table_lookup in net/netfilter/nf_tables_api.c, called from nf_tables_getset. The fix unlinks the table first and stores the table objects in on-stack scratch space, so that they are no longer reachable from the list by the time they are freed. This vulnerability affects Linux kernel versions prior to the patch and is relevant to systems using nftables for packet filtering and firewalling. No known exploits are reported in the wild as of the publication date.
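The ordering the fix changes can be seen in a small user-space model. The following is an added example, not kernel code and not part of this advisory: it reduces the table list to a singly linked list, the RCU reader to a single GET that can be preempted mid-walk, synchronize_rcu() to a grace_period() that drains that reader, and KASAN's poisoning to a "freed" flag that lets the model count accesses to freed objects. All function and variable names (table_unlink, delete_patched, race_uaf_count and so on) are this example's own, not the kernel's.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Added example, not kernel code: a single-threaded user-space model of the
 * ordering bug behind CVE-2021-47394. Tables sit on a list that GET requests
 * walk without locks (as nft_table_lookup does under RCU) while a writer that
 * holds the commit mutex deletes them. grace_period() stands in for
 * synchronize_rcu(); a "freed" flag stands in for KASAN's poisoning so the
 * model counts accesses to freed objects instead of crashing. */

#define MAX_TABLES 8
#define NAME_LEN 16

struct table { char name[NAME_LEN]; bool freed; struct table *next; };
struct reader { struct table *cur; char want[NAME_LEN]; bool active; };

static struct table pool[MAX_TABLES];   /* static slots instead of kmalloc */
static int pool_used;
static struct table *tables;            /* head of the live table list */
static struct reader in_flight;         /* one preempted GET is enough here */
static int uaf_reports;                 /* what KASAN would have reported */

static void model_reset(void) {
    memset(pool, 0, sizeof pool); memset(&in_flight, 0, sizeof in_flight);
    pool_used = 0; tables = NULL; uaf_reports = 0;
}

static void table_add(const char *name) {
    struct table *t = &pool[pool_used++];
    snprintf(t->name, NAME_LEN, "%s", name);
    t->next = tables; tables = t;       /* push front */
}

/* Writer side, under the (modelled) commit mutex. Like list_del_rcu(): new
 * readers can no longer reach t, but t->next stays intact for a reader already on t. */
static struct table *table_unlink(const char *name) {
    for (struct table **pp = &tables; *pp; pp = &(*pp)->next)
        if (strcmp((*pp)->name, name) == 0) {
            struct table *t = *pp; *pp = t->next; return t;
        }
    return NULL;
}

static void table_free(struct table *t) { t->freed = true; } /* quarantine, not free() */

/* Reader side: a lockless GET takes its starting pointer, may be preempted,
 * and later resumes comparing names node by node (nla_strcmp in the kernel). */
static void reader_start(const char *name) {
    in_flight.cur = tables; in_flight.active = true;
    snprintf(in_flight.want, NAME_LEN, "%s", name);
}

static struct table *reader_finish(void) {
    struct table *found = NULL;
    if (!in_flight.active) return NULL;
    for (struct table *t = in_flight.cur; t; t = t->next) {
        if (t->freed) uaf_reports++;    /* KASAN: use-after-free in memcmp */
        else if (strcmp(t->name, in_flight.want) == 0) found = t;
    }
    in_flight.active = false;
    return found;
}

/* synchronize_rcu(): returns only once pre-existing readers have finished. */
static void grace_period(void) { reader_finish(); }

/* Modelled pre-fix path: unlink and free in one step with no grace period, so
 * a reader that already holds t reads freed memory when it resumes. */
static int delete_unpatched(const char *name) {
    struct table *t = table_unlink(name);
    if (t) table_free(t);
    return t ? 0 : -1;
}

/* Modelled fixed path: unlink first, park the object in on-stack scratch
 * space, wait a grace period, and only then free it. */
static int delete_patched(const char *name) {
    struct table *scratch[MAX_TABLES];  /* on-stack scratch list */
    int n = 0;
    struct table *t = table_unlink(name);
    if (!t) return -1;
    scratch[n++] = t;
    grace_period();                     /* readers that still see t drain here */
    for (int i = 0; i < n; i++) table_free(scratch[i]);
    return 0;
}

/* Scenario: a GET for "nat" is preempted while standing on the list head
 * "filter"; the writer deletes "filter"; the GET resumes. Returns how many
 * accesses to freed memory the resumed GET made. */
static int race_uaf_count(bool patched) {
    model_reset();
    table_add("nat"); table_add("filter");   /* list: filter -> nat */
    reader_start("nat");
    if (patched) delete_patched("filter"); else delete_unpatched("filter");
    reader_finish();
    return uaf_reports;
}

/* After the patched delete, can a fresh GET still find the table? */
static bool visible_after_patched_delete(const char *name) {
    race_uaf_count(true);
    reader_start(name);
    return reader_finish() != NULL;
}

int main(void) {
    printf("unpatched: %d freed access(es), patched: %d freed access(es)\n",
           race_uaf_count(false), race_uaf_count(true));
    printf("\"filter\" visible after patched delete: %s\n",
           visible_after_patched_delete("filter") ? "yes" : "no");
    return 0;
}
```

The point the model makes is that the commit mutex only serialises writers: it is the grace period between unlinking and freeing that protects a reader which already holds a pointer into the list, and the on-stack scratch list is what lets the writer keep hold of unlinked objects across that wait.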
Potential Impact
For European organizations, this vulnerability poses a risk primarily to servers and network infrastructure running Linux kernels with nftables enabled. Exploitation could lead to kernel crashes (denial of service) or potentially privilege escalation if an attacker can manipulate the use-after-free to execute arbitrary code in kernel context. This could compromise confidentiality, integrity, and availability of critical network services. Given the widespread use of Linux in European data centers, cloud providers, and enterprise environments, the impact could be significant, especially for organizations relying on nftables for firewalling and network filtering. Disruption of network security controls or kernel instability could lead to service outages or breaches. However, the absence of known exploits and the complexity of triggering this race condition somewhat limit immediate risk. Still, the vulnerability should be treated seriously due to the kernel-level impact and potential for escalation.
Mitigation Recommendations
European organizations should prioritize updating their Linux kernels to versions that include the patch for CVE-2021-47394. Since the vulnerability involves kernel-level race conditions, applying vendor-provided kernel updates is the most effective mitigation. Organizations should audit their use of nftables and consider temporarily disabling or restricting nftables usage if patching is delayed, especially on critical network infrastructure. Employing kernel hardening features such as KASAN during testing phases can help detect similar issues proactively. Network segmentation and strict access controls can reduce the attack surface by limiting who can send netlink messages that trigger nftables operations. Monitoring kernel logs for unusual crashes or KASAN alerts can provide early warning of exploitation attempts. Finally, organizations should maintain robust incident response plans to quickly address any kernel-level compromises.
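The recommendation to watch kernel logs for KASAN alerts is easy to turn into a concrete check. The following is an added example, not from this advisory or the kernel: it groups log lines into KASAN reports and flags those whose call trace passes through nf_tables. The sample lines are constructed to follow the shape of the syzbot report quoted in the description; the timestamps, the second unrelated report and the driver path in it are made up, and the function names are this example's own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Added example: a small scanner over kernel log lines that counts KASAN
 * reports, use-after-free reports, and reports whose trace runs through
 * nf_tables. The sample input below is constructed, not a real capture. */

struct kasan_summary {
    int reports;      /* lines that start a KASAN report ("BUG: KASAN:") */
    int uaf;          /* of those, use-after-free reports */
    int nftables;     /* of those, reports with an nf_tables frame */
};

static const char *const sample_dmesg[] = {
    "[   12.001234] netfilter: nf_tables module loaded",
    "[   40.117001] BUG: KASAN: use-after-free in memcmp+0x18f/0x1c0 lib/string.c:955",
    "[   40.117002] Call Trace:",
    "[   40.117003]  nla_strcmp+0xf2/0x130 lib/nlattr.c:836",
    "[   40.117004]  nft_table_lookup.part.0+0x1a2/0x460 net/netfilter/nf_tables_api.c:570",
    "[   40.117005]  nf_tables_getset+0x1b3/0x860 net/netfilter/nf_tables_api.c:4064",
    "[   40.117006]  nfnetlink_rcv_msg+0x659/0x13f0 net/netfilter/nfnetlink.c:285",
    "[   55.300001] BUG: KASAN: slab-out-of-bounds in example_fn+0x10/0x20 drivers/example/example.c:42",
    "[   55.300002] Call Trace:",
    "[   55.300003]  example_fn+0x10/0x20 drivers/example/example.c:42",
    "[   60.000001] usb 1-1: new high-speed USB device number 2",
};
#define SAMPLE_LINES (sizeof sample_dmesg / sizeof sample_dmesg[0])

/* Everything between one "BUG: KASAN:" header and the next belongs to the same
 * report. Real reports are longer ("Read of size ...", "Allocated by task ...",
 * "Freed by task ..."), and an nf_tables frame in any of those sections is
 * still attributed to the report, which is what an analyst wants. */
static struct kasan_summary scan_kasan(const char *const *lines, size_t n) {
    struct kasan_summary s = {0, 0, 0};
    bool in_report = false, nft_seen = false;
    for (size_t i = 0; i < n; i++) {
        const char *l = lines[i];
        if (strstr(l, "BUG: KASAN:")) {          /* header starts a new report */
            s.reports++;
            if (strstr(l, "use-after-free")) s.uaf++;
            in_report = true; nft_seen = false;
            continue;
        }
        if (in_report && !nft_seen && strstr(l, "net/netfilter/nf_tables")) {
            s.nftables++; nft_seen = true;       /* count each report once */
        }
    }
    return s;
}

static struct kasan_summary scan_sample(void) {
    return scan_kasan(sample_dmesg, SAMPLE_LINES);
}
```

In use, the lines would come from the kernel ring buffer or the journal rather than the embedded array; a KASAN report is a strong signal only on kernels built with KASAN, which is a testing configuration, so on production hosts the equivalent indicators are the oops and BUG lines that a crash in the same path would produce.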
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-05-21T14:58:30.814Z
- Cisa Enriched: true
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9833c4522896dcbe8fbc
Added to database: 5/21/2025, 9:09:07 AM
Last enriched: 6/30/2025, 12:25:04 PM
Last updated: 8/11/2025, 11:28:13 PM
Related Threats
CVE-2025-53948: CWE-415 Double Free in Santesoft Sante PACS Server (High)
CVE-2025-52584: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt (High)
CVE-2025-46269: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt (High)
CVE-2025-54862: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server (Medium)
CVE-2025-54759: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server (Medium)