
CVE-2021-47395: Vulnerability in Linux / Linux (kernel)

Severity: Medium
Published: Tue May 21 2024 (05/21/2024, 15:03:52 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

mac80211: limit injected vht mcs/nss in ieee80211_parse_tx_radiotap

Limit max values for vht mcs and nss in ieee80211_parse_tx_radiotap routine in order to fix the following warning reported by syzbot:

WARNING: CPU: 0 PID: 10717 at include/net/mac80211.h:989 ieee80211_rate_set_vht include/net/mac80211.h:989 [inline]
WARNING: CPU: 0 PID: 10717 at include/net/mac80211.h:989 ieee80211_parse_tx_radiotap+0x101e/0x12d0 net/mac80211/tx.c:2244
Modules linked in:
CPU: 0 PID: 10717 Comm: syz-executor.5 Not tainted 5.14.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:ieee80211_rate_set_vht include/net/mac80211.h:989 [inline]
RIP: 0010:ieee80211_parse_tx_radiotap+0x101e/0x12d0 net/mac80211/tx.c:2244
RSP: 0018:ffffc9000186f3e8 EFLAGS: 00010216
RAX: 0000000000000618 RBX: ffff88804ef76500 RCX: ffffc900143a5000
RDX: 0000000000040000 RSI: ffffffff888f478e RDI: 0000000000000003
RBP: 00000000ffffffff R08: 0000000000000000 R09: 0000000000000100
R10: ffffffff888f46f9 R11: 0000000000000000 R12: 00000000fffffff8
R13: ffff88804ef7653c R14: 0000000000000001 R15: 0000000000000004
FS:  00007fbf5718f700(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b2de23000 CR3: 000000006a671000 CR4: 00000000001506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600
Call Trace:
 ieee80211_monitor_select_queue+0xa6/0x250 net/mac80211/iface.c:740
 netdev_core_pick_tx+0x169/0x2e0 net/core/dev.c:4089
 __dev_queue_xmit+0x6f9/0x3710 net/core/dev.c:4165
 __bpf_tx_skb net/core/filter.c:2114 [inline]
 __bpf_redirect_no_mac net/core/filter.c:2139 [inline]
 __bpf_redirect+0x5ba/0xd20 net/core/filter.c:2162
 ____bpf_clone_redirect net/core/filter.c:2429 [inline]
 bpf_clone_redirect+0x2ae/0x420 net/core/filter.c:2401
 bpf_prog_eeb6f53a69e5c6a2+0x59/0x234
 bpf_dispatcher_nop_func include/linux/bpf.h:717 [inline]
 __bpf_prog_run include/linux/filter.h:624 [inline]
 bpf_prog_run include/linux/filter.h:631 [inline]
 bpf_test_run+0x381/0xa30 net/bpf/test_run.c:119
 bpf_prog_test_run_skb+0xb84/0x1ee0 net/bpf/test_run.c:663
 bpf_prog_test_run kernel/bpf/syscall.c:3307 [inline]
 __sys_bpf+0x2137/0x5df0 kernel/bpf/syscall.c:4605
 __do_sys_bpf kernel/bpf/syscall.c:4691 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:4689 [inline]
 __x64_sys_bpf+0x75/0xb0 kernel/bpf/syscall.c:4689
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x4665f9

AI-Powered Analysis

Last updated: 06/30/2025, 12:25:18 UTC

Technical Analysis

CVE-2021-47395 is a vulnerability in the Linux kernel's mac80211 subsystem, specifically in the ieee80211_parse_tx_radiotap routine. It arises from insufficient validation of the Very High Throughput (VHT) Modulation and Coding Scheme (MCS) and Number of Spatial Streams (NSS) values supplied in injected radiotap headers. Radiotap headers carry additional metadata for 802.11 frames and are commonly used by wireless packet injection and monitoring tools. The issue was found through warnings raised by the syzbot fuzzing infrastructure, which exposed improper handling of out-of-range or malformed VHT MCS/NSS values. The root cause is that ieee80211_parse_tx_radiotap did not adequately limit the maximum values of these parameters, so out-of-range values reached ieee80211_rate_set_vht (the warning site in the trace above) and could lead to undefined behavior or kernel warnings. The affected code lives in the mac80211 wireless networking stack, which implements Wi-Fi protocol operations in the Linux kernel. The kernel trace shows the issue occurring during the processing of injected frames, which could be triggered by an attacker able to inject crafted radiotap frames. Note that ieee80211_parse_tx_radiotap runs on the transmit path: in the reported trace the warning is reached from a local BPF program test run (bpf_prog_test_run) that redirects a frame to a monitor interface, so the malformed radiotap header is supplied by a process transmitting through the interface rather than received over the air. No known exploit in the wild has been reported, but the flaw could be used for denial of service (DoS) by causing kernel warnings or crashes that affect system stability. It affects Linux kernel version 5.14.0-syzkaller and likely other versions with similar mac80211 implementations. The fix limits the maximum allowed values for VHT MCS and NSS in the parsing routine to prevent out-of-bound accesses or invalid state transitions. No CVSS score is provided; the vulnerability is primarily a robustness issue in the wireless stack that could be triggered by local or network-based attackers with the ability to inject frames. It does not appear to allow privilege escalation or remote code execution directly but may cause system instability or denial of service.
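As an added example (not code from this page or from the kernel), the following standalone C model shows the parsing step the analysis describes: the radiotap VHT mcs_nss byte is split into its two nibbles, once without limits and once with the kind of limits the fix introduces, and a check reproduces the packing constraint enforced at the warning site in the trace, where the kernel packs MCS into 4 bits and NSS-1 into 3 bits. The byte layout (NSS in the low nibble, MCS in the high nibble) follows the radiotap VHT field definition; the exact limits used here (MCS at most 11, NSS 1 to 8), the sample bytes and the function names are this example's own assumptions, not values taken from the page.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Standalone model of radiotap VHT mcs_nss byte handling (example code, not
 * the kernel's own). Assumed layout from the radiotap VHT field definition:
 * in each mcs_nss[i] byte the low nibble is NSS and the high nibble is MCS.
 */

#define VHT_MCS_MAX 11   /* assumed limit: 802.11ac MCS 0-9 plus the two extended values */
#define VHT_NSS_MAX 8    /* assumed limit: VHT allows at most 8 spatial streams */

struct vht_rate {
    uint8_t mcs;
    uint8_t nss;
};

/* Before the fix: take both nibbles exactly as the injected header supplies them. */
struct vht_rate parse_vht_mcs_nss_unchecked(uint8_t mcs_nss)
{
    struct vht_rate r = { .mcs = (uint8_t)(mcs_nss >> 4), .nss = (uint8_t)(mcs_nss & 0x0F) };
    return r;
}

/* After the fix: replace out-of-range values with a safe default instead of passing them on. */
struct vht_rate parse_vht_mcs_nss_limited(uint8_t mcs_nss)
{
    struct vht_rate r = parse_vht_mcs_nss_unchecked(mcs_nss);
    if (r.mcs > VHT_MCS_MAX)
        r.mcs = 0;
    if (r.nss == 0 || r.nss > VHT_NSS_MAX)
        r.nss = 1;
    return r;
}

/*
 * The consumer packs the rate as ((nss - 1) << 4) | mcs, so MCS must fit in
 * 4 bits and nss - 1 in 3 bits. Values that fail this are what the kernel's
 * WARN_ON in ieee80211_rate_set_vht (the warning site in the trace) rejects.
 */
bool vht_rate_fits(struct vht_rate r)
{
    return (r.mcs & ~0x0F) == 0 && ((uint8_t)(r.nss - 1) & ~0x07) == 0;
}

/* Pack the rate index as the consumer would; only meaningful when vht_rate_fits() holds. */
uint8_t vht_rate_index(struct vht_rate r)
{
    return (uint8_t)(((r.nss - 1) << 4) | r.mcs);
}

int main(void)
{
    /* Constructed inputs: one sane byte and three that a fuzzer could hand the parser. */
    const uint8_t samples[] = { 0x72, 0x40, 0x9F, 0xC3 };
    for (size_t i = 0; i < sizeof samples; i++) {
        struct vht_rate before = parse_vht_mcs_nss_unchecked(samples[i]);
        struct vht_rate after = parse_vht_mcs_nss_limited(samples[i]);
        printf("byte 0x%02X: unchecked mcs=%u nss=%u (%s), limited mcs=%u nss=%u (%s)\n",
               samples[i], before.mcs, before.nss,
               vht_rate_fits(before) ? "fits" : "would WARN",
               after.mcs, after.nss,
               vht_rate_fits(after) ? "fits" : "would WARN");
    }
    return 0;
}
```

The 0x40 and 0x9F cases (NSS 0 and NSS 15) are the ones the bit-width check catches; the 0xC3 case (MCS 12) is the subtler one: 12 fits in four bits, so the packed index would be accepted downstream, yet it names an MCS outside the VHT range. That is why the limit has to be applied in the parser and cannot be left to the packing step.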

Potential Impact

For European organizations, the impact of CVE-2021-47395 depends largely on their use of Linux-based systems with wireless networking capabilities, particularly those utilizing the mac80211 stack for Wi-Fi communications. Organizations operating wireless infrastructure, embedded devices, or IoT systems running vulnerable Linux kernels could face risks of service disruption due to kernel warnings or crashes triggered by crafted wireless frames. This could lead to denial of service conditions affecting network availability, potentially disrupting business operations reliant on wireless connectivity. Critical infrastructure sectors such as telecommunications, manufacturing, and transportation that deploy Linux-based wireless devices may be particularly sensitive to such disruptions. However, since exploitation requires the ability to inject malicious radiotap frames, the attack surface is somewhat limited to environments where attackers can transmit crafted Wi-Fi frames within radio range. The vulnerability does not appear to allow unauthorized access or data compromise directly but could be used as part of a broader attack chain to degrade system reliability or availability. Given the widespread use of Linux in European enterprise and public sector environments, especially in network infrastructure and embedded systems, the vulnerability warrants timely remediation to maintain operational stability and security.

Mitigation Recommendations

1. Apply Kernel Updates: Organizations should promptly update Linux kernels to versions where this vulnerability is patched. Monitoring vendor advisories and applying security patches is critical.
2. Wireless Network Segmentation: Limit exposure of vulnerable wireless devices by segmenting wireless networks and restricting access to trusted users and devices only.
3. Frame Injection Controls: Deploy wireless intrusion detection/prevention systems (WIDS/WIPS) capable of detecting and blocking malformed or suspicious radiotap frames to reduce the risk of exploitation.
4. Harden Wireless Interfaces: Disable unnecessary wireless interfaces or features that allow frame injection if not required for business operations.
5. Monitor System Logs: Implement monitoring of kernel logs for warnings or errors related to ieee80211 or mac80211 subsystems to detect potential exploitation attempts early.
6. Incident Response Preparedness: Prepare response plans for potential denial of service incidents affecting wireless infrastructure, including fallback connectivity options.
7. Vendor Coordination: For embedded or IoT devices using Linux kernels, coordinate with vendors to ensure timely firmware updates addressing this vulnerability.

These measures go beyond generic advice by focusing on controlling the attack vector (frame injection), monitoring for exploitation signs, and ensuring patch management in wireless environments.
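For recommendation 5 (monitoring kernel logs), here is an added example in C, not from this page, the kernel or any vendor tool, that parses the "WARNING: CPU: ... at file:line function" format seen in the syzbot report, extracts the source location and function, and flags warnings attributed to mac80211 source files or ieee80211_* functions. The sample log is constructed for the example from the two WARNING lines in the description plus unrelated noise; the struct and function names are this example's own.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Fields recovered from one "WARNING: CPU: n PID: n at file:line func" kernel log line. */
struct kernel_warning {
    int cpu;
    int pid;
    char file[128];
    int line;
    char func[128];
};

/* Parse one log line; returns false when it is not a kernel WARNING of the expected shape. */
bool parse_kernel_warning(const char *msg, struct kernel_warning *w)
{
    const char *p = strstr(msg, "WARNING: CPU: ");
    char loc[256];

    if (!p)
        return false;
    /* "file:line" arrives as one whitespace-delimited token, the function as the next. */
    if (sscanf(p, "WARNING: CPU: %d PID: %d at %255s %127s",
               &w->cpu, &w->pid, loc, w->func) != 4)
        return false;

    char *colon = strrchr(loc, ':');
    if (!colon || sscanf(colon + 1, "%d", &w->line) != 1)
        return false;
    *colon = '\0';
    snprintf(w->file, sizeof w->file, "%s", loc);

    /* Drop the "+0x.../0x..." symbol offset so the function name compares cleanly. */
    char *plus = strchr(w->func, '+');
    if (plus)
        *plus = '\0';
    return true;
}

/* Does this warning originate in the wireless stack (mac80211 file or ieee80211_* function)? */
bool is_mac80211_warning(const struct kernel_warning *w)
{
    return strstr(w->file, "mac80211") != NULL ||
           strncmp(w->func, "ieee80211_", 10) == 0;
}

/* Scan newline-separated log text and return how many lines are mac80211 warnings. */
int count_mac80211_warnings(const char *log)
{
    int hits = 0;
    const char *line = log;

    while (*line) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char buf[512];

        if (len < sizeof buf) {
            memcpy(buf, line, len);
            buf[len] = '\0';
            struct kernel_warning w;
            if (parse_kernel_warning(buf, &w) && is_mac80211_warning(&w))
                hits++;
        }
        if (!nl)
            break;
        line = nl + 1;
    }
    return hits;
}

/* Constructed sample: the two WARNING lines from the syzbot report plus unrelated noise. */
static const char SAMPLE_LOG[] =
    "[  123.456789] WARNING: CPU: 0 PID: 10717 at include/net/mac80211.h:989 ieee80211_rate_set_vht include/net/mac80211.h:989 [inline]\n"
    "[  123.456790] WARNING: CPU: 0 PID: 10717 at include/net/mac80211.h:989 ieee80211_parse_tx_radiotap+0x101e/0x12d0 net/mac80211/tx.c:2244\n"
    "[  124.000000] wlan0: associated\n"
    "[  125.000000] WARNING: CPU: 1 PID: 4242 at fs/example.c:77 example_fn+0x10/0x20\n";

int main(void)
{
    printf("mac80211 warnings in sample log: %d\n", count_mac80211_warnings(SAMPLE_LOG));
    return 0;
}
```

In practice the same parser would be fed from the kernel ring buffer or journald output; the point of extracting file and function rather than grepping for a fixed string is that the alert can name the subsystem and site, and the unrelated fs/example.c warning in the sample shows it does not fire on every WARNING.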


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-05-21T14:58:30.814Z
CISA Enriched: true
CVSS Version: null
State: PUBLISHED

Threat ID: 682d9833c4522896dcbe8fc0

Added to database: 5/21/2025, 9:09:07 AM

Last enriched: 6/30/2025, 12:25:18 PM

Last updated: 8/16/2025, 1:07:34 AM

Views: 16

