
CVE-2021-47418: Vulnerability in the Linux kernel (vendor Linux, product Linux)

Medium
Published: Tue May 21 2024 (05/21/2024, 15:04:07 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

net_sched: fix NULL deref in fifo_set_limit()

syzbot reported another NULL deref in fifo_set_limit() [1]

I could repro the issue with:

  unshare -n
  tc qd add dev lo root handle 1:0 tbf limit 200000 burst 70000 rate 100Mbit
  tc qd replace dev lo parent 1:0 pfifo_fast
  tc qd change dev lo root handle 1:0 tbf limit 300000 burst 70000 rate 100Mbit

pfifo_fast does not have a change() operation.

Make fifo_set_limit() more robust about this.

[1]
BUG: kernel NULL pointer dereference, address: 0000000000000000
PGD 1cf99067 P4D 1cf99067 PUD 7ca49067 PMD 0
Oops: 0010 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 14443 Comm: syz-executor959 Not tainted 5.15.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:0x0
Code: Unable to access opcode bytes at RIP 0xffffffffffffffd6.
RSP: 0018:ffffc9000e2f7310 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: ffffffff8d6ecc00 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffff888024c27910 RDI: ffff888071e34000
RBP: ffff888071e34000 R08: 0000000000000001 R09: ffffffff8fcfb947
R10: 0000000000000001 R11: 0000000000000000 R12: ffff888024c27910
R13: ffff888071e34018 R14: 0000000000000000 R15: ffff88801ef74800
FS:  00007f321d897700(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffd6 CR3: 00000000722c3000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 fifo_set_limit net/sched/sch_fifo.c:242 [inline]
 fifo_set_limit+0x198/0x210 net/sched/sch_fifo.c:227
 tbf_change+0x6ec/0x16d0 net/sched/sch_tbf.c:418
 qdisc_change net/sched/sch_api.c:1332 [inline]
 tc_modify_qdisc+0xd9a/0x1a60 net/sched/sch_api.c:1634
 rtnetlink_rcv_msg+0x413/0xb80 net/core/rtnetlink.c:5572
 netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2504
 netlink_unicast_kernel net/netlink/af_netlink.c:1314 [inline]
 netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1340
 netlink_sendmsg+0x86d/0xdb0 net/netlink/af_netlink.c:1929
 sock_sendmsg_nosec net/socket.c:704 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:724
 ____sys_sendmsg+0x6e8/0x810 net/socket.c:2409
 ___sys_sendmsg+0xf3/0x170 net/socket.c:2463
 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2492
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

AI-Powered Analysis

Last updated: 06/30/2025, 12:41:25 UTC

Technical Analysis

CVE-2021-47418 is a NULL pointer dereference in the Linux kernel packet scheduler (net/sched), in fifo_set_limit() in net/sched/sch_fifo.c. The token bucket filter qdisc (tbf) uses fifo_set_limit() to push a new queue limit into its child qdisc by calling the child's change() operation. The function assumed the child implements change(); pfifo_fast does not. In the reproducer from the fix commit, tbf is installed as the root qdisc on the loopback interface inside a fresh network namespace, its child is replaced with pfifo_fast, and the tbf limit is then changed. tbf_change() calls fifo_set_limit(), which makes an indirect call through the NULL change pointer: the oops shows RIP 0x0, and the call trace runs tc_modify_qdisc -> qdisc_change -> tbf_change -> fifo_set_limit, entered from a netlink sendmsg. The fix makes fifo_set_limit() check for a missing change() operation before calling it. The immediate effect is a kernel oops that kills the triggering task. Because the qdisc-modify path runs with the RTNL lock held, the lock is never released after the oops, so later network configuration operations can block indefinitely even when the kernel survives; with panic_on_oops set the machine reboots or halts outright. Either way the outcome is denial of service, not code execution. Triggering it requires CAP_NET_ADMIN over the network namespace that owns the interface. Root in the initial namespace has that; where unprivileged user namespaces are enabled, any local user who creates a user namespace and then a network namespace (the reproducer's unshare -n step, run as unshare -Urn by an ordinary user) gets CAP_NET_ADMIN inside it and can configure qdiscs on that namespace's loopback device, so on many default configurations an unprivileged local user can trigger the crash. The advisory gives no affected-version range; the crash was reported on 5.15.0-rc3, and the CVE was assigned by the kernel CNA in May 2024 for this older fix. No CVSS score is listed and no exploitation in the wild has been reported.
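The failure mode is a plain optional-function-pointer bug: one caller assumes every child qdisc provides change(), and one qdisc type legitimately leaves it unset. The following userspace model is an added example, not code from the advisory or from net/sched/sch_fifo.c. The struct and function names mirror the kernel's for readability, but the fields, the -EOPNOTSUPP return code and the two scenarios are this example's own assumptions; the point is the guard in front of the indirect call, which is what the kernel fix adds.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Userspace model of the qdisc ops table and the tbf -> fifo_set_limit()
 * path from the advisory. Added example code, not net/sched/sch_fifo.c:
 * the struct names mirror the kernel's for readability, but the fields,
 * return codes and scenarios below are simplified assumptions. */

struct Qdisc;

struct Qdisc_ops {
    const char *id;
    /* Optional operation: a qdisc may leave it NULL, as pfifo_fast does. */
    int (*change)(struct Qdisc *sch, unsigned int limit);
};

struct Qdisc {
    const struct Qdisc_ops *ops;
    unsigned int limit;
};

static int pfifo_change(struct Qdisc *sch, unsigned int limit)
{
    sch->limit = limit;
    return 0;
}

/* pfifo implements change(); pfifo_fast does not (the advisory's condition). */
static const struct Qdisc_ops pfifo_ops      = { .id = "pfifo",      .change = pfifo_change };
static const struct Qdisc_ops pfifo_fast_ops = { .id = "pfifo_fast", .change = NULL };

/* Vulnerable shape: the parent forwards its new limit to the child through
 * change() without checking that the child provides one. With pfifo_fast as
 * the child this is an indirect call through NULL, i.e. the RIP: 0x0 oops. */
static int fifo_set_limit_unchecked(struct Qdisc *q, unsigned int limit)
{
    return q->ops->change(q, limit);
}

/* Hardened shape: test the optional pointer before the indirect call.
 * Returning -EOPNOTSUPP here is this model's choice (an assumption); the
 * point is that the missing operation is handled rather than called. */
static int fifo_set_limit_checked(struct Qdisc *q, unsigned int limit)
{
    if (!q->ops->change)
        return -EOPNOTSUPP;
    return q->ops->change(q, limit);
}

/* Audit helper: does this ops table need the guard before change()? */
static int ops_needs_change_check(const struct Qdisc_ops *ops)
{
    return ops->change == NULL;
}

/* The repro's third tc command with pfifo_fast as tbf's child, hardened path. */
static int scenario_pfifo_fast_child(void)
{
    struct Qdisc child = { .ops = &pfifo_fast_ops, .limit = 0 };
    return fifo_set_limit_checked(&child, 300000);
}

/* Control: a child that implements change() takes the new limit. */
static unsigned int scenario_pfifo_child(void)
{
    struct Qdisc child = { .ops = &pfifo_ops, .limit = 200000 };
    if (fifo_set_limit_checked(&child, 300000) != 0)
        return 0;
    return child.limit;
}

int main(void)
{
    struct Qdisc fifo = { .ops = &pfifo_ops, .limit = 200000 };

    /* Safe to call the unchecked version only because pfifo has change(). */
    fifo_set_limit_unchecked(&fifo, 250000);
    printf("pfifo limit after unchecked change: %u\n", fifo.limit);

    printf("pfifo_fast needs guard: %d, pfifo needs guard: %d\n",
           ops_needs_change_check(&pfifo_fast_ops),
           ops_needs_change_check(&pfifo_ops));
    printf("hardened fifo_set_limit on pfifo_fast child: %d (EOPNOTSUPP=%d)\n",
           scenario_pfifo_fast_child(), EOPNOTSUPP);
    printf("hardened fifo_set_limit on pfifo child, limit: %u\n",
           scenario_pfifo_child());
    return 0;
}
```

Calling fifo_set_limit_unchecked() with a pfifo_fast child would segfault this program the same way the kernel oopsed, which is why main() only exercises it with pfifo. When reviewing similar code, the audit question is the one ops_needs_change_check() asks: for every ops table that can reach this call site, is the pointer guaranteed non-NULL, or is it optional and therefore in need of the guard?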

Potential Impact

For European organizations, the impact of CVE-2021-47418 is denial of service on Linux systems running an unpatched kernel: a crashed task, a wedged network configuration path, or a full panic depending on the panic_on_oops setting. Linux underpins servers, cloud infrastructure, network appliances and embedded devices across Europe, and any of them that expose the packet scheduler to an untrusted principal is at risk of unexpected downtime. The exposure is highest on multi-tenant hosts: shared shells, CI runners, container platforms and hosting environments where untrusted users or workloads can create user and network namespaces, since that is enough to reach the tbf change path without root. Single-tenant appliances and routers where only administrators configure qdiscs are affected in principle but have no untrusted trigger. The vulnerability does not provide privilege escalation or code execution, so its consequence is loss of availability and operational continuity, which matters most for finance, telecommunications, government and cloud providers with uptime obligations. The need for local access rules out remote exploitation, but it does not remove the risk where an attacker already has a foothold as an unprivileged user or inside a container.

Mitigation Recommendations

To mitigate CVE-2021-47418, European organizations should:

1) Update to a kernel that contains the fifo_set_limit() fix. For distribution kernels, check the vendor's security tracker entry for CVE-2021-47418 rather than the upstream version number, since the fix is carried in vendor backports.

2) Where untrusted local users or containers are present and the kernel cannot be updated immediately, remove the unprivileged path to CAP_NET_ADMIN by disabling unprivileged user namespace creation (sysctl user.max_user_namespaces=0, or kernel.unprivileged_userns_clone=0 on Debian and Ubuntu derived kernels). Test first: some container runtimes and application sandboxes rely on user namespaces.

3) In containerized environments, do not grant CAP_NET_ADMIN to workloads that do not need it, keep a seccomp profile in place (the default Docker profile blocks unshare and the namespace-creating clone flags for containers without CAP_SYS_ADMIN), and confine tc and other netlink configuration tools to trusted administrators.

4) Do not treat KASAN as a production mitigation. It is the debug build option syzbot used to find this bug, it carries heavy overhead, and it does not prevent a call through a NULL function pointer. Kernel lockdown does not cover this path either. The relevant production setting is kernel.panic_on_oops, which trades a hung RTNL lock for an immediate reboot; choose deliberately according to the host's availability model.

5) Monitor the kernel log (dmesg or the journal) for "kernel NULL pointer dereference" oopses whose call trace includes fifo_set_limit or tbf_change, and alert on qdisc configuration activity from non-administrative accounts or containers.

6) Include local denial-of-service and namespace-based capability acquisition in regular vulnerability assessments and penetration tests, so that hosts where step 2 or 3 is missing are found before an attacker finds them.


Technical Details

Data Version
5.1
Assigner Short Name
Linux
Date Reserved
2024-05-21T14:58:30.818Z
Cisa Enriched
true
Cvss Version
null
State
PUBLISHED

Threat ID: 682d9833c4522896dcbe90bd

Added to database: 5/21/2025, 9:09:07 AM

Last enriched: 6/30/2025, 12:41:25 PM

Last updated: 7/31/2025, 12:16:36 PM

