
CVE-2021-47448: Vulnerability in Linux

Severity: High
Published: Wed May 22 2024 (05/22/2024, 06:19:40 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

mptcp: fix possible stall on recvmsg()

recvmsg() can enter an infinite loop if the caller provides the MSG_WAITALL, the data present in the receive queue is not sufficient to fulfill the request, and no more data is received by the peer.

When the above happens, mptcp_wait_data() will always return with no wait, as the MPTCP_DATA_READY flag checked by such function is set and never cleared in such code path.

Leveraging the above syzbot was able to trigger an RCU stall:

  rcu: INFO: rcu_preempt self-detected stall on CPU
  rcu: 0-...!: (10499 ticks this GP) idle=0af/1/0x4000000000000000 softirq=10678/10678 fqs=1
  (t=10500 jiffies g=13089 q=109)
  rcu: rcu_preempt kthread starved for 10497 jiffies! g13089 f0x0 RCU_GP_WAIT_FQS(5) ->state=0x0 ->cpu=1
  rcu: Unless rcu_preempt kthread gets sufficient CPU time, OOM is now expected behavior.
  rcu: RCU grace-period kthread stack dump:
  task:rcu_preempt state:R running task stack:28696 pid: 14 ppid: 2 flags:0x00004000
  Call Trace:
   context_switch kernel/sched/core.c:4955 [inline]
   __schedule+0x940/0x26f0 kernel/sched/core.c:6236
   schedule+0xd3/0x270 kernel/sched/core.c:6315
   schedule_timeout+0x14a/0x2a0 kernel/time/timer.c:1881
   rcu_gp_fqs_loop+0x186/0x810 kernel/rcu/tree.c:1955
   rcu_gp_kthread+0x1de/0x320 kernel/rcu/tree.c:2128
   kthread+0x405/0x4f0 kernel/kthread.c:327
   ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
  rcu: Stack dump where RCU GP kthread last ran:
  Sending NMI from CPU 0 to CPUs 1:
  NMI backtrace for cpu 1
  CPU: 1 PID: 8510 Comm: syz-executor827 Not tainted 5.15.0-rc2-next-20210920-syzkaller #0
  Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
  RIP: 0010:bytes_is_nonzero mm/kasan/generic.c:84 [inline]
  RIP: 0010:memory_is_nonzero mm/kasan/generic.c:102 [inline]
  RIP: 0010:memory_is_poisoned_n mm/kasan/generic.c:128 [inline]
  RIP: 0010:memory_is_poisoned mm/kasan/generic.c:159 [inline]
  RIP: 0010:check_region_inline mm/kasan/generic.c:180 [inline]
  RIP: 0010:kasan_check_range+0xc8/0x180 mm/kasan/generic.c:189
  Code: 38 00 74 ed 48 8d 50 08 eb 09 48 83 c0 01 48 39 d0 74 7a 80 38 00 74 f2 48 89 c2 b8 01 00 00 00 48 85 d2 75 56 5b 5d 41 5c c3 <48> 85 d2 74 5e 48 01 ea eb 09 48 83 c0 01 48 39 d0 74 50 80 38 00
  RSP: 0018:ffffc9000cd676c8 EFLAGS: 00000283
  RAX: ffffed100e9a110e RBX: ffffed100e9a110f RCX: ffffffff88ea062a
  RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffff888074d08870
  RBP: ffffed100e9a110e R08: 0000000000000001 R09: ffff888074d08877
  R10: ffffed100e9a110e R11: 0000000000000000 R12: ffff888074d08000
  R13: ffff888074d08000 R14: ffff888074d08088 R15: ffff888074d08000
  FS: 0000555556d8e300(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
  S: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  CR2: 0000000020000180 CR3: 0000000068909000 CR4: 00000000001506e0
  DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
  DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
  Call Trace:
   instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
   test_and_clear_bit include/asm-generic/bitops/instrumented-atomic.h:83 [inline]
   mptcp_release_cb+0x14a/0x210 net/mptcp/protocol.c:3016
   release_sock+0xb4/0x1b0 net/core/sock.c:3204
   mptcp_wait_data net/mptcp/protocol.c:1770 [inline]
   mptcp_recvmsg+0xfd1/0x27b0 net/mptcp/protocol.c:2080
   inet6_recvmsg+0x11b/0x5e0 net/ipv6/af_inet6.c:659
   sock_recvmsg_nosec net/socket.c:944 [inline]
   ____sys_recvmsg+0x527/0x600 net/socket.c:2626
   ___sys_recvmsg+0x127/0x200 net/socket.c:2670
   do_recvmmsg+0x24d/0x6d0 net/socket.c:2764
   __sys_recvmmsg net/socket.c:2843 [inline]
   __do_sys_recvmmsg net/socket.c:2866 [inline]
   __se_sys_recvmmsg net/socket.c:2859 [inline]
   __x64_sys_recvmmsg+0x20b/0x260 net/socket.c:2859
   do_syscall_x64 arch/x86/entry/common.c:50 [inline]
   do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
   entry_SYSCALL_64_after_hwframe+0x44/0xae
  RIP: 0033:0x7fc200d2
  ---truncated---

AI-Powered Analysis

Last updated: 06/30/2025, 13:12:57 UTC

Technical Analysis

CVE-2021-47448 is a vulnerability in the Linux kernel's implementation of Multipath TCP (MPTCP), specifically related to the recvmsg() system call. The flaw occurs when recvmsg() is called with the MSG_WAITALL flag, which instructs the kernel to wait until the full requested amount of data is received. If the data available in the receive queue is insufficient and the peer stops sending data, the recvmsg() call can enter an infinite loop. This happens because the internal function mptcp_wait_data() incorrectly returns immediately without waiting, due to the MPTCP_DATA_READY flag being set and never cleared in this code path. This leads to a stall condition where the kernel's RCU (Read-Copy-Update) grace period kthread becomes starved of CPU time, triggering an RCU stall warning and potentially causing a system hang or out-of-memory (OOM) condition. The vulnerability was discovered and triggered by syzbot, an automated kernel fuzzer, which demonstrated the RCU stall and kernel thread starvation. The issue affects Linux kernel versions containing the vulnerable MPTCP code and can cause denial of service (DoS) by stalling kernel threads critical for system operation. No known exploits are reported in the wild, and no CVSS score has been assigned yet. However, the technical details indicate a kernel-level resource starvation leading to system instability or crash, which is a serious reliability and availability concern for affected systems.
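The stall signature described above (an RCU self-detected stall, a starved rcu_preempt kthread, and a task stuck under mptcp_recvmsg via mptcp_wait_data) can be picked out of kernel log lines. The detector below is an added example, not code from this page or the kernel project; the finding labels are its own, and the sample lines are constructed from the syzbot report quoted in the description.

```python
import re

# Added example (not code from the page or the kernel project): pick the
# CVE-2021-47448 stall signature out of kernel log lines.
STALL_RE = re.compile(r"rcu: INFO: (\w+) self-detected stall on CPU")
STARVED_RE = re.compile(r"rcu: (\w+) kthread starved for (\d+) jiffies")
TASK_RE = re.compile(r"CPU: (\d+) PID: (\d+) Comm: (\S+)")
FRAME_RE = re.compile(r"^\s*([A-Za-z_]\w*)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)? \S+:\d+")
# Frames that identify the recvmsg(MSG_WAITALL) spin described in the advisory.
MPTCP_SIGNATURE = ("mptcp_wait_data", "mptcp_recvmsg")


def parse_stall(lines):
    """Return a dict describing the first RCU self-detected stall, or None."""
    report = None
    for line in lines:
        if m := STALL_RE.search(line):
            report = {"flavor": m.group(1), "starved_jiffies": 0, "comm": None, "frames": []}
        elif report is None:
            continue
        elif m := STARVED_RE.search(line):
            report["starved_kthread"], report["starved_jiffies"] = m.group(1), int(m.group(2))
        elif m := TASK_RE.search(line):
            report["cpu"], report["pid"], report["comm"] = int(m.group(1)), int(m.group(2)), m.group(3)
        elif report["comm"] is not None and (m := FRAME_RE.match(line)):
            # Only frames of the task that last ran on the stalled CPU, not the
            # RCU kthread's own stack dump that precedes the "CPU:" line.
            report["frames"].append(m.group(1))
    return report


def classify(lines):
    """Short finding: 'mptcp-recvmsg-stall' is the CVE-2021-47448 pattern."""
    report = parse_stall(lines)
    if report is None:
        return "no-stall"
    if all(f in report["frames"] for f in MPTCP_SIGNATURE):
        return "mptcp-recvmsg-stall"
    return "rcu-stall"


# Constructed sample, abridged from the syzbot report quoted in the CVE description.
SAMPLE_LOG = """\
rcu: INFO: rcu_preempt self-detected stall on CPU
rcu: rcu_preempt kthread starved for 10497 jiffies! g13089 f0x0 RCU_GP_WAIT_FQS(5) ->state=0x0 ->cpu=1
CPU: 1 PID: 8510 Comm: syz-executor827 Not tainted 5.15.0-rc2-next-20210920-syzkaller #0
Call Trace:
 mptcp_release_cb+0x14a/0x210 net/mptcp/protocol.c:3016
 mptcp_wait_data net/mptcp/protocol.c:1770 [inline]
 mptcp_recvmsg+0xfd1/0x27b0 net/mptcp/protocol.c:2080
""".splitlines()
```

Feed it the lines of dmesg or journalctl -k; a plain "rcu-stall" finding still deserves attention, it just does not carry this CVE's MPTCP fingerprint.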

Potential Impact

For European organizations, this vulnerability poses a significant risk to the availability and stability of Linux-based systems that utilize Multipath TCP, particularly in environments where MSG_WAITALL is used in network communication. Systems running vulnerable Linux kernels may experience hangs or crashes due to kernel thread starvation, leading to denial of service conditions. This can disrupt critical services, especially in sectors relying heavily on Linux servers such as telecommunications, cloud service providers, financial institutions, and public infrastructure. The impact is heightened in data centers and cloud environments where Linux is prevalent and MPTCP may be used to optimize network throughput and redundancy. The vulnerability could also affect embedded Linux devices and network appliances used in industrial and enterprise settings across Europe, potentially causing operational disruptions. Although exploitation requires specific conditions and no active exploits are known, the risk of unintentional system hangs or crashes due to this bug remains a concern for system reliability and uptime.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should:

1) Apply the latest Linux kernel patches that address CVE-2021-47448 as soon as they become available from their Linux distribution vendors or upstream kernel sources.
2) Temporarily avoid using the MSG_WAITALL flag with recvmsg() on systems where MPTCP is enabled, if possible, to reduce the risk of triggering the infinite loop.
3) Monitor kernel logs for RCU stall warnings and unusual kernel thread behavior, which could indicate attempts to exploit or accidental triggering of the vulnerability.
4) Implement robust kernel and system monitoring to detect and respond quickly to system hangs or resource starvation events.
5) For critical infrastructure, consider isolating or limiting MPTCP usage until patches are applied.
6) Engage with Linux distribution security advisories and maintain an up-to-date inventory of affected kernel versions in use.
7) Test kernel updates in staging environments to ensure stability before deployment in production.
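Item 2 above means giving up MSG_WAITALL; the usual replacement is a user-space loop that keeps reading until the request is satisfied but waits with a deadline, so a peer that goes quiet produces a bounded timeout rather than an unbounded blocking call. The following is an added example, not code from this page or the kernel; recv_exact, RecvTimeout and demo are names chosen here, and a socketpair stands in for the MPTCP connection.

```python
import select
import socket
import time

# Added example (not code from the page or the kernel project): read exactly
# `size` bytes without MSG_WAITALL, so a peer that stops sending produces a
# bounded timeout in user space instead of an unbounded blocking recvmsg().
class RecvTimeout(Exception):
    """Raised when the peer stopped sending before `size` bytes arrived."""
    def __init__(self, partial):
        super().__init__(f"timed out with {len(partial)} bytes buffered")
        self.partial = partial


def recv_exact(sock, size, timeout_s):
    """Return exactly `size` bytes. Raises RecvTimeout (carrying the partial data)
    when the deadline passes, ConnectionError when the peer closes early."""
    chunks, got = [], 0
    deadline = time.monotonic() + timeout_s
    while got < size:
        remaining = max(0.0, deadline - time.monotonic())
        ready, _, _ = select.select([sock], [], [], remaining)
        if not ready:                      # nothing readable before the deadline
            raise RecvTimeout(b"".join(chunks))
        data = sock.recv(size - got)       # plain recv(): returns whatever is queued
        if not data:
            raise ConnectionError(f"peer closed after {got} of {size} bytes")
        chunks.append(data)
        got += len(data)
    return b"".join(chunks)


def demo(total=8, send=b"abcdefgh", timeout_s=0.2, peer_closes=False):
    """Drive recv_exact over a socketpair standing in for the MPTCP connection.
    Returns ("ok", data), ("timeout", partial) or ("closed", message)."""
    a, b = socket.socketpair()
    try:
        b.sendall(send)                    # peer sends `send`, then goes quiet
        if peer_closes:
            b.close()
        try:
            return ("ok", recv_exact(a, total, timeout_s))
        except RecvTimeout as e:
            return ("timeout", e.partial)
        except ConnectionError as e:
            return ("closed", str(e))
    finally:
        a.close()
        b.close()
```

This only changes what the application asks the kernel to do; the kernel fix in item 1 is still required, since once a vulnerable kernel is spinning inside recvmsg(MSG_WAITALL) no user-space timeout can interrupt it.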


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-05-21T14:58:30.832Z
CISA Enriched: true
CVSS Version: null
State: PUBLISHED

Threat ID: 682d9833c4522896dcbe9185

Added to database: 5/21/2025, 9:09:07 AM

Last enriched: 6/30/2025, 1:12:57 PM

Last updated: 8/5/2025, 12:43:27 AM

