CVE-2021-47515: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

seg6: fix the iif in the IPv6 socket control block

When an IPv4 packet is received, the ip_rcv_core(...) sets the receiving interface index into the IPv4 socket control block (v5.16-rc4, net/ipv4/ip_input.c line 510):

    IPCB(skb)->iif = skb->skb_iif;

If that IPv4 packet is meant to be encapsulated in an outer IPv6+SRH header, the seg6_do_srh_encap(...) performs the required encapsulation. In this case, the seg6_do_srh_encap function clears the IPv6 socket control block (v5.16-rc4 net/ipv6/seg6_iptunnel.c line 163):

    memset(IP6CB(skb), 0, sizeof(*IP6CB(skb)));

The memset(...) was introduced in commit ef489749aae5 ("ipv6: sr: clear IP6CB(skb) on SRH ip4ip6 encapsulation") a long time ago (2019-01-29).

Since the IPv6 socket control block and the IPv4 socket control block share the same memory area (skb->cb), the receiving interface index info is lost (IP6CB(skb)->iif is set to zero).

As a side effect, that condition triggers a NULL pointer dereference if commit 0857d6f8c759 ("ipv6: When forwarding count rx stats on the orig netdev") is applied.

To fix that issue, we set the IP6CB(skb)->iif with the index of the receiving interface once again.
AI Analysis
Technical Summary
CVE-2021-47515 is a vulnerability in the Linux kernel related to the handling of IPv4 packets encapsulated within IPv6 Segment Routing Header (SRH) tunnels. Specifically, the issue arises from the interaction between the IPv4 and IPv6 socket control blocks (IPCB and IP6CB) which share the same memory area (skb->cb). When an IPv4 packet is received, the receiving interface index (iif) is set in the IPv4 socket control block. However, if the packet is encapsulated in an IPv6+SRH header, the function seg6_do_srh_encap clears the IPv6 socket control block memory area using memset, inadvertently erasing the iif information. This loss of the receiving interface index can lead to a NULL pointer dereference when certain forwarding statistics code paths are executed, specifically after commit 0857d6f8c759 was applied. The root cause is the clearing of the shared memory area without preserving the iif field, causing the kernel to lose track of the interface on which the packet was received. The fix involves explicitly restoring the iif field in the IPv6 socket control block after the memset operation to maintain correct interface tracking. This vulnerability affects Linux kernel versions containing the specified commits and is related to the segment routing IPv6 (seg6) implementation and IPv4-in-IPv6 encapsulation. While no known exploits are reported in the wild, the flaw can cause kernel crashes due to NULL pointer dereferences, potentially leading to denial of service (DoS) conditions on affected systems.
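The shared control block behaviour described above, modelled in user space as an added example (not kernel code and not part of the original advisory). The struct layouts are simplified stand-ins, and model_ip_rcv_core, model_seg6_encap and iif_after_encap are hypothetical names; only the memset and the two iif assignments mirror the statements quoted in the description.

```c
#include <stdio.h>
#include <string.h>

/* Simplified user-space stand-ins for the kernel structures (assumed layout,
 * reduced to the fields this bug touches); not the kernel's definitions. */
struct inet_skb_parm  { int iif; unsigned short flags; };
struct inet6_skb_parm { int iif; unsigned short flags; unsigned short nhoff; };

struct sk_buff {
    int  skb_iif;                              /* receiving interface index */
    char cb[48] __attribute__((aligned(8)));   /* one area shared by IPv4 and IPv6 */
};

#define IPCB(skb)  ((struct inet_skb_parm *)((skb)->cb))
#define IP6CB(skb) ((struct inet6_skb_parm *)((skb)->cb))

/* Models ip_rcv_core(): record the ingress interface in the IPv4 view of cb. */
static void model_ip_rcv_core(struct sk_buff *skb, int ifindex)
{
    skb->skb_iif = ifindex;
    IPCB(skb)->iif = skb->skb_iif;
}

/* Models the control block handling in seg6_do_srh_encap().
 * restore_iif == 0: behaviour before the fix; 1: behaviour after it. */
static int model_seg6_encap(struct sk_buff *skb, int restore_iif)
{
    memset(IP6CB(skb), 0, sizeof(*IP6CB(skb)));  /* also wipes IPCB(skb)->iif */
    if (restore_iif)
        IP6CB(skb)->iif = skb->skb_iif;          /* the fix: set iif once again */
    return IP6CB(skb)->iif;
}

/* Returns the iif that a later IPv6 forwarding path would read from cb. */
int iif_after_encap(int ifindex, int restore_iif)
{
    struct sk_buff skb;
    memset(&skb, 0, sizeof(skb));
    model_ip_rcv_core(&skb, ifindex);
    return model_seg6_encap(&skb, restore_iif);
}

int main(void)
{
    printf("before fix: iif=%d\n", iif_after_encap(3, 0));
    printf("after fix:  iif=%d\n", iif_after_encap(3, 1));
    return 0;
}
```

An iif of zero matches no interface, which is why code that later resolves the receiving device from IP6CB(skb)->iif ends up with a NULL pointer.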
Potential Impact
For European organizations, this vulnerability poses a risk primarily to systems running affected Linux kernel versions with segment routing IPv6 features enabled, especially in environments utilizing IPv4-in-IPv6 encapsulation. The impact includes potential denial of service through kernel crashes triggered by crafted network packets, which could disrupt critical network infrastructure, servers, or services relying on Linux-based systems. Organizations operating data centers, cloud services, or network equipment that leverage advanced IPv6 routing features may experience service outages or degraded network performance. Although the vulnerability does not appear to allow remote code execution or privilege escalation, the resulting instability could be exploited to cause operational disruptions. Given the increasing adoption of IPv6 and segment routing in European telecom and enterprise networks, the vulnerability could affect ISPs, cloud providers, and enterprises with complex network topologies. The absence of known exploits reduces immediate risk, but the vulnerability should be addressed promptly to prevent potential exploitation or accidental crashes.
Mitigation Recommendations
European organizations should take the following specific actions:
1) Identify and inventory Linux systems running kernel versions containing the affected commits, focusing on those using IPv6 segment routing and IPv4-in-IPv6 encapsulation features.
2) Apply the latest Linux kernel patches or updates that include the fix for CVE-2021-47515 as soon as they become available from trusted Linux distributions or upstream sources.
3) If immediate patching is not feasible, consider disabling segment routing IPv6 features or IPv4-in-IPv6 encapsulation on critical systems to reduce exposure.
4) Monitor network traffic for unusual IPv4-in-IPv6 encapsulated packets that could trigger the vulnerability, using advanced network monitoring tools capable of inspecting IPv6 SRH headers.
5) Implement robust kernel crash monitoring and automated recovery mechanisms to minimize downtime in case of exploitation or accidental triggering.
6) Engage with Linux distribution vendors and security mailing lists to stay informed about patch releases and related advisories.
7) For environments using custom or embedded Linux kernels, coordinate with vendors or internal development teams to backport the fix promptly.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-05-24T15:02:54.824Z
- Cisa Enriched: true
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9822c4522896dcbde146
Added to database: 5/21/2025, 9:08:50 AM
Last enriched: 6/28/2025, 5:25:03 AM
Last updated: 8/12/2025, 8:55:08 AM