CVE-2021-47555: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

net: vlan: fix underflow for the real_dev refcnt

Inject error before dev_hold(real_dev) in register_vlan_dev(), and execute the following testcase:

    ip link add dev dummy1 type dummy
    ip link add name dummy1.100 link dummy1 type vlan id 100
    ip link del dev dummy1

When the dummy netdevice is removed, we will get a WARNING as follows:

    =======================================================================
    refcount_t: decrement hit 0; leaking memory.
    WARNING: CPU: 2 PID: 0 at lib/refcount.c:31 refcount_warn_saturate+0xbf/0x1e0

and an endless loop of:

    =======================================================================
    unregister_netdevice: waiting for dummy1 to become free. Usage count = -1073741824

That is because dev_put(real_dev) in vlan_dev_free() is called without dev_hold(real_dev) in register_vlan_dev(). It makes the refcnt of real_dev underflow.

Move the dev_hold(real_dev) to vlan_dev_init() which is the call-back of ndo_init(). That makes dev_hold() and dev_put() for vlan's real_dev symmetrical.
AI Analysis
Technical Summary
CVE-2021-47555 is a medium-severity vulnerability in the Linux kernel's networking subsystem, specifically in VLAN (Virtual LAN) device handling. The issue is improper reference count management for the underlying real network device (real_dev) when VLAN devices are registered and unregistered. In the vulnerable code path, register_vlan_dev() can fail before it reaches dev_hold(real_dev), so the reference count of real_dev is never incremented, while the corresponding decrement, dev_put(real_dev), is still called in vlan_dev_free(). Because dev_put() runs without a matching dev_hold(), the reference count underflows and the usage count becomes negative. When the dummy network device is removed, the result is a refcount underflow warning and an endless loop in the unregister_netdevice process, as the system waits indefinitely for the device to become free.

The fix moves the dev_hold(real_dev) call to vlan_dev_init(), which is the ndo_init() callback, so that dev_hold() and dev_put() calls are symmetrical and the reference count is correctly maintained.

This vulnerability can cause denial-of-service conditions due to kernel warnings and indefinite loops in device unregistration, potentially impacting system stability and availability. The CVSS v3.1 base score is 4.4 (medium), reflecting a local attack vector, low complexity, required privileges, no user interaction, and limited confidentiality impact but availability impact due to potential hangs. No known exploits in the wild have been reported as of the publication date.
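The hold/put asymmetry described above can be reproduced in a small user-space model. This is an added example, not kernel code or the upstream patch: the structs, the `fixed` and `inject_error` flags and `refcnt_balance()` are hypothetical, and the model assumes a failed registration still runs the destructor, as the description implies.

```c
/* User-space model of the real_dev hold/put pairing; not kernel code. */
#include <stdbool.h>
#include <stdio.h>

struct net_device { int refcnt; };   /* counts only the VLAN layer's references */
struct vlan_dev { struct net_device *real_dev; };

static void dev_hold(struct net_device *d) { d->refcnt++; }
static void dev_put(struct net_device *d) { d->refcnt--; }

/* Destructor: unconditionally drops the reference on real_dev. */
static void vlan_dev_free(struct vlan_dev *v) { dev_put(v->real_dev); }

/* Fixed placement: the hold is taken in the init callback. */
static void vlan_dev_init(struct vlan_dev *v) { dev_hold(v->real_dev); }

/* Model of registration. fixed=false takes the hold late in the register
 * step (pre-fix); fixed=true takes it in vlan_dev_init(). Assumption: a
 * failed registration still runs the destructor. */
static int register_vlan_dev(struct vlan_dev *v, bool fixed, bool inject_error)
{
    if (fixed)
        vlan_dev_init(v);
    if (inject_error) {              /* error injected before the late hold */
        vlan_dev_free(v);
        return -1;
    }
    if (!fixed)
        dev_hold(v->real_dev);
    return 0;
}

/* Net references the VLAN layer leaves on real_dev after one create/teardown. */
static int refcnt_balance(bool fixed, bool inject_error)
{
    struct net_device real = { 0 };
    struct vlan_dev v = { &real };
    if (register_vlan_dev(&v, fixed, inject_error) == 0)
        vlan_dev_free(&v);           /* normal teardown of the VLAN device */
    return real.refcnt;
}

int main(void)
{
    printf("failed register: pre-fix=%d fixed=%d\n",
           refcnt_balance(false, true), refcnt_balance(true, true));
    printf("success path:    pre-fix=%d fixed=%d\n",
           refcnt_balance(false, false), refcnt_balance(true, false));
    return 0;
}
```

A balance below zero on the pre-fix failure path is the underflow; the success path is balanced in both variants, which is why the bug only shows when registration fails.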
Potential Impact
For European organizations, this vulnerability primarily poses a risk to the availability and stability of Linux-based systems that utilize VLAN networking, which is common in enterprise and data center environments. Systems running affected Linux kernel versions may experience kernel warnings and indefinite loops during network device removal, potentially leading to denial of service or degraded network functionality. This can disrupt critical network segmentation, impacting services relying on VLAN isolation such as multi-tenant cloud environments, enterprise internal networks, and industrial control systems. Although the confidentiality and integrity impacts are low, the availability impact can affect operational continuity, especially in environments with dynamic network device management or automated network orchestration. Organizations with Linux-based infrastructure in networking roles, including telecom providers, cloud service operators, and large enterprises, should be aware of this risk. The requirement for local privileges to exploit limits remote attack potential, but insider threats or compromised accounts could trigger the issue. Given the widespread use of Linux in European IT infrastructure, the vulnerability could have broad operational implications if unpatched.
Mitigation Recommendations
1. Apply the official Linux kernel patches that address CVE-2021-47555 as soon as they become available from trusted sources or Linux distribution vendors.
2. For environments where immediate patching is not feasible, avoid dynamic creation and deletion of VLAN devices on affected systems to reduce the risk of triggering the vulnerability.
3. Implement strict access controls and monitoring to limit local privileged user actions that could exploit this vulnerability.
4. Use kernel live patching solutions where supported to minimize downtime while applying fixes.
5. Monitor system logs for refcount warnings or unregister_netdevice loops as early indicators of exploitation or triggering conditions.
6. In virtualized or containerized environments, isolate network device management to reduce the blast radius of potential exploitation.
7. Regularly update Linux kernel versions to benefit from ongoing security improvements and fixes.
8. Conduct thorough testing of network device management automation scripts to ensure they do not inadvertently trigger the vulnerability.
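For item 5, a minimal log scanner that matches the two messages quoted in the description. It is an added example, not part of the advisory or any vendor tooling; the `findings` struct, the function names, the timestamps and the unrelated last sample line are constructed for illustration.

```c
/* Added example: scan kernel log lines for the symptoms quoted in the description. */
#include <stdio.h>
#include <string.h>

struct findings {
    int refcount_warnings;  /* "refcount_t: decrement hit 0" lines */
    int stuck_waits;        /* "unregister_netdevice: waiting for ..." lines */
    int negative_counts;    /* stuck waits that report a usage count below zero */
    char device[32];        /* device named in the most recent stuck wait */
};

static void scan_line(const char *line, struct findings *f)
{
    char dev[32];
    long count;
    const char *p = strstr(line, "unregister_netdevice: waiting for ");
    if (strstr(line, "refcount_t: decrement hit 0"))
        f->refcount_warnings++;
    if (p && sscanf(p, "unregister_netdevice: waiting for %31s to become free."
                       " Usage count = %ld", dev, &count) == 2) {
        f->stuck_waits++;
        f->negative_counts += (count < 0);   /* a negative count means underflow */
        snprintf(f->device, sizeof f->device, "%s", dev);
    }
}

static struct findings scan_log(const char *const *lines, size_t n)
{
    struct findings f = { 0 };
    for (size_t i = 0; i < n; i++) scan_line(lines[i], &f);
    return f;
}

/* Constructed sample: the description's messages with made-up timestamps. */
static const char *const SAMPLE[] = {
    "[  101.000001] refcount_t: decrement hit 0; leaking memory.",
    "[  101.000002] WARNING: CPU: 2 PID: 0 at lib/refcount.c:31 refcount_warn_saturate+0xbf/0x1e0",
    "[  111.000003] unregister_netdevice: waiting for dummy1 to become free. Usage count = -1073741824",
    "[  121.000004] unregister_netdevice: waiting for dummy1 to become free. Usage count = -1073741824",
    "[  130.000005] eth0: link up",
};
#define SAMPLE_LEN (sizeof SAMPLE / sizeof SAMPLE[0])

int main(void)
{
    struct findings f = scan_log(SAMPLE, SAMPLE_LEN);
    printf("warnings=%d waits=%d negative=%d dev=%s\n", f.refcount_warnings, f.stuck_waits, f.negative_counts, f.device);
    return 0;
}
```

Repeated stuck waits for the same device with a negative usage count are the stronger signal; a single wait message can also appear briefly during ordinary device teardown.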
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-05-24T15:02:54.833Z
- Cisa Enriched: true
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 682d9822c4522896dcbde178
Added to database: 5/21/2025, 9:08:50 AM
Last enriched: 6/28/2025, 5:25:54 AM
Last updated: 8/6/2025, 1:44:37 PM