CVE-2021-47557: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: net/sched: sch_ets: don't peek at classes beyond 'nbands' when the number of DRR classes decreases, the round-robin active list can contain elements that have already been freed in ets_qdisc_change(). As a consequence, it's possible to see a NULL dereference crash, caused by the attempt to call cl->qdisc->ops->peek(cl->qdisc) when cl->qdisc is NULL: BUG: kernel NULL pointer dereference, address: 0000000000000018 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP NOPTI CPU: 1 PID: 910 Comm: mausezahn Not tainted 5.16.0-rc1+ #475 Hardware name: Red Hat KVM, BIOS 1.11.1-4.module+el8.1.0+4066+0f1aadab 04/01/2014 RIP: 0010:ets_qdisc_dequeue+0x129/0x2c0 [sch_ets] Code: c5 01 41 39 ad e4 02 00 00 0f 87 18 ff ff ff 49 8b 85 c0 02 00 00 49 39 c4 0f 84 ba 00 00 00 49 8b ad c0 02 00 00 48 8b 7d 10 <48> 8b 47 18 48 8b 40 38 0f ae e8 ff d0 48 89 c3 48 85 c0 0f 84 9d RSP: 0000:ffffbb36c0b5fdd8 EFLAGS: 00010287 RAX: ffff956678efed30 RBX: 0000000000000000 RCX: 0000000000000000 RDX: 0000000000000002 RSI: ffffffff9b938dc9 RDI: 0000000000000000 RBP: ffff956678efed30 R08: e2f3207fe360129c R09: 0000000000000000 R10: 0000000000000001 R11: 0000000000000001 R12: ffff956678efeac0 R13: ffff956678efe800 R14: ffff956611545000 R15: ffff95667ac8f100 FS: 00007f2aa9120740(0000) GS:ffff95667b800000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000018 CR3: 000000011070c000 CR4: 0000000000350ee0 Call Trace: <TASK> qdisc_peek_dequeued+0x29/0x70 [sch_ets] tbf_dequeue+0x22/0x260 [sch_tbf] __qdisc_run+0x7f/0x630 net_tx_action+0x290/0x4c0 __do_softirq+0xee/0x4f8 irq_exit_rcu+0xf4/0x130 sysvec_apic_timer_interrupt+0x52/0xc0 asm_sysvec_apic_timer_interrupt+0x12/0x20 RIP: 0033:0x7f2aa7fc9ad4 Code: b9 ff ff 48 8b 54 24 18 48 83 c4 08 48 89 ee 48 89 df 5b 5d e9 ed fc ff ff 0f 1f 00 66 2e 0f 1f 84 00 00 00 00 00 f3 0f 1e fa <53> 48 83 ec 10 48 8b 05 10 64 33 00 48 8b 00 48 85 c0 0f 85 84 00 RSP: 002b:00007ffe5d33fab8 EFLAGS: 00000202 RAX: 0000000000000002 RBX: 0000561f72c31460 RCX: 0000561f72c31720 RDX: 0000000000000002 RSI: 0000561f72c31722 RDI: 0000561f72c31720 RBP: 000000000000002a R08: 00007ffe5d33fa40 R09: 0000000000000014 R10: 0000000000000000 R11: 0000000000000246 R12: 0000561f7187e380 R13: 0000000000000000 R14: 0000000000000000 R15: 0000561f72c31460 </TASK> Modules linked in: sch_ets sch_tbf dummy rfkill iTCO_wdt intel_rapl_msr iTCO_vendor_support intel_rapl_common joydev virtio_balloon lpc_ich i2c_i801 i2c_smbus pcspkr ip_tables xfs libcrc32c crct10dif_pclmul crc32_pclmul crc32c_intel ahci libahci ghash_clmulni_intel serio_raw libata virtio_blk virtio_console virtio_net net_failover failover sunrpc dm_mirror dm_region_hash dm_log dm_mod CR2: 0000000000000018 Ensuring that 'alist' was never zeroed [1] was not sufficient, we need to remove from the active list those elements that are no more SP nor DRR. [1] https://lore.kernel.org/netdev/60d274838bf09777f0371253416e8af71360bc08.1633609148.git.dcaratti@redhat.com/ v3: fix race between ets_qdisc_change() and ets_qdisc_dequeue() delisting DRR classes beyond 'nbands' in ets_qdisc_change() with the qdisc lock acquired, thanks to Cong Wang. v2: when a NULL qdisc is found in the DRR active list, try to dequeue skb from the next list item.
AI Analysis
Technical Summary
CVE-2021-47557 is a vulnerability identified in the Linux kernel's network scheduling subsystem, specifically within the 'sch_ets' (Earliest Time First Scheduler) queuing discipline implementation. The flaw arises when the number of Deficit Round Robin (DRR) classes decreases, causing the round-robin active list to retain references to classes that have already been freed. This leads to a NULL pointer dereference when the kernel attempts to invoke the 'peek' operation on a qdisc (queueing discipline) pointer that has become NULL. The vulnerability manifests as a kernel NULL pointer dereference, resulting in a kernel crash (BUG) and a potential denial of service (DoS) condition. The root cause is a race condition and improper cleanup in the ets_qdisc_change() function, which fails to remove invalid classes from the active list, allowing subsequent calls in ets_qdisc_dequeue() to access freed memory. The issue was addressed by ensuring that elements no longer part of the SP (Strict Priority) or DRR classes are removed from the active list while holding the qdisc lock, preventing access to invalid pointers. The vulnerability affects Linux kernel versions including commit dcc68b4d8084e1ac9af0d4022d6b1aff6a139a33 and likely related versions around that timeframe. Exploitation does not appear to be widespread or documented in the wild. The vulnerability requires local or network conditions that allow manipulation of the network scheduler classes, and it results in a kernel panic or crash rather than remote code execution. The technical details include kernel oops logs showing the NULL dereference at address 0x18 and call traces within the sch_ets module. The vulnerability was patched with changes to the active list management and synchronization to prevent race conditions between ets_qdisc_change() and ets_qdisc_dequeue().
Potential Impact
For European organizations, this vulnerability primarily poses a risk of denial of service on Linux-based systems that utilize the affected network scheduling components. Systems running vulnerable Linux kernel versions with the sch_ets queuing discipline enabled could experience kernel crashes, leading to service interruptions. This can affect servers, network appliances, and virtualized environments relying on Linux kernels for networking performance and traffic shaping. Critical infrastructure, cloud service providers, and enterprises with Linux-based networking equipment or virtual machines could see degraded availability or forced reboots. While the vulnerability does not enable privilege escalation or remote code execution, the resulting instability can disrupt business operations, especially in environments requiring high availability and network performance guarantees. Given the widespread use of Linux in European data centers, telecommunications, and industrial control systems, the impact could be significant if unpatched. However, exploitation requires specific conditions related to network scheduler configuration, somewhat limiting the attack surface. The absence of known exploits in the wild reduces immediate risk but does not eliminate the need for prompt remediation to maintain operational stability and security compliance.
Mitigation Recommendations
European organizations should prioritize updating their Linux kernels to versions that include the patch for CVE-2021-47557. Specifically, they should: 1) Identify all systems running affected Linux kernel versions, focusing on those using the sch_ets queuing discipline for network traffic management. 2) Apply vendor-provided kernel updates or patches that address the race condition and active list cleanup in the sch_ets module. 3) Review network scheduler configurations to minimize unnecessary complexity in DRR classes and avoid dynamic changes that could trigger the vulnerability. 4) Implement monitoring for kernel oops or crash logs indicative of this vulnerability to detect potential exploitation attempts. 5) In virtualized or containerized environments, ensure hypervisors and container runtimes are updated to prevent propagation of kernel crashes. 6) Consider temporary mitigation by disabling or replacing the sch_ets queuing discipline with alternative schedulers if patching is delayed. 7) Maintain robust backup and recovery procedures to quickly restore services in case of DoS incidents. These steps go beyond generic advice by focusing on scheduler-specific configurations and proactive detection of kernel instability related to this vulnerability.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain
CVE-2021-47557: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: net/sched: sch_ets: don't peek at classes beyond 'nbands' when the number of DRR classes decreases, the round-robin active list can contain elements that have already been freed in ets_qdisc_change(). As a consequence, it's possible to see a NULL dereference crash, caused by the attempt to call cl->qdisc->ops->peek(cl->qdisc) when cl->qdisc is NULL: BUG: kernel NULL pointer dereference, address: 0000000000000018 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP NOPTI CPU: 1 PID: 910 Comm: mausezahn Not tainted 5.16.0-rc1+ #475 Hardware name: Red Hat KVM, BIOS 1.11.1-4.module+el8.1.0+4066+0f1aadab 04/01/2014 RIP: 0010:ets_qdisc_dequeue+0x129/0x2c0 [sch_ets] Code: c5 01 41 39 ad e4 02 00 00 0f 87 18 ff ff ff 49 8b 85 c0 02 00 00 49 39 c4 0f 84 ba 00 00 00 49 8b ad c0 02 00 00 48 8b 7d 10 <48> 8b 47 18 48 8b 40 38 0f ae e8 ff d0 48 89 c3 48 85 c0 0f 84 9d RSP: 0000:ffffbb36c0b5fdd8 EFLAGS: 00010287 RAX: ffff956678efed30 RBX: 0000000000000000 RCX: 0000000000000000 RDX: 0000000000000002 RSI: ffffffff9b938dc9 RDI: 0000000000000000 RBP: ffff956678efed30 R08: e2f3207fe360129c R09: 0000000000000000 R10: 0000000000000001 R11: 0000000000000001 R12: ffff956678efeac0 R13: ffff956678efe800 R14: ffff956611545000 R15: ffff95667ac8f100 FS: 00007f2aa9120740(0000) GS:ffff95667b800000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000018 CR3: 000000011070c000 CR4: 0000000000350ee0 Call Trace: <TASK> qdisc_peek_dequeued+0x29/0x70 [sch_ets] tbf_dequeue+0x22/0x260 [sch_tbf] __qdisc_run+0x7f/0x630 net_tx_action+0x290/0x4c0 __do_softirq+0xee/0x4f8 irq_exit_rcu+0xf4/0x130 sysvec_apic_timer_interrupt+0x52/0xc0 asm_sysvec_apic_timer_interrupt+0x12/0x20 RIP: 0033:0x7f2aa7fc9ad4 Code: b9 ff ff 48 8b 54 24 18 48 83 c4 08 48 89 ee 48 89 df 5b 5d e9 ed fc ff ff 0f 1f 00 66 2e 0f 1f 84 00 00 00 00 00 f3 0f 1e fa <53> 48 83 ec 10 48 8b 05 10 64 33 00 48 8b 00 48 85 c0 0f 85 84 00 RSP: 002b:00007ffe5d33fab8 EFLAGS: 00000202 RAX: 0000000000000002 RBX: 0000561f72c31460 RCX: 0000561f72c31720 RDX: 0000000000000002 RSI: 0000561f72c31722 RDI: 0000561f72c31720 RBP: 000000000000002a R08: 00007ffe5d33fa40 R09: 0000000000000014 R10: 0000000000000000 R11: 0000000000000246 R12: 0000561f7187e380 R13: 0000000000000000 R14: 0000000000000000 R15: 0000561f72c31460 </TASK> Modules linked in: sch_ets sch_tbf dummy rfkill iTCO_wdt intel_rapl_msr iTCO_vendor_support intel_rapl_common joydev virtio_balloon lpc_ich i2c_i801 i2c_smbus pcspkr ip_tables xfs libcrc32c crct10dif_pclmul crc32_pclmul crc32c_intel ahci libahci ghash_clmulni_intel serio_raw libata virtio_blk virtio_console virtio_net net_failover failover sunrpc dm_mirror dm_region_hash dm_log dm_mod CR2: 0000000000000018 Ensuring that 'alist' was never zeroed [1] was not sufficient, we need to remove from the active list those elements that are no more SP nor DRR. [1] https://lore.kernel.org/netdev/60d274838bf09777f0371253416e8af71360bc08.1633609148.git.dcaratti@redhat.com/ v3: fix race between ets_qdisc_change() and ets_qdisc_dequeue() delisting DRR classes beyond 'nbands' in ets_qdisc_change() with the qdisc lock acquired, thanks to Cong Wang. v2: when a NULL qdisc is found in the DRR active list, try to dequeue skb from the next list item.
AI-Powered Analysis
Technical Analysis
CVE-2021-47557 is a vulnerability identified in the Linux kernel's network scheduling subsystem, specifically within the 'sch_ets' (Earliest Time First Scheduler) queuing discipline implementation. The flaw arises when the number of Deficit Round Robin (DRR) classes decreases, causing the round-robin active list to retain references to classes that have already been freed. This leads to a NULL pointer dereference when the kernel attempts to invoke the 'peek' operation on a qdisc (queueing discipline) pointer that has become NULL. The vulnerability manifests as a kernel NULL pointer dereference, resulting in a kernel crash (BUG) and a potential denial of service (DoS) condition. The root cause is a race condition and improper cleanup in the ets_qdisc_change() function, which fails to remove invalid classes from the active list, allowing subsequent calls in ets_qdisc_dequeue() to access freed memory. The issue was addressed by ensuring that elements no longer part of the SP (Strict Priority) or DRR classes are removed from the active list while holding the qdisc lock, preventing access to invalid pointers. The vulnerability affects Linux kernel versions including commit dcc68b4d8084e1ac9af0d4022d6b1aff6a139a33 and likely related versions around that timeframe. Exploitation does not appear to be widespread or documented in the wild. The vulnerability requires local or network conditions that allow manipulation of the network scheduler classes, and it results in a kernel panic or crash rather than remote code execution. The technical details include kernel oops logs showing the NULL dereference at address 0x18 and call traces within the sch_ets module. The vulnerability was patched with changes to the active list management and synchronization to prevent race conditions between ets_qdisc_change() and ets_qdisc_dequeue().
Potential Impact
For European organizations, this vulnerability primarily poses a risk of denial of service on Linux-based systems that utilize the affected network scheduling components. Systems running vulnerable Linux kernel versions with the sch_ets queuing discipline enabled could experience kernel crashes, leading to service interruptions. This can affect servers, network appliances, and virtualized environments relying on Linux kernels for networking performance and traffic shaping. Critical infrastructure, cloud service providers, and enterprises with Linux-based networking equipment or virtual machines could see degraded availability or forced reboots. While the vulnerability does not enable privilege escalation or remote code execution, the resulting instability can disrupt business operations, especially in environments requiring high availability and network performance guarantees. Given the widespread use of Linux in European data centers, telecommunications, and industrial control systems, the impact could be significant if unpatched. However, exploitation requires specific conditions related to network scheduler configuration, somewhat limiting the attack surface. The absence of known exploits in the wild reduces immediate risk but does not eliminate the need for prompt remediation to maintain operational stability and security compliance.
Mitigation Recommendations
European organizations should prioritize updating their Linux kernels to versions that include the patch for CVE-2021-47557. Specifically, they should: 1) Identify all systems running affected Linux kernel versions, focusing on those using the sch_ets queuing discipline for network traffic management. 2) Apply vendor-provided kernel updates or patches that address the race condition and active list cleanup in the sch_ets module. 3) Review network scheduler configurations to minimize unnecessary complexity in DRR classes and avoid dynamic changes that could trigger the vulnerability. 4) Implement monitoring for kernel oops or crash logs indicative of this vulnerability to detect potential exploitation attempts. 5) In virtualized or containerized environments, ensure hypervisors and container runtimes are updated to prevent propagation of kernel crashes. 6) Consider temporary mitigation by disabling or replacing the sch_ets queuing discipline with alternative schedulers if patching is delayed. 7) Maintain robust backup and recovery procedures to quickly restore services in case of DoS incidents. These steps go beyond generic advice by focusing on scheduler-specific configurations and proactive detection of kernel instability related to this vulnerability.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2024-05-24T15:02:54.834Z
- Cisa Enriched
- true
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 682d9833c4522896dcbe9459
Added to database: 5/21/2025, 9:09:07 AM
Last enriched: 6/30/2025, 2:40:20 PM
Last updated: 7/26/2025, 12:37:09 AM
Views: 8
Related Threats
CVE-2025-54885: CWE-331: Insufficient Entropy in simbo1905 thinbus-srp-npm
MediumCVE-2025-54882: CWE-522: Insufficiently Protected Credentials in himmelblau-idm himmelblau
HighCVE-2025-54799: CWE-319: Cleartext Transmission of Sensitive Information in go-acme lego
LowCVE-2025-54798: CWE-59: Improper Link Resolution Before File Access ('Link Following') in raszi node-tmp
LowCVE-2025-46387: CWE-639 Authorization Bypass Through User-Controlled Key in Emby MediaBrowser
HighActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.