CVE-2021-47572: Vulnerability in the Linux kernel
Description
In the Linux kernel, the following vulnerability has been resolved:

net: nexthop: fix null pointer dereference when IPv6 is not enabled

When we try to add an IPv6 nexthop and IPv6 is not enabled (!CONFIG_IPV6) we'll hit a NULL pointer dereference[1] in the error path of nh_create_ipv6() due to calling ipv6_stub->fib6_nh_release. The bug has been present since the beginning of IPv6 nexthop gateway support. Commit 1aefd3de7bc6 ("ipv6: Add fib6_nh_init and release to stubs") tells us that only fib6_nh_init has a dummy stub because fib6_nh_release should not be called if fib6_nh_init returns an error, but the commit below added a call to ipv6_stub->fib6_nh_release in its error path. To fix it return the dummy stub's -EAFNOSUPPORT error directly without calling ipv6_stub->fib6_nh_release in nh_create_ipv6()'s error path.

[1] Output is a bit truncated, but it clearly shows the error.

BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor instruction fetch in kernel mode
#PF: error_code(0x0010) - not-present page
PGD 0 P4D 0
Oops: 0010 [#1] PREEMPT SMP NOPTI
CPU: 4 PID: 638 Comm: ip Kdump: loaded Not tainted 5.16.0-rc1+ #446
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-4.fc34 04/01/2014
RIP: 0010:0x0
Code: Unable to access opcode bytes at RIP 0xffffffffffffffd6.
RSP: 0018:ffff888109f5b8f0 EFLAGS: 00010286
RAX: 0000000000000000 RBX: ffff888109f5ba28 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff8881008a2860
RBP: ffff888109f5b9d8 R08: 0000000000000000 R09: 0000000000000000
R10: ffff888109f5b978 R11: ffff888109f5b948 R12: 00000000ffffff9f
R13: ffff8881008a2a80 R14: ffff8881008a2860 R15: ffff8881008a2840
FS:  00007f98de70f100(0000) GS:ffff88822bf00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffd6 CR3: 0000000100efc000 CR4: 00000000000006e0
Call Trace:
 <TASK>
 nh_create_ipv6+0xed/0x10c
 rtm_new_nexthop+0x6d7/0x13f3
 ? check_preemption_disabled+0x3d/0xf2
 ? lock_is_held_type+0xbe/0xfd
 rtnetlink_rcv_msg+0x23f/0x26a
 ? check_preemption_disabled+0x3d/0xf2
 ? rtnl_calcit.isra.0+0x147/0x147
 netlink_rcv_skb+0x61/0xb2
 netlink_unicast+0x100/0x187
 netlink_sendmsg+0x37f/0x3a0
 ? netlink_unicast+0x187/0x187
 sock_sendmsg_nosec+0x67/0x9b
 ____sys_sendmsg+0x19d/0x1f9
 ? copy_msghdr_from_user+0x4c/0x5e
 ? rcu_read_lock_any_held+0x2a/0x78
 ___sys_sendmsg+0x6c/0x8c
 ? asm_sysvec_apic_timer_interrupt+0x12/0x20
 ? lockdep_hardirqs_on+0xd9/0x102
 ? sockfd_lookup_light+0x69/0x99
 __sys_sendmsg+0x50/0x6e
 do_syscall_64+0xcb/0xf2
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f98dea28914
Code: 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b5 0f 1f 80 00 00 00 00 48 8d 05 e9 5d 0c 00 8b 00 85 c0 75 13 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 54 c3 0f 1f 00 41 54 41 89 d4 55 48 89 f5 53
RSP: 002b:00007fff859f5e68 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00000000619cb810 RCX: 00007f98dea28914
RDX: 0000000000000000 RSI: 00007fff859f5ed0 RDI: 0000000000000003
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000008
R10: fffffffffffffce6 R11: 0000000000000246 R12: 0000000000000001
R13: 000055c0097ae520 R14: 000055c0097957fd R15: 00007fff859f63a0
 </TASK>
Modules linked in: bridge stp llc bonding virtio_net
AI Analysis
Technical Summary
CVE-2021-47572 is a Linux kernel vulnerability in the handling of IPv6 nexthop objects on kernels built without IPv6 support (!CONFIG_IPV6). It is a NULL pointer dereference in nh_create_ipv6(). On such a kernel, ipv6_stub points at a dummy table whose fib6_nh_init simply returns -EAFNOSUPPORT; as the commit message explains, no dummy fib6_nh_release was ever provided, because release is not supposed to be called after a failed init, so that function pointer is NULL. The error path of nh_create_ipv6() nevertheless called ipv6_stub->fib6_nh_release after fib6_nh_init failed, and the kernel jumped through the NULL pointer (RIP: 0010:0x0 in the oops above) and crashed. The bug has existed since IPv6 nexthop gateway support was introduced. It is triggered by an attempt to add an IPv6 nexthop on a kernel with IPv6 disabled, and the result is a denial of service (DoS) through a kernel oops or panic; the call trace in the description (rtnetlink_rcv_msg, rtm_new_nexthop, nh_create_ipv6, with the ip utility as the calling process) confirms that the crash sits in the routing netlink code path. No known exploits are currently reported in the wild, and no CVSS score has been assigned. The fix changes the error path in nh_create_ipv6() to return the dummy stub's -EAFNOSUPPORT error directly, without calling fib6_nh_release.
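To make the error-path mistake concrete, here is an added, self-contained C model. It is not the kernel's code: the struct and function names are simplified stand-ins for ipv6_stub, fib6_nh_init and fib6_nh_release, and the "before" function records that a NULL function pointer would be called instead of actually crashing. It contrasts the pre-fix shape (release after any init failure) with the fixed shape the commit message describes (return the dummy stub's -EAFNOSUPPORT directly).

```c
#include <errno.h>
#include <stddef.h>

/* Constructed, simplified model of the kernel's ipv6_stub function table. */
struct fib6_nh { int initialised; };
struct ipv6_stub {
	int  (*fib6_nh_init)(struct fib6_nh *nh);
	void (*fib6_nh_release)(struct fib6_nh *nh);
};

/* !CONFIG_IPV6: init is a dummy that refuses, release has no stub at all. */
static int eafnosupport_fib6_nh_init(struct fib6_nh *nh) { (void)nh; return -EAFNOSUPPORT; }
static const struct ipv6_stub stub_no_ipv6 = { eafnosupport_fib6_nh_init, NULL };

/* CONFIG_IPV6 with a failing init (constructed), to show release is still needed there. */
static int failing_fib6_nh_init(struct fib6_nh *nh) { nh->initialised = 1; return -EINVAL; }
static void real_fib6_nh_release(struct fib6_nh *nh) { nh->initialised = 0; }
static const struct ipv6_stub stub_ipv6_init_fails = { failing_fib6_nh_init, real_fib6_nh_release };

/*
 * Shape of the pre-fix error path: any init error leads to a release call.
 * The kernel called the pointer unconditionally; this model only records
 * whether that call would go through NULL (the RIP: 0010:0x0 in the oops).
 */
static int nh_create_ipv6_before(const struct ipv6_stub *stub, struct fib6_nh *nh, int *null_deref)
{
	int err = stub->fib6_nh_init(nh);

	*null_deref = 0;
	if (err) {
		if (!stub->fib6_nh_release)
			*null_deref = 1;
		else
			stub->fib6_nh_release(nh);
	}
	return err;
}

/* Fixed shape: the dummy stub's -EAFNOSUPPORT is returned without touching release. */
static int nh_create_ipv6_after(const struct ipv6_stub *stub, struct fib6_nh *nh, int *null_deref)
{
	int err = stub->fib6_nh_init(nh);

	*null_deref = 0;
	if (err) {
		/* IPv6 is not enabled, so there is no fib6_nh_release to call */
		if (err == -EAFNOSUPPORT)
			return err;
		stub->fib6_nh_release(nh);
	}
	return err;
}
```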
Potential Impact
The primary impact of CVE-2021-47572 is a denial of service: a kernel crash when an IPv6 nexthop is added on a Linux system whose kernel was built without IPv6. For European organizations this could disrupt critical network infrastructure running affected kernels, in particular routers, firewalls, or servers that manage routing configuration. Any system that processes rtnetlink messages for routing updates can be crashed, causing a service outage. Triggering the bug requires sending a nexthop-creation netlink message to the kernel; this is a local operation (in the trace the caller was the ip utility), and the kernel only accepts such requests from a process holding CAP_NET_ADMIN in the relevant network namespace, so the realistic vector is a privileged local user, a compromised administrative process or routing daemon, or potentially a remote attacker who has already gained access to a privileged management interface or can induce the vulnerable code path. Only kernels built without CONFIG_IPV6 are affected, which in practice means custom, minimal or embedded builds rather than stock distribution kernels. The vulnerability does not appear to allow privilege escalation or code execution, but it causes system instability and downtime. Organizations relying on Linux-based network appliances or servers in Europe could face operational disruptions affecting the availability of network services. Given the widespread use of Linux in European data centers, telecom infrastructure, and enterprise environments, the risk of service interruption is significant where unpatched systems are exposed.
Mitigation Recommendations
To mitigate CVE-2021-47572, European organizations should:
1) Apply the official Linux kernel patch that fixes the error path in nh_create_ipv6() so that fib6_nh_release is not called when IPv6 is disabled.
2) Upgrade to a kernel version that includes the fix, or backport the patch when running long-term support kernels.
3) Audit network configuration and automation so that no IPv6 nexthops are added on systems whose kernel is built without IPv6; until the patch is applied, keeping that operation out of configuration is the only way to keep the crashing path unreachable.
4) Restrict access to netlink sockets and routing configuration interfaces to trusted administrators only. Creating a nexthop requires CAP_NET_ADMIN in the network namespace, so review which users, containers and daemons hold that capability, minimizing the risk of malicious or accidental triggering.
5) Monitor kernel logs for the signature of this bug: a "BUG: kernel NULL pointer dereference" oops with RIP 0x0 and nh_create_ipv6 / rtm_new_nexthop in the call trace. By default an oops kills only the calling process and leaves the kernel running, so the fault can pass unnoticed unless kernel logs are collected; with panic_on_oops set, the same fault takes the whole host down.
6) Implement network segmentation and access controls to limit exposure of vulnerable systems to untrusted users or networks.
7) For critical infrastructure, consider deploying kernel hardening features and runtime protections (including crash-dump collection, as the kdump-enabled trace above shows, and reboot policies that restore service quickly) that mitigate the impact of kernel NULL pointer dereferences.
These measures go beyond generic advice by focusing on configuration hygiene, access control, and patch management specific to this vulnerability.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-05-24T15:11:00.729Z
- Cisa Enriched: true
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9833c4522896dcbe94d4
Added to database: 5/21/2025, 9:09:07 AM
Last enriched: 6/30/2025, 2:54:45 PM
Last updated: 8/5/2025, 9:02:29 AM