
CVE-2021-47588: Vulnerability in Linux

High
Published: Wed Jun 19 2024 (06/19/2024, 14:53:52 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

sit: do not call ipip6_dev_free() from sit_init_net()

ipip6_dev_free is sit dev->priv_destructor, already called by register_netdevice() if something goes wrong.

Alternative would be to make ipip6_dev_free() robust against multiple invocations, but other drivers do not implement this strategy.

syzbot reported:

dst_release underflow
WARNING: CPU: 0 PID: 5059 at net/core/dst.c:173 dst_release+0xd8/0xe0 net/core/dst.c:173
Modules linked in:
CPU: 1 PID: 5059 Comm: syz-executor.4 Not tainted 5.16.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:dst_release+0xd8/0xe0 net/core/dst.c:173
Call Trace:
 <TASK>
 dst_cache_destroy+0x107/0x1e0 net/core/dst_cache.c:160
 ipip6_dev_free net/ipv6/sit.c:1414 [inline]
 sit_init_net+0x229/0x550 net/ipv6/sit.c:1936
 ops_init+0x313/0x430 net/core/net_namespace.c:140
 setup_net+0x35b/0x9d0 net/core/net_namespace.c:326
 copy_net_ns+0x359/0x5c0 net/core/net_namespace.c:470
 create_new_namespaces+0x4ce/0xa00 kernel/nsproxy.c:110
 unshare_nsproxy_namespaces+0x11e/0x180 kernel/nsproxy.c:226
 ksys_unshare+0x57d/0xb50 kernel/fork.c:3075
 __do_sys_unshare kernel/fork.c:3146 [inline]
 __se_sys_unshare kernel/fork.c:3144 [inline]
 __x64_sys_unshare+0x34/0x40 kernel/fork.c:3144
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f66c882ce99
 </TASK>

AI-Powered Analysis

Last updated: 06/28/2025, 05:26:16 UTC

Technical Analysis

CVE-2021-47588 is a vulnerability in the Linux kernel's sit (Simple Internet Transition) module, which implements IPv6-in-IPv4 tunnelling. The flaw is in the per-namespace initialization routine sit_init_net(): when something goes wrong it called ipip6_dev_free() directly, but ipip6_dev_free() is the sit device's priv_destructor, and register_netdevice() already invokes that destructor when registration fails. The destructor therefore ran twice over the same device, tearing down its dst cache twice; the second dst_cache_destroy() releases a reference that has already been dropped, and the kernel reports this as a dst_release underflow warning in net/core/dst.c, the component that manages destination cache entries. The problem was found by syzbot, the kernel fuzzing tool. The fix removes the redundant call rather than making ipip6_dev_free() tolerant of repeated invocation; the commit notes that other drivers do not implement that defensive strategy, so the destructor is expected to run exactly once. The report was produced on 5.16.0-rc5, and earlier kernels carrying the same sit_init_net() code are affected. The faulty path runs during network namespace setup, so reaching it requires local access and the ability to create or unshare a network namespace (the trace shows the unshare() system call). No exploitation in the wild has been reported. The expected consequence is a kernel warning or crash (denial of service); as with any kernel double free, memory corruption that might be leveraged for privilege escalation or arbitrary code execution cannot be ruled out under certain conditions. The issue is subtle, involving kernel internals of network device lifecycle management and namespace isolation.

Potential Impact

For European organizations, the impact of CVE-2021-47588 primarily concerns systems running vulnerable Linux kernel versions with the sit module enabled. This includes servers, cloud infrastructure, and embedded devices that utilize IPv6 tunneling for network communication or isolation. The vulnerability could lead to denial of service through kernel crashes, disrupting critical services and operations. In more severe cases, if exploited for memory corruption, it could allow attackers to escalate privileges or execute arbitrary code, compromising system confidentiality and integrity. Organizations relying on Linux-based cloud platforms, virtualization, container orchestration, or network namespace features are particularly at risk. Disruption of network namespaces could affect multi-tenant environments and containerized applications, impacting service availability. Given the widespread use of Linux in European data centers, telecommunications, and industrial control systems, unpatched systems could face operational interruptions and increased risk of targeted attacks exploiting this kernel flaw.

Mitigation Recommendations

To mitigate CVE-2021-47588, European organizations should:

1) Apply the latest Linux kernel patches that address the sit module's improper destructor invocation. Since no patch links are provided, organizations should monitor official Linux kernel repositories and distributions for updates incorporating this fix.

2) Disable the sit module if IPv6-in-IPv4 tunneling is not required, reducing the attack surface. This can be done by blacklisting the module or recompiling the kernel without sit support.

3) Restrict local user access and privilege escalation paths to prevent untrusted users from triggering network namespace creation or unshare operations.

4) Employ kernel hardening techniques such as Kernel Address Space Layout Randomization (KASLR), Kernel Page Table Isolation (KPTI), and seccomp filters to limit the impact of potential exploitation.

5) Monitor system logs for dst_release warnings or kernel crashes indicative of attempts to exploit this vulnerability.

6) In containerized or virtualized environments, enforce strict namespace and capability restrictions to minimize exposure.

7) Conduct thorough testing of kernel updates in staging environments before deployment to avoid service disruptions.
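Added example for recommendations 2) and 5), not part of the CVE record: a small shell detector that matches the crash signature from the syzbot report in kernel log output (dmesg or journalctl -k), plus a read-only check of whether sit is disabled on the host. SAMPLE_LOG is constructed to mirror the quoted trace; the function names and the modprobe.d patterns are this example's own assumptions.

```shell
#!/bin/sh
# Constructed sample, shaped like the syzbot report on this page (not a real capture).
SAMPLE_LOG='[  123.456789] dst_release underflow
[  123.456790] WARNING: CPU: 0 PID: 5059 at net/core/dst.c:173 dst_release+0xd8/0xe0 net/core/dst.c:173
[  123.456791] Call Trace:
[  123.456792]  <TASK>
[  123.456793]  dst_cache_destroy+0x107/0x1e0 net/core/dst_cache.c:160
[  123.456794]  ipip6_dev_free net/ipv6/sit.c:1414 [inline]
[  123.456795]  sit_init_net+0x229/0x550 net/ipv6/sit.c:1936
[  123.456796]  ops_init+0x313/0x430 net/core/net_namespace.c:140
[  123.456797]  </TASK>'

# Read kernel log lines from stdin; exit 0 only if a dst_release WARNING is
# followed, inside the same <TASK> block, by dst_cache_destroy and then
# sit_init_net. A dst_release warning from some unrelated path does not match.
sit_dst_underflow_in_log() {
  awk '
    /WARNING: .*dst_release/      { in_warn = 1; seen_dst = 0; next }
    in_warn && /dst_cache_destroy/ { seen_dst = 1 }
    in_warn && seen_dst && /sit_init_net/ { hit = 1 }
    in_warn && /<\/TASK>/          { in_warn = 0; seen_dst = 0 }
    END { exit hit ? 0 : 1 }
  '
}

# Exit 0 if sit is not loaded and is blacklisted (or stubbed out with an
# "install sit /bin/false" line) under /etc/modprobe.d. Read-only; works
# unprivileged. A host built without CONFIG_IPV6_SIT also has no /sys/module/sit.
sit_module_disabled() {
  [ ! -d /sys/module/sit ] &&
  grep -rqsE '^[[:space:]]*(blacklist[[:space:]]+sit|install[[:space:]]+sit[[:space:]]+/bin/(false|true))[[:space:]]*$' /etc/modprobe.d
}

# Demonstration on the constructed sample; for a live check pipe `dmesg` in instead.
if printf '%s\n' "$SAMPLE_LOG" | sit_dst_underflow_in_log; then
  echo "sample log: CVE-2021-47588 dst_release underflow signature present"
fi
if sit_module_disabled; then
  echo "sit module: not loaded and blacklisted"
else
  echo "sit module: loaded or not blacklisted (check needed if tunnelling is unused)"
fi
```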


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-05-24T15:11:00.732Z
CISA Enriched: true
CVSS Version: null
State: PUBLISHED

Threat ID: 682d9822c4522896dcbde184

Added to database: 5/21/2025, 9:08:50 AM

Last enriched: 6/28/2025, 5:26:16 AM

Last updated: 8/18/2025, 11:32:06 PM
