
CVE-2021-47592: Vulnerability in Linux

Severity: Medium
Published: Wed Jun 19 2024 (06/19/2024, 14:53:55 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

net: stmmac: fix tc flower deletion for VLAN priority Rx steering

To replicate the issue:

1) Add 1 flower filter for VLAN Priority based frame steering:

   $ IFDEVNAME=eth0
   $ tc qdisc add dev $IFDEVNAME ingress
   $ tc qdisc add dev $IFDEVNAME root mqprio num_tc 8 \
       map 0 1 2 3 4 5 6 7 0 0 0 0 0 0 0 0 \
       queues 1@0 1@1 1@2 1@3 1@4 1@5 1@6 1@7 hw 0
   $ tc filter add dev $IFDEVNAME parent ffff: protocol 802.1Q \
       flower vlan_prio 0 hw_tc 0

2) Get the 'pref' id

   $ tc filter show dev $IFDEVNAME ingress

3) Delete a specific tc flower record (say pref 49151)

   $ tc filter del dev $IFDEVNAME parent ffff: pref 49151

From dmesg, we will observe a kernel NULL pointer oops:

   [ 197.170464] BUG: kernel NULL pointer dereference, address: 0000000000000000
   [ 197.171367] #PF: supervisor read access in kernel mode
   [ 197.171367] #PF: error_code(0x0000) - not-present page
   [ 197.171367] PGD 0 P4D 0
   [ 197.171367] Oops: 0000 [#1] PREEMPT SMP NOPTI
   <snip>
   [ 197.171367] RIP: 0010:tc_setup_cls+0x20b/0x4a0 [stmmac]
   <snip>
   [ 197.171367] Call Trace:
   [ 197.171367]  <TASK>
   [ 197.171367]  ? __stmmac_disable_all_queues+0xa8/0xe0 [stmmac]
   [ 197.171367]  stmmac_setup_tc_block_cb+0x70/0x110 [stmmac]
   [ 197.171367]  tc_setup_cb_destroy+0xb3/0x180
   [ 197.171367]  fl_hw_destroy_filter+0x94/0xc0 [cls_flower]

The above issue is due to the previous incorrect implementation of tc_del_vlan_flow(), shown below, that uses flow_cls_offload_flow_rule() to get struct flow_rule *rule, which is no longer valid for the tc filter delete operation:

   struct flow_rule *rule = flow_cls_offload_flow_rule(cls);
   struct flow_dissector *dissector = rule->match.dissector;

So, to ensure tc_del_vlan_flow() deletes the right VLAN cls record for the RX queue configured earlier (by hw_tc) in tc_add_vlan_flow(), this patch introduces stmmac_rfs_entry as a driver-side flow_cls_offload record for 'RX frame steering' tc flower, currently used for VLAN priority.

The implementation has taken into consideration future extension to include other types of RX frame steering, such as EtherType based.

v2:
- Clean up overly extensive backtrace and rewrite git message to better explain the kernel NULL pointer issue.
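The shape of the fix, as an added example that is not the stmmac driver's code: a constructed userspace C model in which the add path records what it needs while the rule is valid, and the delete path finds that record by the classifier's cookie alone instead of reading cls->rule, which is NULL on destroy. The kernel's flow_cls_offload really does carry command, cookie and rule; everything else here (rfs_table, rfs_add_vlan_flow, rfs_del_vlan_flow, rfs_scenario, the stand-in match data and the cookie values) is an assumption for illustration, and the real stmmac_rfs_entry layout is not reproduced.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
/* Constructed model of the kernel's flow_cls_offload: ->rule is attached on
 * REPLACE only and is NULL on DESTROY, where the old tc_del_vlan_flow() read it. */
enum flow_cls_command { FLOW_CLS_REPLACE, FLOW_CLS_DESTROY };
struct flow_rule { int vlan_prio; };                 /* stand-in for match data */
struct flow_cls_offload { enum flow_cls_command command; unsigned long cookie; struct flow_rule *rule; };
/* Driver-side record in the spirit of the patch's stmmac_rfs_entry (names constructed). */
#define RFS_MAX 8
struct rfs_entry { bool in_use; unsigned long cookie; int vlan_prio; int tc; };
struct rfs_table { struct rfs_entry e[RFS_MAX]; };

/* Add path: copy what a later delete needs out of the rule while it is valid. */
int rfs_add_vlan_flow(struct rfs_table *t, const struct flow_cls_offload *cls, int hw_tc)
{
	if (cls->command != FLOW_CLS_REPLACE || !cls->rule)
		return -EINVAL;
	for (int i = 0; i < RFS_MAX; i++) {
		if (t->e[i].in_use)
			continue;
		t->e[i] = (struct rfs_entry){ true, cls->cookie, cls->rule->vlan_prio, hw_tc };
		return 0;
	}
	return -ENOSPC;
}

/* Delete path: match on cookie only, never touch cls->rule; returns hw tc or -ENOENT. */
int rfs_del_vlan_flow(struct rfs_table *t, const struct flow_cls_offload *cls)
{
	for (int i = 0; i < RFS_MAX; i++) {
		if (!t->e[i].in_use || t->e[i].cookie != cls->cookie)
			continue;
		t->e[i].in_use = false;
		return t->e[i].tc;
	}
	return -ENOENT;
}

/* The page's scenario: add vlan_prio 0 -> hw_tc 0, then destroy with rule == NULL. */
int rfs_scenario(unsigned long add_cookie, unsigned long del_cookie)
{
	struct rfs_table t = {0};
	struct flow_rule r = { .vlan_prio = 0 };
	struct flow_cls_offload add = { FLOW_CLS_REPLACE, add_cookie, &r };
	struct flow_cls_offload del = { FLOW_CLS_DESTROY, del_cookie, NULL };
	int ret = rfs_add_vlan_flow(&t, &add, 0);
	return ret ? ret : rfs_del_vlan_flow(&t, &del);
}
```

With the old design the destroy step would have dereferenced the NULL rule; here it resolves to the recorded tc 0, and a destroy for an unknown cookie fails cleanly with -ENOENT.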

AI-Powered Analysis

Last updated: 06/30/2025, 15:10:43 UTC

Technical Analysis

CVE-2021-47592 is a medium-severity vulnerability in the Linux kernel's stmmac network driver, specifically related to the handling of traffic control (tc) flower filters for VLAN priority-based receive (Rx) frame steering. The vulnerability arises from a NULL pointer dereference triggered when deleting a tc flower filter configured for VLAN priority Rx steering. The root cause is an incorrect implementation in the tc_del_vlan_flow() function, which attempts to retrieve a flow_rule pointer via flow_cls_offload_flow_rule(cls) that is no longer valid during filter deletion. This leads to a kernel NULL pointer dereference and consequent kernel oops, causing a denial of service (DoS) by crashing the kernel. The issue manifests when a user adds a flower filter for VLAN priority frame steering on an Ethernet device, then deletes a specific tc flower record, resulting in a kernel crash observable in dmesg logs. The patch introduces a driver-side flow_cls_offload record (stmmac_rfs_entry) to correctly track and delete VLAN classification records associated with hardware traffic classes (hw_tc), preventing invalid pointer dereferences. This fix also lays groundwork for future extensions to support other Rx frame steering types such as EtherType-based filtering. The vulnerability requires local privileges with the ability to configure tc filters on the affected network interface and does not require user interaction. The CVSS v3.1 score is 5.5 (medium), reflecting local attack vector, low complexity, low privileges required, no user interaction, unchanged scope, no confidentiality or integrity impact, but high impact on availability due to kernel crashes. No known exploits are reported in the wild as of publication.

Potential Impact

For European organizations, this vulnerability poses a risk primarily to systems running vulnerable Linux kernel versions with the stmmac driver enabled and using VLAN priority Rx steering via tc flower filters. The impact is a denial of service through kernel crashes, which can disrupt network connectivity and availability of critical services relying on affected Linux hosts or network appliances. This is particularly relevant for organizations with infrastructure using embedded Linux devices, industrial control systems, or network equipment employing the stmmac driver for Ethernet interfaces. The vulnerability does not expose data confidentiality or integrity but can cause service outages, potentially affecting operational continuity. In sectors such as telecommunications, manufacturing, and critical infrastructure, where Linux-based network devices are common, this could lead to significant operational disruptions. However, exploitation requires local privileges to configure tc filters, limiting remote exploitation risk. The absence of known exploits reduces immediate threat but patching remains important to prevent potential DoS attacks by malicious insiders or compromised local users.

Mitigation Recommendations

European organizations should take the following specific mitigation steps:

1) Identify Linux systems using the stmmac driver and verify kernel versions against the patched versions addressing CVE-2021-47592.
2) Apply the official Linux kernel patches or upgrade to a kernel version that includes the fix to prevent the NULL pointer dereference during tc flower filter deletion.
3) Restrict local user privileges to prevent unauthorized configuration of tc filters, limiting the ability to trigger the vulnerability.
4) Monitor system logs (dmesg) for kernel oops or crashes related to tc flower filter operations as indicators of attempted exploitation or misconfiguration.
5) For embedded or specialized devices where kernel upgrades are challenging, consider disabling VLAN priority Rx steering or tc flower filters if not required.
6) Incorporate this vulnerability into vulnerability management and patching cycles, prioritizing systems critical to network operations and industrial control.
7) Educate system administrators on safe usage of tc filters and the risks of improper deletion commands.

These measures go beyond generic advice by focusing on driver-specific configurations, privilege restrictions, and operational monitoring tailored to this vulnerability.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-05-24T15:11:00.733Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d9833c4522896dcbe9544

Added to database: 5/21/2025, 9:09:07 AM

Last enriched: 6/30/2025, 3:10:43 PM

Last updated: 8/5/2025, 2:32:30 PM

