CVE-2021-47594: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: mptcp: never allow the PM to close a listener subflow Currently, when deleting an endpoint the netlink PM treverses all the local MPTCP sockets, regardless of their status. If an MPTCP listener socket is bound to the IP matching the delete endpoint, the listener TCP socket will be closed. That is unexpected, the PM should only affect data subflows. Additionally, syzbot was able to trigger a NULL ptr dereference due to the above: general protection fault, probably for non-canonical address 0xdffffc0000000003: 0000 [#1] PREEMPT SMP KASAN KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f] CPU: 1 PID: 6550 Comm: syz-executor122 Not tainted 5.16.0-rc4-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:__lock_acquire+0xd7d/0x54a0 kernel/locking/lockdep.c:4897 Code: 0f 0e 41 be 01 00 00 00 0f 86 c8 00 00 00 89 05 69 cc 0f 0e e9 bd 00 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 da 48 c1 ea 03 <80> 3c 02 00 0f 85 f3 2f 00 00 48 81 3b 20 75 17 8f 0f 84 52 f3 ff RSP: 0018:ffffc90001f2f818 EFLAGS: 00010016 RAX: dffffc0000000000 RBX: 0000000000000018 RCX: 0000000000000000 RDX: 0000000000000003 RSI: 0000000000000000 RDI: 0000000000000001 RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000001 R10: 0000000000000000 R11: 000000000000000a R12: 0000000000000000 R13: ffff88801b98d700 R14: 0000000000000000 R15: 0000000000000001 FS: 00007f177cd3d700(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f177cd1b268 CR3: 000000001dd55000 CR4: 0000000000350ee0 Call Trace: <TASK> lock_acquire kernel/locking/lockdep.c:5637 [inline] lock_acquire+0x1ab/0x510 kernel/locking/lockdep.c:5602 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] _raw_spin_lock_irqsave+0x39/0x50 kernel/locking/spinlock.c:162 finish_wait+0xc0/0x270 kernel/sched/wait.c:400 inet_csk_wait_for_connect net/ipv4/inet_connection_sock.c:464 [inline] inet_csk_accept+0x7de/0x9d0 net/ipv4/inet_connection_sock.c:497 mptcp_accept+0xe5/0x500 net/mptcp/protocol.c:2865 inet_accept+0xe4/0x7b0 net/ipv4/af_inet.c:739 mptcp_stream_accept+0x2e7/0x10e0 net/mptcp/protocol.c:3345 do_accept+0x382/0x510 net/socket.c:1773 __sys_accept4_file+0x7e/0xe0 net/socket.c:1816 __sys_accept4+0xb0/0x100 net/socket.c:1846 __do_sys_accept net/socket.c:1864 [inline] __se_sys_accept net/socket.c:1861 [inline] __x64_sys_accept+0x71/0xb0 net/socket.c:1861 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7f177cd8b8e9 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f177cd3d308 EFLAGS: 00000246 ORIG_RAX: 000000000000002b RAX: ffffffffffffffda RBX: 00007f177ce13408 RCX: 00007f177cd8b8e9 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003 RBP: 00007f177ce13400 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00007f177ce1340c R13: 00007f177cde1004 R14: 6d705f706374706d R15: 0000000000022000 </TASK> Fix the issue explicitly skipping MPTCP socket in TCP_LISTEN status.
AI Analysis
Technical Summary
CVE-2021-47594 is a vulnerability in the Linux kernel's implementation of Multipath TCP (MPTCP), specifically related to the path manager (PM) component. The flaw arises because when an endpoint is deleted, the netlink PM traverses all local MPTCP sockets without filtering by their status. Consequently, if an MPTCP listener socket is bound to the IP address of the deleted endpoint, the listener TCP socket is erroneously closed. This behavior is unintended since the PM should only affect data subflows, not listener sockets. This improper handling can lead to unexpected socket closures, disrupting network connections relying on MPTCP. Additionally, the vulnerability can cause a NULL pointer dereference, as demonstrated by syzbot (a kernel fuzzing tool), leading to a general protection fault and kernel crash. The root cause is the failure to explicitly skip MPTCP sockets in the TCP_LISTEN state during endpoint deletion. The vulnerability affects Linux kernel versions prior to the patch that fixes this logic by excluding listener sockets from closure. The issue can cause denial of service (DoS) conditions due to kernel crashes or unexpected socket closures, impacting systems using MPTCP for network communication. The vulnerability does not require user interaction or authentication to be triggered if an attacker can influence endpoint deletion or socket binding. No known exploits are reported in the wild as of the publication date. The technical details include kernel stack traces showing the NULL pointer dereference in kernel locking code during socket operations, highlighting the severity of the crash. This vulnerability is relevant to Linux systems with MPTCP enabled or in use, which is increasingly common in environments requiring resilient or multipath network connections.
Potential Impact
For European organizations, this vulnerability poses a risk primarily to servers and network infrastructure running Linux kernels with MPTCP enabled. Organizations relying on MPTCP for load balancing, redundancy, or improved network throughput could experience unexpected service disruptions due to listener socket closures or kernel crashes. This can affect critical services such as web servers, application servers, and network appliances, leading to denial of service and potential operational downtime. The impact on confidentiality and integrity is limited since the vulnerability primarily causes availability issues. However, availability disruptions in critical infrastructure or cloud services can have cascading effects on business operations and service delivery. Given the widespread use of Linux in European data centers, cloud providers, and enterprise environments, the vulnerability could affect a broad range of sectors including finance, telecommunications, healthcare, and government. The lack of known exploits reduces immediate risk, but the potential for kernel panics and service outages necessitates prompt mitigation. The vulnerability could also be leveraged in targeted attacks to disrupt services or as part of a larger attack chain.
Mitigation Recommendations
European organizations should take the following specific mitigation steps: 1) Identify Linux systems running kernels with MPTCP enabled, especially those in critical network roles or exposed to untrusted networks. 2) Apply the latest Linux kernel patches that explicitly fix this vulnerability by skipping MPTCP listener sockets during endpoint deletion. If vendor-specific kernel updates are not yet available, consider disabling MPTCP functionality temporarily to prevent exploitation. 3) Monitor kernel logs for signs of NULL pointer dereferences or unexpected socket closures related to MPTCP. 4) Implement network segmentation and strict access controls to limit the ability of untrusted users or processes to manipulate MPTCP endpoints or sockets. 5) Use kernel hardening features such as Kernel Address Sanitizer (KASAN) and lock debugging to detect and analyze potential kernel faults early. 6) Incorporate this vulnerability into vulnerability management and incident response plans to ensure rapid detection and remediation. 7) Coordinate with Linux distribution vendors and cloud providers to ensure timely patch deployment. These measures go beyond generic advice by focusing on MPTCP-specific configurations and kernel-level monitoring.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Denmark, Ireland, Italy, Spain
CVE-2021-47594: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: mptcp: never allow the PM to close a listener subflow Currently, when deleting an endpoint the netlink PM treverses all the local MPTCP sockets, regardless of their status. If an MPTCP listener socket is bound to the IP matching the delete endpoint, the listener TCP socket will be closed. That is unexpected, the PM should only affect data subflows. Additionally, syzbot was able to trigger a NULL ptr dereference due to the above: general protection fault, probably for non-canonical address 0xdffffc0000000003: 0000 [#1] PREEMPT SMP KASAN KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f] CPU: 1 PID: 6550 Comm: syz-executor122 Not tainted 5.16.0-rc4-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:__lock_acquire+0xd7d/0x54a0 kernel/locking/lockdep.c:4897 Code: 0f 0e 41 be 01 00 00 00 0f 86 c8 00 00 00 89 05 69 cc 0f 0e e9 bd 00 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 da 48 c1 ea 03 <80> 3c 02 00 0f 85 f3 2f 00 00 48 81 3b 20 75 17 8f 0f 84 52 f3 ff RSP: 0018:ffffc90001f2f818 EFLAGS: 00010016 RAX: dffffc0000000000 RBX: 0000000000000018 RCX: 0000000000000000 RDX: 0000000000000003 RSI: 0000000000000000 RDI: 0000000000000001 RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000001 R10: 0000000000000000 R11: 000000000000000a R12: 0000000000000000 R13: ffff88801b98d700 R14: 0000000000000000 R15: 0000000000000001 FS: 00007f177cd3d700(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f177cd1b268 CR3: 000000001dd55000 CR4: 0000000000350ee0 Call Trace: <TASK> lock_acquire kernel/locking/lockdep.c:5637 [inline] lock_acquire+0x1ab/0x510 kernel/locking/lockdep.c:5602 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] _raw_spin_lock_irqsave+0x39/0x50 kernel/locking/spinlock.c:162 finish_wait+0xc0/0x270 kernel/sched/wait.c:400 inet_csk_wait_for_connect net/ipv4/inet_connection_sock.c:464 [inline] inet_csk_accept+0x7de/0x9d0 net/ipv4/inet_connection_sock.c:497 mptcp_accept+0xe5/0x500 net/mptcp/protocol.c:2865 inet_accept+0xe4/0x7b0 net/ipv4/af_inet.c:739 mptcp_stream_accept+0x2e7/0x10e0 net/mptcp/protocol.c:3345 do_accept+0x382/0x510 net/socket.c:1773 __sys_accept4_file+0x7e/0xe0 net/socket.c:1816 __sys_accept4+0xb0/0x100 net/socket.c:1846 __do_sys_accept net/socket.c:1864 [inline] __se_sys_accept net/socket.c:1861 [inline] __x64_sys_accept+0x71/0xb0 net/socket.c:1861 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7f177cd8b8e9 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f177cd3d308 EFLAGS: 00000246 ORIG_RAX: 000000000000002b RAX: ffffffffffffffda RBX: 00007f177ce13408 RCX: 00007f177cd8b8e9 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003 RBP: 00007f177ce13400 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00007f177ce1340c R13: 00007f177cde1004 R14: 6d705f706374706d R15: 0000000000022000 </TASK> Fix the issue explicitly skipping MPTCP socket in TCP_LISTEN status.
AI-Powered Analysis
Technical Analysis
CVE-2021-47594 is a vulnerability in the Linux kernel's implementation of Multipath TCP (MPTCP), specifically related to the path manager (PM) component. The flaw arises because when an endpoint is deleted, the netlink PM traverses all local MPTCP sockets without filtering by their status. Consequently, if an MPTCP listener socket is bound to the IP address of the deleted endpoint, the listener TCP socket is erroneously closed. This behavior is unintended since the PM should only affect data subflows, not listener sockets. This improper handling can lead to unexpected socket closures, disrupting network connections relying on MPTCP. Additionally, the vulnerability can cause a NULL pointer dereference, as demonstrated by syzbot (a kernel fuzzing tool), leading to a general protection fault and kernel crash. The root cause is the failure to explicitly skip MPTCP sockets in the TCP_LISTEN state during endpoint deletion. The vulnerability affects Linux kernel versions prior to the patch that fixes this logic by excluding listener sockets from closure. The issue can cause denial of service (DoS) conditions due to kernel crashes or unexpected socket closures, impacting systems using MPTCP for network communication. The vulnerability does not require user interaction or authentication to be triggered if an attacker can influence endpoint deletion or socket binding. No known exploits are reported in the wild as of the publication date. The technical details include kernel stack traces showing the NULL pointer dereference in kernel locking code during socket operations, highlighting the severity of the crash. This vulnerability is relevant to Linux systems with MPTCP enabled or in use, which is increasingly common in environments requiring resilient or multipath network connections.
Potential Impact
For European organizations, this vulnerability poses a risk primarily to servers and network infrastructure running Linux kernels with MPTCP enabled. Organizations relying on MPTCP for load balancing, redundancy, or improved network throughput could experience unexpected service disruptions due to listener socket closures or kernel crashes. This can affect critical services such as web servers, application servers, and network appliances, leading to denial of service and potential operational downtime. The impact on confidentiality and integrity is limited since the vulnerability primarily causes availability issues. However, availability disruptions in critical infrastructure or cloud services can have cascading effects on business operations and service delivery. Given the widespread use of Linux in European data centers, cloud providers, and enterprise environments, the vulnerability could affect a broad range of sectors including finance, telecommunications, healthcare, and government. The lack of known exploits reduces immediate risk, but the potential for kernel panics and service outages necessitates prompt mitigation. The vulnerability could also be leveraged in targeted attacks to disrupt services or as part of a larger attack chain.
Mitigation Recommendations
European organizations should take the following specific mitigation steps: 1) Identify Linux systems running kernels with MPTCP enabled, especially those in critical network roles or exposed to untrusted networks. 2) Apply the latest Linux kernel patches that explicitly fix this vulnerability by skipping MPTCP listener sockets during endpoint deletion. If vendor-specific kernel updates are not yet available, consider disabling MPTCP functionality temporarily to prevent exploitation. 3) Monitor kernel logs for signs of NULL pointer dereferences or unexpected socket closures related to MPTCP. 4) Implement network segmentation and strict access controls to limit the ability of untrusted users or processes to manipulate MPTCP endpoints or sockets. 5) Use kernel hardening features such as Kernel Address Sanitizer (KASAN) and lock debugging to detect and analyze potential kernel faults early. 6) Incorporate this vulnerability into vulnerability management and incident response plans to ensure rapid detection and remediation. 7) Coordinate with Linux distribution vendors and cloud providers to ensure timely patch deployment. These measures go beyond generic advice by focusing on MPTCP-specific configurations and kernel-level monitoring.
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2024-05-24T15:11:00.733Z
- Cisa Enriched
- true
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 682d9833c4522896dcbe954c
Added to database: 5/21/2025, 9:09:07 AM
Last enriched: 6/30/2025, 3:11:33 PM
Last updated: 8/6/2025, 1:44:55 PM
Views: 12
Related Threats
CVE-2025-9091: Hard-coded Credentials in Tenda AC20
LowCVE-2025-9090: Command Injection in Tenda AC20
MediumCVE-2025-9092: CWE-400 Uncontrolled Resource Consumption in Legion of the Bouncy Castle Inc. Bouncy Castle for Java - BC-FJA 2.1.0
LowCVE-2025-9089: Stack-based Buffer Overflow in Tenda AC20
HighCVE-2025-9088: Stack-based Buffer Overflow in Tenda AC20
HighActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.