
CVE-2021-47597: Vulnerability in Linux (Linux kernel)

Severity: High
Published: Wed Jun 19 2024 (06/19/2024, 14:53:58 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

inet_diag: fix kernel-infoleak for UDP sockets

KMSAN reported a kernel-infoleak [1], that can be exploited by unpriv users.

After analysis it turned out UDP was not initializing r->idiag_expires.

Other users of inet_sk_diag_fill() might make the same mistake in the future, so fix this in inet_sk_diag_fill().

[1]
BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:121 [inline]
BUG: KMSAN: kernel-infoleak in copyout lib/iov_iter.c:156 [inline]
BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x69d/0x25c0 lib/iov_iter.c:670
 instrument_copy_to_user include/linux/instrumented.h:121 [inline]
 copyout lib/iov_iter.c:156 [inline]
 _copy_to_iter+0x69d/0x25c0 lib/iov_iter.c:670
 copy_to_iter include/linux/uio.h:155 [inline]
 simple_copy_to_iter+0xf3/0x140 net/core/datagram.c:519
 __skb_datagram_iter+0x2cb/0x1280 net/core/datagram.c:425
 skb_copy_datagram_iter+0xdc/0x270 net/core/datagram.c:533
 skb_copy_datagram_msg include/linux/skbuff.h:3657 [inline]
 netlink_recvmsg+0x660/0x1c60 net/netlink/af_netlink.c:1974
 sock_recvmsg_nosec net/socket.c:944 [inline]
 sock_recvmsg net/socket.c:962 [inline]
 sock_read_iter+0x5a9/0x630 net/socket.c:1035
 call_read_iter include/linux/fs.h:2156 [inline]
 new_sync_read fs/read_write.c:400 [inline]
 vfs_read+0x1631/0x1980 fs/read_write.c:481
 ksys_read+0x28c/0x520 fs/read_write.c:619
 __do_sys_read fs/read_write.c:629 [inline]
 __se_sys_read fs/read_write.c:627 [inline]
 __x64_sys_read+0xdb/0x120 fs/read_write.c:627
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Uninit was created at:
 slab_post_alloc_hook mm/slab.h:524 [inline]
 slab_alloc_node mm/slub.c:3251 [inline]
 __kmalloc_node_track_caller+0xe0c/0x1510 mm/slub.c:4974
 kmalloc_reserve net/core/skbuff.c:354 [inline]
 __alloc_skb+0x545/0xf90 net/core/skbuff.c:426
 alloc_skb include/linux/skbuff.h:1126 [inline]
 netlink_dump+0x3d5/0x16a0 net/netlink/af_netlink.c:2245
 __netlink_dump_start+0xd1c/0xee0 net/netlink/af_netlink.c:2370
 netlink_dump_start include/linux/netlink.h:254 [inline]
 inet_diag_handler_cmd+0x2e7/0x400 net/ipv4/inet_diag.c:1343
 sock_diag_rcv_msg+0x24a/0x620
 netlink_rcv_skb+0x447/0x800 net/netlink/af_netlink.c:2491
 sock_diag_rcv+0x63/0x80 net/core/sock_diag.c:276
 netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]
 netlink_unicast+0x1095/0x1360 net/netlink/af_netlink.c:1345
 netlink_sendmsg+0x16f3/0x1870 net/netlink/af_netlink.c:1916
 sock_sendmsg_nosec net/socket.c:704 [inline]
 sock_sendmsg net/socket.c:724 [inline]
 sock_write_iter+0x594/0x690 net/socket.c:1057
 do_iter_readv_writev+0xa7f/0xc70
 do_iter_write+0x52c/0x1500 fs/read_write.c:851
 vfs_writev fs/read_write.c:924 [inline]
 do_writev+0x63f/0xe30 fs/read_write.c:967
 __do_sys_writev fs/read_write.c:1040 [inline]
 __se_sys_writev fs/read_write.c:1037 [inline]
 __x64_sys_writev+0xe5/0x120 fs/read_write.c:1037
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Bytes 68-71 of 312 are uninitialized
Memory access of size 312 starts at ffff88812ab54000
Data copied to user address 0000000020001440

CPU: 1 PID: 6365 Comm: syz-executor801 Not tainted 5.16.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011

AI-Powered Analysis

Last updated: 06/30/2025, 15:12:44 UTC

Technical Analysis

CVE-2021-47597 is a kernel information leak in the Linux kernel's inet_diag subsystem, the netlink-based socket diagnostic interface. The UDP diagnostic path did not initialize the idiag_expires field of the record that the kernel fills in and copies to user space, so the bytes at that position carried whatever the recycled kernel allocation previously held. Kernel Memory Sanitizer (KMSAN) flagged the uninitialized bytes at the point where the netlink reply was copied to user space (the report above shows bytes 68-71 of a 312-byte message).

Because socket diagnostic queries can be issued by unprivileged local users and require no user interaction, an unprivileged process can read residual kernel memory contents this way. Such contents may include kernel pointers or other data that helps defeat kernel security mechanisms or aids further exploitation. No exploits are known in the wild, but the flaw is a subtle and impactful kernel information leak.

The fix initializes idiag_expires in inet_sk_diag_fill(), the filler shared by all inet_diag users, so that other callers cannot repeat the omission. All kernel versions prior to the fix are affected; the issue was publicly disclosed in June 2024. The bug illustrates why kernel code that reports structures to user space must initialize every field it copies out.
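The defect the analysis describes is a record filled field by field into a recycled buffer, with one field never written. The following user-space C program is an added example, not kernel code and not the kernel's actual patch: it declares a local struct that mirrors the field order of the kernel's struct inet_diag_msg (assumed here to be 72 bytes with no padding), models the pre-fix UDP filler that skips idiag_expires and a post-fix filler that zeroes it, and detects the gap by running the filler over two differently poisoned buffers and diffing the results, a cheap stand-in for what KMSAN tracks with shadow memory. All sample field values are constructed. With a 16-byte netlink header in front of the record, the field's offset 52 lines up with the "Bytes 68-71 of 312" in the KMSAN report.

```c
/*
 * Added example (user-space model, not kernel code): why an unset struct
 * field becomes an infoleak, and a differential check that finds it.
 * Assumptions: 'struct diag_msg' mirrors the field order of the kernel's
 * struct inet_diag_msg and is 72 bytes with no padding; every sample
 * value below is constructed.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct diag_sockid {
    uint16_t sport;
    uint16_t dport;
    uint32_t src[4];
    uint32_t dst[4];
    uint32_t iface;
    uint32_t cookie[2];
};

struct diag_msg {
    uint8_t  family;
    uint8_t  state;
    uint8_t  timer;
    uint8_t  retrans;
    struct diag_sockid id;
    uint32_t expires;   /* idiag_expires: the field the UDP path left unset */
    uint32_t rqueue;
    uint32_t wqueue;
    uint32_t uid;
    uint32_t inode;
};

typedef void (*fill_fn)(struct diag_msg *r);

/* Models the pre-fix UDP path: every field except 'expires' is written. */
static void fill_udp_unfixed(struct diag_msg *r)
{
    r->family = 2;              /* AF_INET */
    r->state = 7;               /* constructed socket state code */
    r->timer = 0;
    r->retrans = 0;
    r->id.sport = 0x3500;       /* constructed sample ports */
    r->id.dport = 0x3500;
    memset(r->id.src, 0, sizeof r->id.src);
    memset(r->id.dst, 0, sizeof r->id.dst);
    r->id.src[0] = 0x0100007f;  /* bytes 7f 00 00 01 on a little-endian host */
    r->id.dst[0] = 0x0100007f;
    r->id.iface = 0;
    r->id.cookie[0] = 42;
    r->id.cookie[1] = 0;
    /* r->expires is deliberately not written: whatever the recycled
     * allocation held at that offset is what user space would receive. */
    r->rqueue = 0;
    r->wqueue = 0;
    r->uid = 1000;
    r->inode = 12345;
}

/* Models the fix the commit describes: the shared filler sets the field
 * itself, so no caller can forget it. */
static void fill_udp_fixed(struct diag_msg *r)
{
    fill_udp_unfixed(r);
    r->expires = 0;
}

/* Differential check: run the filler over two buffers pre-poisoned with
 * different patterns. A byte that still differs afterwards was never
 * written by the filler, i.e. it is uninitialised output. Returns the
 * count of such bytes; *first_off (if non-NULL) gets the offset of the
 * first one, or -1 when the output is fully initialised. */
static int uninit_bytes(fill_fn fill, int *first_off)
{
    struct diag_msg a, b;
    memset(&a, 0xAA, sizeof a);
    memset(&b, 0x55, sizeof b);
    fill(&a);
    fill(&b);

    const unsigned char *pa = (const unsigned char *)&a;
    const unsigned char *pb = (const unsigned char *)&b;
    int n = 0;
    if (first_off)
        *first_off = -1;
    for (size_t i = 0; i < sizeof a; i++) {
        if (pa[i] != pb[i]) {
            if (first_off && *first_off < 0)
                *first_off = (int)i;
            n++;
        }
    }
    return n;
}

/* Convenience wrapper: offset of the first uninitialised byte, or -1. */
static int first_uninit_offset(fill_fn fill)
{
    int off;
    uninit_bytes(fill, &off);
    return off;
}

int main(void)
{
    printf("unfixed: %d uninitialised byte(s), first at offset %d "
           "(expires field sits at offset %zu)\n",
           uninit_bytes(fill_udp_unfixed, NULL),
           first_uninit_offset(fill_udp_unfixed),
           offsetof(struct diag_msg, expires));
    printf("fixed:   %d uninitialised byte(s)\n",
           uninit_bytes(fill_udp_fixed, NULL));
    return 0;
}
```

The two-pattern diff is the same reasoning a reviewer applies by hand to any copy-to-user path: every byte of the output must be traceable to an explicit write, and the safest place for that write is the shared filler rather than each caller.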

Potential Impact

For European organizations, this vulnerability matters wherever vulnerable Linux kernel versions run, especially on servers, cloud infrastructure, and embedded devices that use UDP sockets and expose socket diagnostic tooling. The leak lets unprivileged local users, or attackers who have already obtained limited access, read residual kernel memory contents, which can help with privilege escalation or with bypassing kernel security features such as KASLR (Kernel Address Space Layout Randomization) and so lead to further compromise of critical systems, data breaches, or service disruption. Organizations whose critical services run on Linux, including telecommunications, finance, government, and cloud providers, are at risk if they have not applied patches. Multi-tenant cloud environments, where unprivileged users share a kernel, face an additional risk of cross-tenant information leakage. The vulnerability does not by itself allow remote code execution or denial of service, but the information disclosure can be a stepping stone for more severe attacks. The impact on confidentiality is therefore moderate to high, while integrity and availability impacts are indirect but possible when combined with other exploits.

Mitigation Recommendations

European organizations should take the following specific mitigation steps:

1) Identify all Linux systems running kernel versions prior to the fix for CVE-2021-47597, focusing on servers, cloud instances, and embedded devices using UDP sockets.
2) Apply the official Linux kernel patches that initialize the idiag_expires field properly, or upgrade to a kernel version that includes the fix.
3) Where immediate patching is not feasible, restrict unprivileged user access to diagnostic interfaces such as netlink sockets and inet_diag tools to limit exposure.
4) Monitor kernel logs and audit diagnostic socket usage to detect unusual or unauthorized queries that might indicate exploitation attempts.
5) Employ kernel hardening techniques such as Kernel Page Table Isolation (KPTI), and enable Kernel Memory Sanitizer (KMSAN) in development or testing environments to detect similar issues proactively.
6) Coordinate with cloud providers to ensure the underlying infrastructure is patched and secure.
7) Educate system administrators about the risks of kernel information leaks and the importance of timely patching.

These actions go beyond generic advice by focusing on UDP socket diagnostic interfaces and on unprivileged user access controls.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-05-24T15:11:00.734Z
CISA Enriched: true
CVSS Version: null
State: PUBLISHED

Threat ID: 682d9833c4522896dcbe9558

Added to database: 5/21/2025, 9:09:07 AM

Last enriched: 6/30/2025, 3:12:44 PM

Last updated: 8/12/2025, 8:19:48 AM

