CVE-2021-47598: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

sch_cake: do not call cake_destroy() from cake_init()

qdiscs are not supposed to call their own destroy() method from init(), because core stack already does that.

syzbot was able to trigger use after free:

DEBUG_LOCKS_WARN_ON(lock->magic != lock)
WARNING: CPU: 0 PID: 21902 at kernel/locking/mutex.c:586 __mutex_lock_common kernel/locking/mutex.c:586 [inline]
WARNING: CPU: 0 PID: 21902 at kernel/locking/mutex.c:586 __mutex_lock+0x9ec/0x12f0 kernel/locking/mutex.c:740
Modules linked in:
CPU: 0 PID: 21902 Comm: syz-executor189 Not tainted 5.16.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__mutex_lock_common kernel/locking/mutex.c:586 [inline]
RIP: 0010:__mutex_lock+0x9ec/0x12f0 kernel/locking/mutex.c:740
Code: 08 84 d2 0f 85 19 08 00 00 8b 05 97 38 4b 04 85 c0 0f 85 27 f7 ff ff 48 c7 c6 20 00 ac 89 48 c7 c7 a0 fe ab 89 e8 bf 76 ba ff <0f> 0b e9 0d f7 ff ff 48 8b 44 24 40 48 8d b8 c8 08 00 00 48 89 f8
RSP: 0018:ffffc9000627f290 EFLAGS: 00010282
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: ffff88802315d700 RSI: ffffffff815f1db8 RDI: fffff52000c4fe44
RBP: ffff88818f28e000 R08: 0000000000000000 R09: 0000000000000000
R10: ffffffff815ebb5e R11: 0000000000000000 R12: 0000000000000000
R13: dffffc0000000000 R14: ffffc9000627f458 R15: 0000000093c30000
FS: 0000555556abc400(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fda689c3303 CR3: 000000001cfbb000 CR4: 0000000000350ef0
Call Trace:
<TASK>
tcf_chain0_head_change_cb_del+0x2e/0x3d0 net/sched/cls_api.c:810
tcf_block_put_ext net/sched/cls_api.c:1381 [inline]
tcf_block_put_ext net/sched/cls_api.c:1376 [inline]
tcf_block_put+0xbc/0x130 net/sched/cls_api.c:1394
cake_destroy+0x3f/0x80 net/sched/sch_cake.c:2695
qdisc_create.constprop.0+0x9da/0x10f0 net/sched/sch_api.c:1293
tc_modify_qdisc+0x4c5/0x1980 net/sched/sch_api.c:1660
rtnetlink_rcv_msg+0x413/0xb80 net/core/rtnetlink.c:5571
netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2496
netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]
netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1345
netlink_sendmsg+0x904/0xdf0 net/netlink/af_netlink.c:1921
sock_sendmsg_nosec net/socket.c:704 [inline]
sock_sendmsg+0xcf/0x120 net/socket.c:724
____sys_sendmsg+0x6e8/0x810 net/socket.c:2409
___sys_sendmsg+0xf3/0x170 net/socket.c:2463
__sys_sendmsg+0xe5/0x1b0 net/socket.c:2492
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f1bb06badb9
Code: Unable to access opcode bytes at RIP 0x7f1bb06bad8f.
RSP: 002b:00007fff3012a658 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f1bb06badb9
RDX: 0000000000000000 RSI: 00000000200007c0 RDI: 0000000000000003
RBP: 0000000000000000 R08: 0000000000000003 R09: 0000000000000003
R10: 0000000000000003 R11: 0000000000000246 R12: 00007fff3012a688
R13: 00007fff3012a6a0 R14: 00007fff3012a6e0 R15: 00000000000013c2
</TASK>
AI Analysis
Technical Summary
CVE-2021-47598 is a vulnerability identified in the Linux kernel's sch_cake (Controlled Delay Active Queue Management) module, specifically related to improper handling of the cake_destroy() function call during cake_init(). The root cause is that the queuing disciplines (qdiscs) in the Linux kernel are not supposed to invoke their own destroy() method from their initialization routine because the core networking stack already manages the destruction process. This incorrect behavior leads to a use-after-free condition, where memory is freed prematurely and then accessed again, causing undefined behavior and potential kernel crashes. The vulnerability was discovered and triggered by syzbot, an automated kernel fuzzer, which produced kernel warnings and lock-related errors indicating a race or memory corruption issue. The stack trace shows that the problem occurs during the modification of qdiscs via rtnetlink messages, which are used for network configuration. This vulnerability affects the Linux kernel versions identified by the given commit hashes and is related to the network scheduling subsystem. Although no CVSS score has been assigned, the vulnerability allows for kernel memory corruption, which can lead to denial of service (system crashes) or potentially privilege escalation if exploited further. The vulnerability does not require user interaction but does require the ability to send netlink messages to modify qdiscs, which typically requires elevated privileges or local access. No known exploits are currently reported in the wild, but the issue is critical enough to warrant patching due to the kernel-level impact and the potential for system instability or compromise.
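The double cleanup described above, as an added userspace model (not kernel code and not part of the original advisory): the core create path calls destroy() after a failed init(), so an init() that also calls destroy() makes the second call touch an already released block, which is the cake_destroy frame under qdisc_create in the trace. All model_* names are hypothetical, and a flag stands in for the freed memory so the program stays well defined.

```c
#include <stdio.h>
/* Constructed userspace model; every model_* name is hypothetical. */
struct model_qdisc {
    int has_block;        /* init took the filter block reference */
    int block_released;   /* block already put; its memory would be freed */
    int destroy_calls;
    int stale_uses;       /* block touched after release = use after free */
};

/* Shape of cake_destroy() in the trace: it releases the block each call. */
static void model_destroy(struct model_qdisc *q)
{
    q->destroy_calls++;
    if (q->has_block && q->block_released)
        q->stale_uses++;  /* kernel: DEBUG_LOCKS_WARN_ON(lock->magic != lock) */
    q->block_released = q->has_block;
}

static int model_init_buggy(struct model_qdisc *q, int fail_late)
{
    q->has_block = 1;
    if (fail_late) {
        model_destroy(q); /* the bug: init() runs its own destroy() */
        return -1;
    }
    return 0;
}

static int model_init_fixed(struct model_qdisc *q, int fail_late)
{
    q->has_block = 1;
    return fail_late ? -1 : 0; /* report only; the core does the cleanup */
}

/* Shape of the core create path: on init failure the core calls destroy(). */
static struct model_qdisc model_create(int fixed, int fail_late)
{
    int (*init)(struct model_qdisc *, int) = fixed ? model_init_fixed : model_init_buggy;
    struct model_qdisc q = {0};
    if (init(&q, fail_late) != 0)
        model_destroy(&q);
    return q;
}

int main(void)
{
    struct model_qdisc b = model_create(0, 1), f = model_create(1, 1);
    printf("buggy: destroy=%d stale=%d; fixed: destroy=%d stale=%d\n",
           b.destroy_calls, b.stale_uses, f.destroy_calls, f.stale_uses);
}
```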
Potential Impact
For European organizations, this vulnerability poses a significant risk primarily to servers, network appliances, and embedded systems running vulnerable Linux kernel versions with the sch_cake module enabled. The impact includes potential denial of service through kernel crashes, which can disrupt critical services such as web hosting, cloud infrastructure, and telecommunications. In environments where attackers have local access or can send crafted netlink messages (e.g., via compromised containers or virtual machines), there is a risk of privilege escalation or further kernel exploitation. This is particularly concerning for cloud providers and enterprises relying on Linux-based infrastructure for critical operations. The vulnerability could affect data confidentiality and integrity indirectly if attackers leverage it to gain higher privileges or disrupt system availability. Given the widespread use of Linux in European data centers, telecom networks, and industrial control systems, unpatched systems could face operational disruptions and increased attack surface.
Mitigation Recommendations
European organizations should immediately verify their Linux kernel versions and apply the official patches or kernel updates that address CVE-2021-47598. Since the vulnerability involves the sch_cake qdisc, administrators should audit network configurations to identify if this module is in use and consider disabling or replacing it temporarily if patching is delayed. Restricting access to netlink interfaces is critical; organizations should enforce strict access controls and limit the ability to modify qdiscs to trusted administrators only. Employing kernel hardening techniques such as SELinux or AppArmor policies to restrict network configuration changes can reduce exploitation risk. Monitoring kernel logs for unusual netlink activity or kernel warnings related to mutex locks can provide early detection. For cloud environments, isolating workloads and minimizing privileged container capabilities can mitigate risk. Finally, organizations should maintain an up-to-date inventory of Linux kernel versions across their infrastructure and implement automated patch management to rapidly deploy fixes.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-05-24T15:11:00.734Z
- Cisa Enriched: true
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9834c4522896dcbe9576
Added to database: 5/21/2025, 9:09:08 AM
Last enriched: 6/30/2025, 3:12:56 PM
Last updated: 7/30/2025, 8:47:39 PM