CVE-2021-46952
📋 TL;DR
This vulnerability in the Linux kernel's NFS implementation allows an attacker to trigger a shift out-of-bounds error by passing a maliciously large 'retrans' mount option when mounting an NFS share over UDP. This could lead to kernel memory corruption or system crashes. Systems using NFS over UDP with custom mount options are affected.
💻 Affected Systems
- Linux kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →⚠️ Risk & Real-World Impact
Worst Case
Kernel panic leading to denial of service, or potential kernel memory corruption that could be leveraged for privilege escalation.
Likely Case
System crash or kernel panic when mounting NFS shares with malicious retrans values, causing denial of service.
If Mitigated
Mount operation fails with error, preventing exploitation.
🎯 Exploit Status
Syzkaller fuzzer discovered this vulnerability. Exploitation requires ability to mount NFS shares with custom options.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Kernel versions with commits 2f3380121d49e829fb73ba86240c181bc32ad897 or equivalent backports
Vendor Advisory: https://git.kernel.org/stable/c/2f3380121d49e829fb73ba86240c181bc32ad897
Restart Required: Yes
Instructions:
1. Update Linux kernel to patched version from your distribution vendor. 2. Reboot system to load new kernel.
🔧 Temporary Workarounds
Disable NFS over UDP
linuxConfigure NFS to use TCP only instead of UDP transport
mount -t nfs -o proto=tcp server:/share /mountpoint
Restrict NFS mount privileges
linuxLimit who can mount NFS shares using sudoers or other access controls
🧯 If You Can't Patch
- Disable NFS UDP mounts entirely by removing UDP support from NFS configuration
- Implement strict input validation for NFS mount options in wrapper scripts
🔍 How to Verify
Check if Vulnerable:
Check kernel version and if NFS UDP is enabled: uname -r && cat /proc/fs/nfsd/portlistCheck Version:
uname -rVerify Fix Applied:
Verify kernel version is patched and test mounting with retrans=64 should fail with error📡 Detection & Monitoring
Log Indicators:
- Kernel panic logs
- NFS mount failures with large retrans values
- System crash reports
Network Indicators:
- Unexpected NFS mount attempts with unusual options
SIEM Query:
source="kernel" AND ("panic" OR "oops") AND "nfs"🔗 References
- https://git.kernel.org/stable/c/2f3380121d49e829fb73ba86240c181bc32ad897
- https://git.kernel.org/stable/c/3d0163821c035040a46d816a42c0780f0f0a30a8
- https://git.kernel.org/stable/c/96fa26b74cdcf9f5c98996bf36bec9fb5b19ffe2
- https://git.kernel.org/stable/c/c09f11ef35955785f92369e25819bf0629df2e59
- https://git.kernel.org/stable/c/2f3380121d49e829fb73ba86240c181bc32ad897
- https://git.kernel.org/stable/c/3d0163821c035040a46d816a42c0780f0f0a30a8
- https://git.kernel.org/stable/c/96fa26b74cdcf9f5c98996bf36bec9fb5b19ffe2
- https://git.kernel.org/stable/c/c09f11ef35955785f92369e25819bf0629df2e59
