CVE-2021-46954
📋 TL;DR
This is a stack out-of-bounds read vulnerability in the Linux kernel's network scheduler when fragmenting IPv4 packets. It allows attackers to read kernel stack memory, potentially leaking sensitive information or causing denial of service. Systems running affected Linux kernel versions with specific network configurations are vulnerable.
💻 Affected Systems
- Linux kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →⚠️ Risk & Real-World Impact
Worst Case
Kernel memory disclosure leading to information leakage, privilege escalation, or system crash/panic.
Likely Case
Denial of service through kernel panic or system instability when processing specially crafted network packets.
If Mitigated
Limited impact if proper network segmentation and filtering prevent malicious packets from reaching vulnerable systems.
🎯 Exploit Status
Exploitation requires network access and ability to send specially crafted packets to systems with specific tc configurations.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Fixed in kernel commits: 018bb8da5b5888e19585f9b802f036afe643fcef, 31fe34a0118e0acc958c802e830ad5d37ef6b1d3, 8e6dfb7beeb6489ac1365b8a71052e737f5da76e
Vendor Advisory: https://git.kernel.org/stable/c/018bb8da5b5888e19585f9b802f036afe643fcef
Restart Required: Yes
Instructions:
1. Update Linux kernel to version containing the fix. 2. Check distribution-specific security advisories. 3. Reboot system after kernel update.
🔧 Temporary Workarounds
Disable vulnerable tc actions
linuxRemove or disable 'act_mirred' and 'act_ct' tc actions if not required
tc qdisc del dev <interface> root
Review and remove tc filter rules using act_mirred/act_ct
Network filtering
linuxBlock fragmented IPv4 packets at network boundaries
iptables -A INPUT -f -j DROP
nft add rule ip filter input ip frag-off != 0 drop
🧯 If You Can't Patch
- Implement strict network segmentation to limit exposure
- Deploy network intrusion prevention systems to detect/block exploitation attempts
🔍 How to Verify
Check if Vulnerable:
Check kernel version and if tc rules use act_mirred/act_ct: uname -r && tc filter showCheck Version:
uname -rVerify Fix Applied:
Verify kernel version is patched and test with packet fragmentation scenarios📡 Detection & Monitoring
Log Indicators:
- Kernel panic logs
- KASAN stack-out-of-bounds warnings in dmesg
- Network interface errors
Network Indicators:
- Unusual fragmented IPv4 packet patterns
- Traffic to systems with specific tc configurations
SIEM Query:
source="kernel" AND ("KASAN" OR "stack-out-of-bounds" OR "panic")🔗 References
- https://git.kernel.org/stable/c/018bb8da5b5888e19585f9b802f036afe643fcef
- https://git.kernel.org/stable/c/31fe34a0118e0acc958c802e830ad5d37ef6b1d3
- https://git.kernel.org/stable/c/8e6dfb7beeb6489ac1365b8a71052e737f5da76e
- https://git.kernel.org/stable/c/018bb8da5b5888e19585f9b802f036afe643fcef
- https://git.kernel.org/stable/c/31fe34a0118e0acc958c802e830ad5d37ef6b1d3
- https://git.kernel.org/stable/c/8e6dfb7beeb6489ac1365b8a71052e737f5da76e
