CVE-2021-47131

7.8 HIGH

📋 TL;DR

A use-after-free vulnerability in the Linux kernel's TLS offload implementation allows attackers to potentially execute arbitrary code or cause system crashes. This affects Linux systems using TLS hardware offload on network devices. The vulnerability triggers when a network interface with active TLS connections goes down and back up while connections remain active.

💻 Affected Systems

Products:
  • Linux kernel
Versions: Kernel versions with TLS offload support before the fix commits (specific versions vary by distribution)
Operating Systems: Linux distributions using affected kernel versions
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when TLS hardware offload is enabled and actively used on network interfaces.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...


⚠️ Risk & Real-World Impact

🔴

Worst Case

Kernel memory corruption leading to arbitrary code execution with kernel privileges, system crashes, or data leakage.

🟠

Likely Case

System instability, kernel panics, or denial of service affecting TLS-enabled network connections.

🟢

If Mitigated

Minimal impact if patched or if TLS hardware offload is disabled.

🌐 Internet-Facing: MEDIUM - Requires specific TLS offload configuration and network interface state changes.
🏢 Internal Only: MEDIUM - Same technical requirements as internet-facing, but internal systems may have different configurations.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: HIGH

Exploitation requires control over network interface state changes and timing with active TLS connections.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Kernel versions containing commits: 0f1e6fe66977a864fe850522316f713d7b926fd9, c55dcdd435aa6c6ad6ccac0a4c636d010ee367a4, f1d4184f128dede82a59a841658ed40d4e6d3aa2

Vendor Advisory: https://git.kernel.org/stable/c/0f1e6fe66977a864fe850522316f713d7b926fd9

Restart Required: Yes

Instructions:

1. Update Linux kernel to patched version from your distribution.
2. Reboot system to load new kernel.
3. Verify kernel version after reboot.

🔧 Temporary Workarounds

Disable TLS hardware offload

linux

Prevent use of vulnerable TLS offload functionality by disabling hardware acceleration

ethtool -K <interface> tls-hw-tx-offload off
ethtool -K <interface> tls-hw-rx-offload off

🧯 If You Can't Patch

  • Disable TLS hardware offload on all network interfaces
  • Avoid bringing network interfaces with active TLS connections down and up while connections are active

🔍 How to Verify

Check if Vulnerable:

Check if TLS offload is enabled: ethtool -k <interface> | grep tls-hw

Check Version:

uname -r

Verify Fix Applied:

Verify kernel version includes fix commits or is newer than vulnerable versions
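
The exposure check above, scripted as an added example (not part of the advisory or the kernel sources): it parses `ethtool -k` output and reports which `tls-hw-*` features are on for each interface. The function names, the `--audit` switch and the sample output are constructed for illustration; `tls-hw-record` is an ethtool feature name that this page does not mention.

```shell
#!/bin/sh
# Added example: report TLS hardware offload state per interface.

# Constructed sample of `ethtool -k <interface>` output (not from a real host).
SAMPLE_FEATURES='Features for eth0:
rx-checksumming: on
tx-checksumming: on
tls-hw-tx-offload: on
tls-hw-rx-offload: off
tls-hw-record: off [fixed]'

# Read `ethtool -k` output on stdin and print
# "<feature> <on|off> <fixed|changeable>" for every tls-hw-* feature line.
tls_offload_state() {
    awk -F': *' '/^[ \t]*tls-hw-/ {
        name = $1; sub(/^[ \t]+/, "", name)
        split($2, v, " ")
        print name, v[1], (v[2] == "[fixed]" ? "fixed" : "changeable")
    }'
}

# Exit 0 when at least one tls-hw-* feature is "on" (offload in use is the
# precondition the advisory names), exit 1 otherwise.
tls_offload_enabled() {
    tls_offload_state | awk '$2 == "on" { hit = 1 } END { exit !hit }'
}

# Walk the host's interfaces and list those with TLS offload switched on.
audit_host() {
    for dev in /sys/class/net/*; do
        iface=${dev##*/}
        if ethtool -k "$iface" 2>/dev/null | tls_offload_enabled; then
            echo "$iface: TLS hardware offload enabled, kernel $(uname -r)"
        fi
    done
}

# Run against the live host only when asked, so the file can be sourced safely.
if [ "${1:-}" = "--audit" ]; then
    audit_host
fi
```

A feature reported as `fixed` cannot be changed with `ethtool -K`, so an interface showing `off fixed` for every TLS feature needs no workaround.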

📡 Detection & Monitoring

Log Indicators:

  • Kernel panic logs
  • Use-after-free kernel messages
  • TLS connection failures after interface state changes

Network Indicators:

  • Unexpected TLS connection resets
  • Network interface flapping with active TLS sessions

SIEM Query:

kernel: *use-after-free* AND (tls OR ktls)
