CVE-2021-47148
📋 TL;DR
A buffer overflow vulnerability in the Linux kernel's octeontx2-pf driver allows local attackers to corrupt kernel memory. This affects systems using Marvell OcteonTX2 network adapters with the vulnerable driver. Attackers with local access can potentially escalate privileges or crash the system.
💻 Affected Systems
- Linux kernel with octeontx2-pf driver
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →⚠️ Risk & Real-World Impact
Worst Case
Local privilege escalation to root, kernel panic causing system crash, or arbitrary code execution in kernel context.
Likely Case
Kernel panic leading to denial of service, or limited memory corruption affecting system stability.
If Mitigated
No impact if proper access controls prevent local users from executing ethtool commands or if the vulnerable driver is not loaded.
🎯 Exploit Status
Exploitation requires local access and ability to call ethtool_set_rxfh() with malicious input. No public exploits known as of analysis.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Fixed in kernel commits 389146bc6d2bbb20714d06624b74856320ce40f7 and e5cc361e21648b75f935f9571d4003aaee480214
Vendor Advisory: https://git.kernel.org/stable/c/389146bc6d2bbb20714d06624b74856320ce40f7
Restart Required: Yes
Instructions:
1. Update Linux kernel to version containing the fix commits. 2. Check with your distribution for specific patched kernel versions. 3. Reboot system to load patched kernel.
🔧 Temporary Workarounds
Disable octeontx2-pf driver
linuxPrevent loading of vulnerable driver if OcteonTX2 hardware is not required
echo 'blacklist octeontx2-pf' >> /etc/modprobe.d/blacklist.conf
rmmod octeontx2-pf
Restrict ethtool access
linuxLimit which users can execute ethtool commands via sudo or capabilities
chmod 750 /sbin/ethtool
setcap cap_net_admin=ep /sbin/ethtool
🧯 If You Can't Patch
- Implement strict access controls to prevent local users from executing ethtool commands
- Monitor for suspicious ethtool usage or kernel panic events
🔍 How to Verify
Check if Vulnerable:
Check if octeontx2-pf driver is loaded: lsmod | grep octeontx2-pf. Check kernel version against distribution security advisories.Check Version:
uname -rVerify Fix Applied:
Verify kernel version includes fix commits or is newer than vulnerable versions. Check with: uname -r📡 Detection & Monitoring
Log Indicators:
- Kernel panic messages
- System crashes or reboots
- ethtool command execution in audit logs
Network Indicators:
- None - local exploitation only
SIEM Query:
source="kernel" AND "panic" OR source="audit" AND "ethtool" AND "rxfh"