CVE-2021-47243
📋 TL;DR
A buffer read vulnerability in the Linux kernel's CAKE (Common Applications Kept Enhanced) queuing discipline allows reading one byte out of bounds when parsing TCP options. This could lead to kernel memory disclosure or crashes. Systems using Linux kernels with CAKE qdisc enabled are affected.
💻 Affected Systems
- Linux kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →⚠️ Risk & Real-World Impact
Worst Case
Kernel panic leading to denial of service, or potential information disclosure from kernel memory
Likely Case
System crash or instability when processing malformed TCP packets with CAKE enabled
If Mitigated
Minimal impact if CAKE is not used or proper packet filtering is in place
🎯 Exploit Status
Exploitation requires sending specially crafted TCP packets to a system with CAKE enabled
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Kernel versions containing commits 3371392c60e2, 3b491dd593d5, 4cefa061fc63, 595897ef118d, or ba91c49dedbd
Vendor Advisory: https://git.kernel.org/stable/c/3371392c60e2685af30bd4547badd880f5df2b3f
Restart Required: Yes
Instructions:
1. Update Linux kernel to patched version from your distribution. 2. Reboot system to load new kernel.
🔧 Temporary Workarounds
Disable CAKE qdisc
linuxRemove CAKE configuration from network interfaces
tc qdisc del dev <interface> root cake
Check with: tc qdisc show
🧯 If You Can't Patch
- Disable CAKE qdisc on all network interfaces
- Implement network filtering to block malformed TCP packets at perimeter
🔍 How to Verify
Check if Vulnerable:
Check if CAKE is configured: tc qdisc show | grep cakeCheck Version:
uname -rVerify Fix Applied:
Check kernel version against patched versions from your distribution📡 Detection & Monitoring
Log Indicators:
- Kernel panic logs
- System crash dumps
- Network interface errors
Network Indicators:
- Malformed TCP packets with unusual option lengths
SIEM Query:
Search for kernel panic events or network interface errors on systems with CAKE configured🔗 References
- https://git.kernel.org/stable/c/3371392c60e2685af30bd4547badd880f5df2b3f
- https://git.kernel.org/stable/c/3b491dd593d582ceeb27aa617600712a6bd14246
- https://git.kernel.org/stable/c/4cefa061fc63f4d2dff5ab4083f43857cd7a2335
- https://git.kernel.org/stable/c/595897ef118d6fe66690c4fc5b572028c9da95b7
- https://git.kernel.org/stable/c/ba91c49dedbde758ba0b72f57ac90b06ddf8e548
- https://git.kernel.org/stable/c/3371392c60e2685af30bd4547badd880f5df2b3f
- https://git.kernel.org/stable/c/3b491dd593d582ceeb27aa617600712a6bd14246
- https://git.kernel.org/stable/c/4cefa061fc63f4d2dff5ab4083f43857cd7a2335
- https://git.kernel.org/stable/c/595897ef118d6fe66690c4fc5b572028c9da95b7
- https://git.kernel.org/stable/c/ba91c49dedbde758ba0b72f57ac90b06ddf8e548
