CVE-2021-47295
📋 TL;DR
This vulnerability is a memory leak in the Linux kernel's traffic control subsystem. It allows attackers to cause denial of service by exhausting kernel memory resources. Systems running affected Linux kernel versions with traffic control (tc) configurations are vulnerable.
💻 Affected Systems
- Linux kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →⚠️ Risk & Real-World Impact
Worst Case
Kernel memory exhaustion leading to system crash, instability, or denial of service affecting all processes.
Likely Case
Gradual performance degradation and potential system instability under specific traffic control operations.
If Mitigated
Minimal impact if traffic control features are not used or memory limits are enforced.
🎯 Exploit Status
Requires local access and CAP_NET_ADMIN capability. Memory leak can be triggered through tcindex operations.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Multiple stable kernel versions with commits: 01d0d2b8b4e3cf2110baba9371c0c3d04ad5c77b, 18c3fa7a7fdbb4d21dafc8a7710ae2c1680930f6, 372ae77cf11d11fb118cbe2d37def9dd5f826abd, 3abebc503a5148072052c229c6b04b329a420ecd, 53af9c793f644d5841d84d8e0ad83bd7ab47f3e0
Vendor Advisory: https://git.kernel.org/stable/c/
Restart Required: Yes
Instructions:
1. Update Linux kernel to patched version. 2. Check distribution-specific security advisories. 3. Reboot system after kernel update.
🔧 Temporary Workarounds
Restrict CAP_NET_ADMIN
linuxLimit which users/processes have CAP_NET_ADMIN capability to reduce attack surface
# Review current capabilities: getcap /usr/sbin/tc
# Remove CAP_NET_ADMIN: setcap -r /usr/sbin/tc
Disable traffic control features
linuxAvoid using tcindex classifier in traffic control configurations
# Check current tc configurations: tc filter show
# Remove tcindex filters if present
🧯 If You Can't Patch
- Implement strict access controls to limit CAP_NET_ADMIN capability
- Monitor system memory usage and kernel logs for signs of memory exhaustion
🔍 How to Verify
Check if Vulnerable:
Check kernel version and if traffic control is configured: uname -r && tc filter showCheck Version:
uname -rVerify Fix Applied:
Verify kernel version is updated and check for memory leak patterns in /proc/meminfo and kernel logs📡 Detection & Monitoring
Log Indicators:
- Kernel oom-killer messages
- Memory allocation failures in dmesg
- High kernel memory usage in system logs
Network Indicators:
- Unusual traffic control configuration changes
SIEM Query:
source="kernel" AND ("out of memory" OR "oom-killer" OR "memory allocation failure")🔗 References
- https://git.kernel.org/stable/c/01d0d2b8b4e3cf2110baba9371c0c3d04ad5c77b
- https://git.kernel.org/stable/c/18c3fa7a7fdbb4d21dafc8a7710ae2c1680930f6
- https://git.kernel.org/stable/c/372ae77cf11d11fb118cbe2d37def9dd5f826abd
- https://git.kernel.org/stable/c/3abebc503a5148072052c229c6b04b329a420ecd
- https://git.kernel.org/stable/c/53af9c793f644d5841d84d8e0ad83bd7ab47f3e0
- https://git.kernel.org/stable/c/7a6fb69bbcb21e9ce13bdf18c008c268874f0480
- https://git.kernel.org/stable/c/7c183dc0af472dec33d2c0786a5e356baa8cad19
- https://git.kernel.org/stable/c/8d7924ce85bae64e7a67c366c7c50840f49f3a62
- https://git.kernel.org/stable/c/8e9662fde6d63c78eb1350f6167f64c9d71a865b
- https://git.kernel.org/stable/c/cac71d27745f92ee13f0ecc668ffe151a4a9c9b1
- https://git.kernel.org/stable/c/f5051bcece50140abd1a11a2d36dc3ec5484fc32
- https://git.kernel.org/stable/c/8d7924ce85bae64e7a67c366c7c50840f49f3a62
- https://git.kernel.org/stable/c/8e9662fde6d63c78eb1350f6167f64c9d71a865b
- https://git.kernel.org/stable/c/cac71d27745f92ee13f0ecc668ffe151a4a9c9b1
- https://git.kernel.org/stable/c/f5051bcece50140abd1a11a2d36dc3ec5484fc32
