CVE-2021-47371
📋 TL;DR
A memory leak vulnerability in the Linux kernel's nexthop notification chain allows unregistered listeners to retain references to nexthop objects, causing kernel memory exhaustion. This affects systems using specific network drivers like mlxsw, netdevsim, and VXLAN that register with the nexthop notification chain. The vulnerability requires local access or ability to trigger driver reload operations.
💻 Affected Systems
- Linux kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
⚠️ Risk & Real-World Impact
Worst Case
Sustained exploitation could lead to kernel memory exhaustion, causing system instability, crashes, or denial of service through resource depletion.
Likely Case
Memory leaks accumulate during network configuration changes or driver reloads, gradually degrading system performance until the kernel OOM killer terminates processes or the system becomes unresponsive.
If Mitigated
With proper access controls, impact is limited to authorized users performing network configuration operations, causing localized performance issues rather than system-wide compromise.
🎯 Exploit Status
Exploitation requires ability to execute privileged network configuration commands (ip nexthop, devlink reload) and use of affected network drivers. Discovered via syzkaller fuzzing.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Kernel patches: 3106a0847525befe3e22fc723909d1b21eb0d520 and 741760fa6252628a3d3afad439b72437d4b123d9
Vendor Advisory: https://git.kernel.org/stable/c/3106a0847525befe3e22fc723909d1b21eb0d520
Restart Required: Yes
Instructions:
1. Apply kernel patches 3106a0847525befe3e22fc723909d1b21eb0d520 and 741760fa6252628a3d3afad439b72437d4b123d9.
2. Recompile kernel if using custom build.
3. Reboot system to load patched kernel.
🔧 Temporary Workarounds
Restrict network configuration privileges
Limit access to the ip and devlink commands to prevent triggering the vulnerability
sudo chmod 750 /sbin/ip
sudo chmod 750 /sbin/devlink
sudo setcap -r /sbin/ip
sudo setcap -r /sbin/devlink
Avoid devlink reload operations
Temporarily avoid using devlink dev reload commands on affected network interfaces
# Do not execute: devlink dev reload pci/0000:06:00.0
🧯 If You Can't Patch
- Restrict access to network configuration tools (ip, devlink) to essential administrators only
- Monitor kernel memory usage and restart systems showing abnormal memory growth patterns
🔍 How to Verify
Check if Vulnerable:
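/proc/version reports only the release string and build details, never the hashes of the commits a kernel contains, so grepping it for the fix commits always prints 'Potentially vulnerable'. Instead, take the running release from uname -r and check whether the changelog for that release (kernel.org stable or your distribution's kernel package) includes fix commit 3106a0847525befe3e22fc723909d1b21eb0d520 or 741760fa6252628a3d3afad439b72437d4b123d9.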
Check Version:
uname -r && cat /proc/version
Verify Fix Applied:
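After rebooting, confirm with uname -r that the running release is one whose changelog includes fix commit 3106a0847525befe3e22fc723909d1b21eb0d520 or 741760fa6252628a3d3afad439b72437d4b123d9. /proc/version does not list commit hashes, so grepping it for them cannot confirm the fix.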
📡 Detection & Monitoring
Log Indicators:
- Kernel OOM killer messages in dmesg
- Abnormal slab memory growth in /proc/meminfo
- Repeated devlink reload operations in system logs
Network Indicators:
- Unusual nexthop configuration changes from non-standard users
SIEM Query:
source="kernel" AND ("Out of memory" OR "oom-killer" OR "slab") AND ("nexthop" OR "mlxsw" OR "netdevsim" OR "vxlan")
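
One way to automate the slab-growth indicator listed under Log Indicators, as an added example that is not part of the original advisory: it reads SUnreclaim (the /proc/meminfo field for unreclaimable slab memory, where leaked slab objects show up) and flags a series of samples that never shrinks and grows past a threshold. The function names, the 4096 kB threshold and all sample values are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: flag sustained SUnreclaim growth across /proc/meminfo samples.

# Print the SUnreclaim value (kB) from meminfo-formatted text on stdin.
sunreclaim_kb() {
    awk '$1 == "SUnreclaim:" { print $2; found = 1 } END { exit !found }'
}

# sample_sunreclaim COUNT INTERVAL_SECONDS
# Emit COUNT live SUnreclaim samples, one per line, oldest first.
sample_sunreclaim() {
    i=0
    while [ "$i" -lt "$1" ]; do
        sunreclaim_kb < /proc/meminfo
        i=$((i + 1))
        if [ "$i" -lt "$1" ]; then sleep "$2"; fi
    done
}

# slab_growth_verdict MIN_GROWTH_KB
# stdin: one SUnreclaim sample (kB) per line, oldest first.
# LEAK_SUSPECTED only when no sample is lower than its predecessor
# and the total growth reaches MIN_GROWTH_KB.
slab_growth_verdict() {
    awk -v min="$1" '
        NR == 1 { first = $1 + 0 }
        NR > 1 && ($1 + 0) < prev { shrank = 1 }
        { prev = $1 + 0; n = NR }
        END {
            if (n < 2) { print "INSUFFICIENT_DATA"; exit }
            growth = prev - first
            verdict = (!shrank && growth >= min) ? "LEAK_SUSPECTED" : "OK"
            printf "%s samples=%d growth_kb=%d\n", verdict, n, growth
        }'
}

# Constructed sample data (not captured from a real host).
SAMPLE_MEMINFO='MemTotal:       16316412 kB
Slab:             412336 kB
SReclaimable:     221096 kB
SUnreclaim:       191240 kB'
LEAKY_SAMPLES="81240 83512 86020 88764 91300"    # grows on every sample
STABLE_SAMPLES="81240 81980 80712 81404 81100"   # normal fluctuation

# Offline demo on the constructed series.
printf '%s\n' $LEAKY_SAMPLES | slab_growth_verdict 4096
printf '%s\n' $STABLE_SAMPLES | slab_growth_verdict 4096
```

On a live host, `sample_sunreclaim 12 300 | slab_growth_verdict 4096` evaluates an hour of five-minute samples; tune the window and threshold to the host's normal slab churn.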