CVE-2021-47402
📋 TL;DR
This is a use-after-free vulnerability in the Linux kernel's flower classifier (cls_flower) within the traffic control subsystem. It allows local attackers to cause memory corruption, potentially leading to system crashes or privilege escalation. Systems running vulnerable Linux kernel versions with traffic control features enabled are affected.
💻 Affected Systems
- Linux kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
⚠️ Risk & Real-World Impact
Worst Case
Local privilege escalation to root, kernel panic causing system crash, or arbitrary code execution in kernel context.
Likely Case
Kernel panic leading to denial of service (system crash) or memory corruption causing unpredictable system behavior.
If Mitigated
Limited to denial of service if exploit attempts fail or are contained by kernel protections like KASAN.
🎯 Exploit Status
Requires local access and knowledge of traffic control subsystem. The KASAN trace suggests race condition exploitation is needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Fixed in kernel commits: 694b0cee7f8546b69a80996a29cb3cf4149c0453 and related stable backports
Vendor Advisory: https://git.kernel.org/stable/c/694b0cee7f8546b69a80996a29cb3cf4149c0453
Restart Required: Yes
Instructions:
1. Update Linux kernel to patched version from your distribution.
2. For Red Hat/CentOS: yum update kernel.
3. For Ubuntu/Debian: apt update && apt upgrade linux-image.
4. Reboot system to load new kernel.
🔧 Temporary Workarounds
Disable flower classifier module
Linux: Unload the cls_flower kernel module if not needed
rmmod cls_flower
Restrict tc command access
Linux: Limit which users can run traffic control commands
chmod 750 /sbin/tc
setcap -r /sbin/tc
🧯 If You Can't Patch
- Implement strict access controls to prevent unauthorized users from running tc commands
- Monitor for suspicious tc command usage and kernel panic logs
🔍 How to Verify
Check if Vulnerable:
Check kernel version: uname -r and compare with distribution security advisories. Check if cls_flower module is loaded: lsmod | grep cls_flower
Check Version:
uname -r
Verify Fix Applied:
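Verify kernel version is patched: uname -r should show a version that includes the fix. The config files under /boot do not record commit IDs, so searching them for 694b0cee7f8546b69a80996a29cb3cf4149c0453 will not match even on a patched kernel; confirm the commit or its stable backport against your distribution's kernel changelog or security advisory instead.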
📡 Detection & Monitoring
Log Indicators:
- Kernel panic messages
- KASAN use-after-free reports in dmesg
- Multiple tc command executions from unusual users
Network Indicators:
- None - local exploitation only
SIEM Query:
source="kernel" AND ("KASAN: use-after-free" OR "cls_flower" OR "fl_walk")
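The SIEM query above matches any line containing one of its three terms, so a log line that merely mentions cls_flower also fires. The script below is an added example, not part of the advisory: it reports only KASAN use-after-free reports that themselves name fl_walk or cls_flower. The function names, the 60-line fallback window and the sample log are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): correlate the page's log indicators.

# Read kernel log text on stdin and print the header line of every KASAN
# use-after-free report that also names fl_walk or cls_flower. A report is the
# header plus the lines up to the "=====" delimiter KASAN prints at its end,
# or at most $1 following lines (default 60) if the delimiter never appears.
flower_uaf_reports() {
    awk -v window="${1:-60}" '
        function emit() { if (hdr != "" && hit) print hdr; hdr = ""; hit = 0 }
        /KASAN: use-after-free/ { emit(); hdr = $0; left = window }
        hdr != "" {
            if ($0 ~ /fl_walk|cls_flower/) hit = 1
            if ($0 ~ /====================/ || left-- <= 0) emit()
        }
        END { emit() }
    '
}

# Constructed sample log: timestamps, offsets, addresses and the example_*
# names are made up for this illustration.
sample_log() {
    cat <<'EOF'
[  100.000000] ==================================================================
[  100.000001] BUG: KASAN: use-after-free in fl_walk+0x11/0x22 [cls_flower]
[  100.000002] Read of size 4 at addr ffff888000000000 by task tc/1234
[  100.000003] ==================================================================
[  200.000000] ==================================================================
[  200.000001] BUG: KASAN: use-after-free in example_fn+0x10/0x20 [example_mod]
[  200.000002] Call Trace:
[  200.000003]  example_caller+0x5/0x9
[  200.000004] ==================================================================
[  300.000001] example: cls_flower mentioned outside any KASAN report
[  400.000000] ==================================================================
[  400.000001] BUG: KASAN: use-after-free in example_fn2+0x1/0x2
[  400.000002] Call Trace:
[  400.000003]  fl_walk+0x11/0x22 [cls_flower]
[  400.000004] ==================================================================
EOF
}

# Demo on the constructed sample; on a live host pipe the kernel log in instead.
sample_log | flower_uaf_reports
```

On a host, feed it the kernel log, for example: dmesg | flower_uaf_reports.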
🔗 References
- https://git.kernel.org/stable/c/694b0cee7f8546b69a80996a29cb3cf4149c0453
- https://git.kernel.org/stable/c/d0d520c19e7ea19ed38dc5797b12397b6ccf9f88
- https://git.kernel.org/stable/c/d5ef190693a7d76c5c192d108e8dec48307b46ee
- https://git.kernel.org/stable/c/dab4677bdbffa5c8270e79e34e51c89efa0728a0