CVE-2021-47418
📋 TL;DR
A NULL pointer dereference vulnerability in the Linux kernel's network scheduler allows local attackers to cause a kernel panic (denial of service) by manipulating traffic control (tc) queueing disciplines. This affects Linux systems where users have CAP_NET_ADMIN capabilities or root access. The vulnerability is triggered when changing queue parameters on network interfaces.
💻 Affected Systems
- Linux Kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
⚠️ Risk & Real-World Impact
Worst Case
Local attacker with CAP_NET_ADMIN privileges causes kernel panic leading to system crash and denial of service.
Likely Case
Local user or misconfigured application triggers kernel panic, causing service disruption until system reboot.
If Mitigated
Systems without local users or with restricted CAP_NET_ADMIN capabilities experience no impact.
🎯 Exploit Status
Syzbot provided reproducible test case. Exploitation requires local access with appropriate privileges.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Fixed in kernel commits: 08d7056e8e250fd2e67dbea5be5fdecdd75bf6b4, 0dd7ddc462b9c2d31eb5a9926a2cc63eaa3e9f52, 26af64d71b6277841285fa40e3f7164a378dfda9, 560ee196fe9e5037e5015e2cdb14b3aecb1cd7dc, acff2d182c0768a713cee77442caeb07668bd68f
Vendor Advisory: https://git.kernel.org/stable/c/
Restart Required: Yes
Instructions:
1. Update Linux kernel to patched version from your distribution vendor.
2. Reboot system to load new kernel.
3. Verify kernel version after reboot.
🔧 Temporary Workarounds
Restrict CAP_NET_ADMIN capabilities
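Limit which users and processes can modify network queueing disciplines
# Remove file capabilities from a binary that does not need them
# (setcap -r takes only the file name and clears its whole capability set)
setcap -r /path/to/binary
# Drop CAP_NET_ADMIN from the capability bounding set when launching a process
# (the system-wide /proc/sys/kernel/cap-bound file was removed in Linux 2.6.25)
capsh --drop=cap_net_admin -- -c '/path/to/app'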
Use namespaces to isolate network control
Run untrusted applications in network namespaces without CAP_NET_ADMIN on the host
# Create network namespace
ip netns add isolated_ns
# Run application in namespace
ip netns exec isolated_ns /path/to/app
🧯 If You Can't Patch
- Restrict local user access and monitor for suspicious tc command usage
- Implement strict capability management and audit CAP_NET_ADMIN usage
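One way to carry out the CAP_NET_ADMIN audit suggested above, as an added example that is not part of the original advisory: it decodes the `CapEff` mask in each `/proc/<pid>/status` file and lists processes whose effective set includes CAP_NET_ADMIN (capability number 12). The function names and the `run` argument are this example's own.

```shell
#!/bin/sh
# Added example: list processes that currently hold CAP_NET_ADMIN.
# CAP_NET_ADMIN is capability number 12 (linux/capability.h), so it is
# bit 12 (0x1000) of the hex masks shown in /proc/<pid>/status.

CAP_NET_ADMIN_BIT=12

# has_net_admin HEXMASK -> exit 0 if bit 12 is set, 1 if not, 2 if not hex
has_net_admin() {
    m=$(printf '%s' "$1" | tr -d '[:space:]')
    case "$m" in
        ''|*[!0-9a-fA-F]*) return 2 ;;
    esac
    [ $(( 0x$m & (1 << CAP_NET_ADMIN_BIT) )) -ne 0 ]
}

# capeff_from_status FILE -> prints the CapEff mask from a status file
capeff_from_status() {
    awk '$1 == "CapEff:" { print $2; exit }' "$1" 2>/dev/null
}

# audit_net_admin [PROCDIR] -> prints "pid<TAB>euid<TAB>name" per holder
audit_net_admin() {
    procdir=${1:-/proc}
    for status in "$procdir"/[0-9]*/status; do
        [ -r "$status" ] || continue          # process gone or no match
        mask=$(capeff_from_status "$status") || continue
        has_net_admin "$mask" || continue
        awk '$1 == "Name:" { name = $2 }      # first word of the comm
             $1 == "Pid:"  { pid = $2 }
             $1 == "Uid:"  { uid = $3 }       # third field = effective UID
             END { printf "%s\t%s\t%s\n", pid, uid, name }' "$status"
    done
}

# Run against the live /proc only when invoked as: sh script.sh run
if [ "${1:-}" = "run" ]; then
    audit_net_admin
fi
```

Anything listed with a non-zero effective UID, or that has no reason to reconfigure qdiscs, is a candidate for the capability restrictions described under Temporary Workarounds.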
🔍 How to Verify
Check if Vulnerable:
Check kernel version and if specific vulnerable commits are present. Use: 'uname -r' and check distribution security advisories.
Check Version:
uname -r
Verify Fix Applied:
Verify kernel version is updated to patched version and test tc commands no longer cause crashes.
📡 Detection & Monitoring
Log Indicators:
- Kernel panic logs mentioning 'fifo_set_limit' or NULL pointer dereference
- Audit logs showing tc command execution by unauthorized users
Network Indicators:
- Sudden loss of network connectivity on specific interfaces
SIEM Query:
source="kernel" AND ("NULL pointer dereference" OR "fifo_set_limit" OR "sch_fifo.c")
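The query above matches any NULL pointer dereference in the kernel log. A tighter check, added here as an example and not taken from the advisory, reports a fault only when `fifo_set_limit` appears in the trace that follows it. The sample log lines are constructed, and the 40-line window and function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: flag kernel oops blocks that implicate fifo_set_limit.
# A fault header opens a window of WINDOW lines; a hit is reported only if
# fifo_set_limit shows up inside that window, before the next fault header.

WINDOW=40   # assumption: an oops trace fits within 40 log lines

# scan_fifo_oops FILE -> prints "line <n>: <fault header>" per matching oops
scan_fifo_oops() {
    awk -v window="$WINDOW" '
        /NULL pointer dereference/ {
            start = NR; header = $0; reported = 0; next
        }
        start && NR - start <= window && /fifo_set_limit/ && !reported {
            printf "line %d: %s\n", start, header
            reported = 1
        }
    ' "$1"
}

# Constructed sample: an unrelated oops followed by one in fifo_set_limit.
# Symbols other than fifo_set_limit, and all offsets, are placeholders.
sample_log() {
    cat <<'EOF'
kernel: BUG: kernel NULL pointer dereference, address: 0000000000000010
kernel: RIP: 0010:example_driver_irq+0x1c/0x40
kernel: Call Trace:
kernel:  example_driver_probe+0x55/0x90
kernel: eth0: link up
kernel: BUG: kernel NULL pointer dereference, address: 0000000000000000
kernel: RIP: 0010:fifo_set_limit+0x2a/0xb0
kernel: Call Trace:
kernel:  example_caller+0x4b/0x1a0
EOF
}

# Scan a log file when one is given: sh script.sh /var/log/kern.log
if [ -n "${1:-}" ]; then
    scan_fifo_oops "$1"
fi
```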
🔗 References
- https://git.kernel.org/stable/c/08d7056e8e250fd2e67dbea5be5fdecdd75bf6b4
- https://git.kernel.org/stable/c/0dd7ddc462b9c2d31eb5a9926a2cc63eaa3e9f52
- https://git.kernel.org/stable/c/26af64d71b6277841285fa40e3f7164a378dfda9
- https://git.kernel.org/stable/c/560ee196fe9e5037e5015e2cdb14b3aecb1cd7dc
- https://git.kernel.org/stable/c/acff2d182c0768a713cee77442caeb07668bd68f
- https://git.kernel.org/stable/c/c951a3be5e8803e93bb49a0aca0d30457d3c1b67
- https://git.kernel.org/stable/c/d07098f45be868a9cdce6c616563c36c64dbbd87
- https://git.kernel.org/stable/c/fb58cd7991747b5e0b110c98c922d7b0e47a1f14