CVE-2021-47426
📋 TL;DR
This CVE describes a memory leak vulnerability in the Linux kernel's BPF JIT compiler for s390 architecture. If triggered, it could cause kernel memory exhaustion over time, potentially leading to denial of service. Systems running Linux kernel with BPF JIT enabled on s390 architecture are affected.
💻 Affected Systems
- Linux Kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →⚠️ Risk & Real-World Impact
Worst Case
Sustained exploitation could exhaust kernel memory, causing system instability, crashes, or denial of service requiring reboot.
Likely Case
Gradual memory consumption leading to performance degradation and eventual system instability if vulnerable code paths are frequently triggered.
If Mitigated
Minimal impact with proper memory monitoring and restart procedures in place.
🎯 Exploit Status
Requires ability to load and execute BPF programs on the system, typically requiring CAP_BPF or CAP_SYS_ADMIN capabilities.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Multiple stable kernel versions with commits: 29fdb11ca88d3c490a3d56f0dc77eb9444d086be, 686cb8b9f6b46787f035afe8fbd132a74e6b1bdd, a326f9c01cfbee4450ae49ce618ae6cbc0f76842, d590a410e472417a22336c7c37685bfb38e801f2
Vendor Advisory: https://git.kernel.org/stable/c/29fdb11ca88d3c490a3d56f0dc77eb9444d086be
Restart Required: Yes
Instructions:
1. Update Linux kernel to patched version from your distribution vendor. 2. Reboot system to load new kernel. 3. Verify kernel version matches patched release.
🔧 Temporary Workarounds
Disable BPF JIT on s390
linuxDisable the BPF JIT compiler to prevent exploitation of this vulnerability
echo 0 > /proc/sys/net/core/bpf_jit_enable
Restrict BPF program loading
linuxLimit which users can load BPF programs using capabilities or SELinux/AppArmor
setcap -r /usr/bin/bpftool
chmod 750 /usr/bin/bpftool
🧯 If You Can't Patch
- Implement strict capability controls to prevent unprivileged BPF program loading
- Monitor kernel memory usage and implement automated alerts for abnormal consumption patterns
🔍 How to Verify
Check if Vulnerable:
Check if running on s390 architecture with BPF JIT enabled: cat /proc/sys/net/core/bpf_jit_enable should return 1 on s390/s390x systemsCheck Version:
uname -rVerify Fix Applied:
Check kernel version includes one of the fix commits: uname -r and verify with distribution patch notes📡 Detection & Monitoring
Log Indicators:
- Kernel oom-killer messages
- System memory exhaustion warnings in dmesg
- BPF program loading failures
Network Indicators:
- None - this is a local vulnerability
SIEM Query:
source="kernel" AND ("out of memory" OR "oom-killer" OR "BPF" AND "error")🔗 References
- https://git.kernel.org/stable/c/29fdb11ca88d3c490a3d56f0dc77eb9444d086be
- https://git.kernel.org/stable/c/686cb8b9f6b46787f035afe8fbd132a74e6b1bdd
- https://git.kernel.org/stable/c/a326f9c01cfbee4450ae49ce618ae6cbc0f76842
- https://git.kernel.org/stable/c/d590a410e472417a22336c7c37685bfb38e801f2
- https://git.kernel.org/stable/c/29fdb11ca88d3c490a3d56f0dc77eb9444d086be
- https://git.kernel.org/stable/c/686cb8b9f6b46787f035afe8fbd132a74e6b1bdd
- https://git.kernel.org/stable/c/a326f9c01cfbee4450ae49ce618ae6cbc0f76842
- https://git.kernel.org/stable/c/d590a410e472417a22336c7c37685bfb38e801f2
