CVE-2021-47546

5.5 MEDIUM

📋 TL;DR

A memory leak in the Linux kernel's IPv6 routing subsystem allows attackers to cause denial of service through resource exhaustion. Only Linux systems with IPv6 enabled that combine a specific IPv6 nftables firewall rule with a routing suppression rule are affected.

💻 Affected Systems

Products:
  • Linux kernel
Versions: Kernel versions before the fix commits (specific versions vary by distribution)
Operating Systems: Linux distributions with vulnerable kernel versions
Default Config Vulnerable: ✅ No
Notes: Requires both: 1) Specific nftables rule with fib expression for IPv6, and 2) IPv6 routing rule with suppress_prefixlength. Not vulnerable by default.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system crash due to memory exhaustion, leading to denial of service and potential system instability.

🟠 Likely Case

Gradual performance degradation and eventual system instability as memory is consumed over time.

🟢 If Mitigated

Minimal impact if systems have memory limits or monitoring that detects abnormal consumption.

🌐 Internet-Facing: MEDIUM - Requires specific IPv6 firewall configuration and incoming IPv6 packets to trigger.
🏢 Internal Only: LOW - Requires specific local network configuration and IPv6 traffic patterns.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Reproduction steps are publicly documented. Exploitation requires sending IPv6 packets to trigger the leak.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Kernel versions that include commit 209d35ee34e25f9668c404350a1c86d914c54ffa or later

Vendor Advisory: https://git.kernel.org/stable/c/209d35ee34e25f9668c404350a1c86d914c54ffa

Restart Required: Yes

Instructions:

1. Update Linux kernel to patched version from your distribution.
2. Reboot system to load new kernel.
3. Verify kernel version matches patched release.

🔧 Temporary Workarounds

Remove vulnerable nftables rule

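Remove the specific nftables rule that triggers the memory leak. Substitute the table, chain and rule handle from your own ruleset for the names shown here; deleting the chain and table also removes any other rules they hold.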

sudo nft delete rule inet test test_chain handle <handle>
sudo nft delete chain inet test test_chain
sudo nft delete table inet test

Remove IPv6 routing suppression rule

Remove the IPv6 routing rule with suppress_prefixlength

sudo ip -6 rule del table main suppress_prefixlength 0

Disable IPv6

Completely disable IPv6 if not needed

echo 'net.ipv6.conf.all.disable_ipv6 = 1' | sudo tee -a /etc/sysctl.conf
sudo sysctl -p

🧯 If You Can't Patch

  • Remove the specific nftables fib rule for IPv6 that triggers the vulnerability
  • Monitor ip6_dst_cache slab usage and restart system if memory consumption becomes excessive

🔍 How to Verify

Check if Vulnerable:

Check whether both conditions exist: 1) nft list ruleset shows a fib rule for IPv6, 2) ip -6 rule show shows a suppress_prefixlength rule

Check Version:

uname -r

Verify Fix Applied:

Monitor slabtop -o | grep ip6_dst_cache while sending IPv6 packets - memory should not increase abnormally
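
The two-condition check and the ip6_dst_cache reading described above, as an added shell example that is not part of the original page. The function names, the matching patterns and the sample inputs are assumptions constructed for illustration; each function reads command output on stdin so the logic can be run offline.

```shell
#!/usr/bin/env bash
# Added example (not from the original page). Each function reads command
# output on stdin, so the logic can be exercised offline on saved text.

# True if an ip6 or inet table in `nft list ruleset` output uses a fib expression.
has_ipv6_fib_rule() {
    awk '
        $1 == "table" { fam = $2 }
        (fam == "ip6" || fam == "inet") && /(^|[ \t])fib (saddr|daddr|mark|iif|oif)/ { found = 1 }
        END { exit (found ? 0 : 1) }
    '
}

# True if `ip -6 rule show` output contains a suppress_prefixlength rule.
has_suppress_rule() {
    grep -Eq '(^|[[:space:]])suppress_prefixlength[[:space:]]+[0-9]+'
}

# Print the active object count of ip6_dst_cache from /proc/slabinfo-style text.
ip6_dst_cache_objs() {
    awk '$1 == "ip6_dst_cache" { print $2; found = 1 } END { if (!found) print 0 }'
}

# Both preconditions from the page must hold: $1 = nft ruleset, $2 = ip -6 rules.
check_exposure() {
    if printf '%s\n' "$1" | has_ipv6_fib_rule &&
       printf '%s\n' "$2" | has_suppress_rule; then
        echo exposed
    else
        echo not-exposed
    fi
}

# Constructed sample inputs, not captured from a real host.
SAMPLE_NFT='table inet test {
	chain test_chain {
		type filter hook prerouting priority filter; policy accept;
		fib saddr . iif oif missing drop
	}
}'
SAMPLE_RULES='0:	from all lookup local
32765:	from all lookup main suppress_prefixlength 0
32766:	from all lookup main'
SAMPLE_SLAB='ip6_dst_cache 412 450 256 15 1 : tunables 0 0 0 : slabdata 30 30 0'
check_exposure "$SAMPLE_NFT" "$SAMPLE_RULES"
# On a live host, as root:
#   check_exposure "$(nft list ruleset)" "$(ip -6 rule show)"
#   ip6_dst_cache_objs < /proc/slabinfo
```

Sampling ip6_dst_cache_objs at intervals and comparing the counts gives the growth trend that the slabtop check looks for.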

📡 Detection & Monitoring

Log Indicators:

  • Kernel oom-killer messages
  • System logs showing memory exhaustion

Network Indicators:

  • Abnormal IPv6 traffic patterns that could trigger the leak

SIEM Query:

source="kernel" AND ("oom-killer" OR "Out of memory" OR "slab allocation failure")
