CVE-2021-47557

5.5 MEDIUM

📋 TL;DR

A NULL pointer dereference vulnerability in the Linux kernel's Enhanced Transmission Selection (ETS) queuing discipline allows local attackers to cause a kernel panic and system crash. This affects systems using the sch_ets scheduler with DRR classes. The vulnerability is triggered when the number of DRR classes decreases while packets are being processed.

💻 Affected Systems

Products:
  • Linux kernel
Versions: Kernel versions with sch_ets support up to the fix versions
Operating Systems: Linux distributions using affected kernel versions
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when sch_ets queuing discipline is configured and DRR classes are modified. Not enabled by default.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

⚠️ Risk & Real-World Impact

🔴 Worst Case

Local attacker causes kernel panic leading to denial of service, potentially requiring physical or remote console access to restore system functionality.

🟠 Likely Case

System crash requiring reboot, causing service disruption and potential data loss for in-flight network operations.

🟢 If Mitigated

Minimal impact with proper access controls preventing local users from modifying network queuing configurations.

🌐 Internet-Facing: LOW - Requires local access to trigger, not remotely exploitable.
🏢 Internal Only: MEDIUM - Local users or processes with CAP_NET_ADMIN capabilities can trigger the crash, affecting system stability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires local access and CAP_NET_ADMIN capabilities to modify network queuing configurations. Trigger requires specific timing conditions during DRR class reduction.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Fixed in kernel commits: ae2659d2c670252759ee9c823c4e039c0e05a6f2, de6d25924c2a8c2988c6a385990cafbe742061bf, e25bdbc7e951ae5728fee1f4c09485df113d013c

Vendor Advisory: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=ae2659d2c670252759ee9c823c4e039c0e05a6f2

Restart Required: Yes

Instructions:

1. Update Linux kernel to version containing the fix.
2. Check distribution-specific security advisories.
3. Reboot system to load new kernel.

🔧 Temporary Workarounds

Disable sch_ets queuing discipline

linux

Remove or avoid using the Enhanced Transmission Selection queuing discipline

# Check if sch_ets is in use:
tc qdisc show
# Remove ETS qdisc:
tc qdisc del dev <interface> root

Restrict CAP_NET_ADMIN capabilities

linux

Limit which users/processes can modify network queuing configurations

# Remove file capabilities (such as CAP_NET_ADMIN) from a binary:
setcap -r /path/to/binary
# Or use SELinux/AppArmor policies

🧯 If You Can't Patch

  • Restrict local user access to systems using sch_ets
  • Implement strict change control for network configuration modifications

🔍 How to Verify

Check if Vulnerable:

Check kernel version and if sch_ets module is loaded: lsmod | grep sch_ets

Check Version:

uname -r

Verify Fix Applied:

Verify kernel version includes fix commits or check with distribution package manager

📡 Detection & Monitoring

Log Indicators:

  • Kernel panic logs with NULL pointer dereference at ets_qdisc_dequeue
  • System crash/reboot events following network configuration changes

Network Indicators:

  • Sudden loss of network connectivity on affected interfaces

SIEM Query:

search 'kernel: BUG: kernel NULL pointer dereference' AND 'ets_qdisc_dequeue'
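When each kernel log line is ingested as its own event, the oops header and the faulting function name sit on different lines, so a single-event AND match can miss the crash. The following is an added example, not part of the original advisory: it counts oops blocks whose NULL-dereference header is followed by an ets_qdisc_dequeue frame. The function names, the WINDOW setting and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: correlate the NULL-dereference oops header with an
# ets_qdisc_dequeue frame inside the same oops block.
# Intended use: dmesg | count_ets_oops   or   journalctl -k -o cat | count_ets_oops

# WINDOW (assumption): maximum lines after the BUG header that are searched.
WINDOW=${WINDOW:-40}

count_ets_oops() {
    awk -v window="$WINDOW" '
        # Oops header opens a search window.
        /BUG: kernel NULL pointer dereference/ { left = window; next }
        left > 0 {
            left--
            # The end-trace marker closes the oops block.
            if (/---\[ end trace/) { left = 0; next }
            # A frame in the ETS dequeue path marks this oops as a match.
            if (/ets_qdisc_dequeue/) { hits++; left = 0 }
        }
        END { print hits + 0 }
    '
}

# Constructed sample log: one unrelated oops, one stray mention outside
# any oops block, and one oops in the ETS dequeue path.
sample_log() {
    cat <<'EOF'
[  101.000001] BUG: kernel NULL pointer dereference, address: 0000000000000008
[  101.000002] RIP: 0010:example_other_func+0x10/0x40
[  101.000003] ---[ end trace 0000000000000001 ]---
[  250.000001] note mentioning ets_qdisc_dequeue outside any oops
[  300.000001] BUG: kernel NULL pointer dereference, address: 0000000000000018
[  300.000002] #PF: supervisor read access in kernel mode
[  300.000003] RIP: 0010:ets_qdisc_dequeue+0x0/0x0 [sch_ets]
[  300.000004] Call Trace:
[  300.000005]  __qdisc_run+0x0/0x0
[  300.000006] ---[ end trace 0000000000000002 ]---
EOF
}

# Stand-alone run on the constructed sample: prints 1
sample_log | count_ets_oops
```
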
