CVE-2021-47591

5.5 MEDIUM

📋 TL;DR

A NULL pointer dereference in the Linux kernel's MPTCP socket layer: calling setsockopt(SOL_TCP, TCP_ULP) on an MPTCP socket that has fallen back to plain TCP (the peer did not negotiate MPTCP) crashes the kernel. MPTCP already uses the TCP ULP hook internally to attach its subflows, so a user-requested ULP cannot coexist with it; the fix rejects TCP_ULP on MPTCP sockets. Any local process that can create sockets can trigger it on a kernel with MPTCP enabled, so the impact is a local denial of service. It is not reachable remotely.

💻 Affected Systems

Products:
  • Linux Kernel
Versions: Linux kernels with MPTCP support up to the fix, which landed during the 5.16 release cycle (syzbot reproduced the crash on 5.16-rc2, so that release candidate is itself affected); stable branches that backported the fix commit are not affected
Operating Systems: Linux distributions with vulnerable kernel versions
Default Config Vulnerable: ⚠️ Depends on the kernel build (see Notes)
Notes: Only affects kernels built with CONFIG_MPTCP and running with net.mptcp.enabled=1. The upstream default for that sysctl is 1 once MPTCP is compiled in, so exposure follows the distribution's kernel config rather than a separate opt-in; check the running value (sysctl net.mptcp.enabled) instead of assuming it is off.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Kernel panic leading to system crash and denial of service, potentially disrupting critical services.

🟠

Likely Case

Local denial of service through kernel crash, requiring system reboot to restore functionality.

🟢

If Mitigated

Minimal impact if MPTCP is disabled or systems are patched, as exploitation requires local access.

🌐 Internet-Facing: LOW - Exploitation requires local access, not remotely exploitable.
🏢 Internal Only: MEDIUM - Local users or compromised accounts could crash systems, but requires specific MPTCP configuration.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Syzbot found the crash while fuzzing, and its trace is quoted in the fix commit, so a reproducer exists. Triggering it needs no privilege beyond creating sockets: a local process opens an IPPROTO_MPTCP socket on a kernel with net.mptcp.enabled=1, gets it into fallback mode (the peer does not negotiate MPTCP), and calls setsockopt(SOL_TCP, TCP_ULP). The outcome is a kernel crash (denial of service).

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Linux kernel 5.16 and later (the fix merged during the 5.16 release cycle, after 5.16-rc2, which is the kernel syzbot crashed), plus stable kernels that backported the commit below

Fix commit: https://git.kernel.org/stable/c/3de0c86d42f841d1d64f316cd949e65c566f0734

Restart Required: Yes

Instructions:

1. Update to Linux kernel 5.16 or later.
2. On distribution or stable kernels, install the build that backports commit 3de0c86d42f841d1d64f316cd949e65c566f0734; check the vendor advisory or package changelog, since the version string alone does not show backports.
3. Reboot to load the new kernel. The change is internal to the kernel, so no application changes are needed. Until the reboot, keep the sysctl workaround below in place.

🔧 Temporary Workarounds

Disable MPTCP

linux

Disable MPTCP socket creation at runtime with the net.mptcp.enabled sysctl. This does not change the kernel build; it makes socket(AF_INET, SOCK_STREAM, IPPROTO_MPTCP) fail, so the vulnerable setsockopt path is unreachable for new sockets. Applications that request IPPROTO_MPTCP get an error at socket creation instead of a transparent fallback, so test anything that depends on MPTCP, and restart services that already hold MPTCP sockets, because the sysctl is checked only when a socket is created.

sysctl -w net.mptcp.enabled=0                                            # takes effect immediately, lost at reboot
printf 'net.mptcp.enabled = 0\n' > /etc/sysctl.d/99-disable-mptcp.conf   # persists; avoids duplicate lines appended to sysctl.conf
sysctl --system                                                          # reload every sysctl.d fragment

Restrict setsockopt permissions

linux

SELinux's setopt permission and AppArmor's network rules are granted per socket class or address family, not per socket option, so neither can single out TCP_ULP. The closest control is a seccomp-bpf filter on untrusted services that denies socket() with protocol IPPROTO_MPTCP, or setsockopt() with level SOL_TCP and optname TCP_ULP. The sysctl above is simpler and covers every process on the host.

🧯 If You Can't Patch

  • Disable MPTCP: sysctl -w net.mptcp.enabled=0, persisted in /etc/sysctl.d or passed on the kernel command line as sysctl.net.mptcp.enabled=0
  • Where MPTCP must stay on, keep untrusted code off the host: the trigger needs only an unprivileged process able to create sockets, so every local account and any compromised service counts

🔍 How to Verify

Check if Vulnerable:

Run uname -r and sysctl net.mptcp.enabled. A kernel older than 5.16 with MPTCP enabled is vulnerable unless the vendor backported the fix; distribution kernels keep their version string when they do, so a pre-5.16 version alone is not proof either way. If net.mptcp.enabled is 0, or the sysctl does not exist (CONFIG_MPTCP off), the crash path is unreachable.

Check Version:

uname -r

Verify Fix Applied:

On an upstream kernel, uname -r reporting 5.16 or later is enough. On a distribution kernel, confirm that the installed package carries commit 3de0c86d42f841d1d64f316cd949e65c566f0734 through the vendor's advisory for CVE-2021-47591 or the package changelog; the version string does not show backports.
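
The two checks above combined into one script, as an added example (not part of the advisory or of the kernel project): it reads the running kernel version and the net.mptcp.enabled knob, compares the version against 5.16 with "-rcN" sorting below the final release, and prints a verdict that spells out the backport caveat. The function and verdict names are this example's own; the kernel version strings used in the comments are constructed.

```sh
#!/bin/sh
# Exposure check for CVE-2021-47591 (added example, not from the advisory).
# Two facts decide exposure: is MPTCP compiled in and switched on, and does the
# running kernel predate the fix. Paths and the version string are parameters so
# the functions can be driven with constructed inputs.

# kver_key VERSION: map a kernel release string to one integer so versions can
# be compared with -lt. "-rcN" sorts below the final release (rc=9999 for a
# final), and distro suffixes such as "-91-generic" are ignored.
kver_key() {
    ver=$1 rc=9999 min=0 patch=0
    case $ver in *-rc[0-9]*) rc=${ver#*-rc}; rc=${rc%%[!0-9]*} ;; esac
    base=${ver%%-*}
    maj=${base%%.*}
    case $base in
        *.*.*) rest=${base#*.}; min=${rest%%.*}; patch=${rest#*.} ;;
        *.*)   min=${base#*.} ;;
    esac
    min=${min%%[!0-9]*} patch=${patch%%[!0-9]*}
    echo $(( ((maj * 1000 + ${min:-0}) * 1000 + ${patch:-0}) * 10000 + rc ))
}

# kver_lt A B: true if kernel version A is older than B.
kver_lt() { [ "$(kver_key "$1")" -lt "$(kver_key "$2")" ]; }

# mptcp_state [PROCFILE]: "absent" when the kernel exposes no net.mptcp.enabled
# knob (CONFIG_MPTCP off, so the code is not there), "disabled" for 0,
# "enabled" otherwise.
mptcp_state() {
    f=${1:-/proc/sys/net/mptcp/enabled}
    if [ ! -r "$f" ]; then echo absent; return; fi
    case $(cat "$f") in 0) echo disabled ;; *) echo enabled ;; esac
}

# assess [KVER] [PROCFILE]: one-line verdict. A version check alone cannot prove
# a distribution kernel is unpatched, since stable trees backport the commit
# without changing the version string; the verdict says so.
assess() {
    kver=${1:-$(uname -r)}
    state=$(mptcp_state "$2")
    if [ "$state" != enabled ]; then
        echo "not-exposed: MPTCP $state on kernel $kver"
    elif kver_lt "$kver" 5.16; then
        echo "possibly-vulnerable: MPTCP enabled on kernel $kver (predates 5.16); confirm whether the vendor backported commit 3de0c86d42f841d1d64f316cd949e65c566f0734"
    else
        echo "fixed-upstream: MPTCP enabled on kernel $kver (5.16 or later carries the fix)"
    fi
}

assess "$@"
```

Run it with no arguments on the host being checked; pass a version string and a file path (for example, assess 5.15.0-91-generic /tmp/enabled) to exercise it against constructed inputs. Treat "possibly-vulnerable" as a prompt to read the vendor advisory, not as a finding on its own.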

📡 Detection & Monitoring

Log Indicators:

  • A kernel oops whose backtrace passes through tcp_set_ulp (the TCP_ULP setsockopt handler) and mptcp_setsockopt. On production kernels it is reported as "BUG: kernel NULL pointer dereference"; the "KASAN: null-ptr-deref" form quoted from syzbot appears only on kernels built with KASAN.
  • Unexplained reboots. A full panic may never reach disk, so the previous boot's kernel log (journalctl -k -b -1) either ends in the setsockopt oops or ends abruptly; only kdump, pstore or netconsole preserve the trace reliably.
  • Where syscall auditing is in place, an unprivileged process calling setsockopt on an IPPROTO_MPTCP socket shortly before the crash.

Network Indicators:

  • None that are reliable. The trigger is a local system call; the fallback precondition only needs the MPTCP socket to connect to a peer that does not negotiate MPTCP, which any plain TCP listener on loopback provides, so nothing distinctive needs to cross the network.

SIEM Query:

(message:"KASAN: null-ptr-deref" OR message:"BUG: kernel NULL pointer dereference") AND (message:"tcp_set_ulp" OR message:"mptcp_setsockopt")

Match on the oops text, not on a process name: syz-executor is the fuzzer that found the bug, and an attacker's binary is called whatever they choose.
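
The same correlation as a script that runs over raw kernel log lines, as an added example (not part of the advisory): a NULL-dereference header on its own is generic, so an oops is only counted when, within a window of lines after the header, the backtrace shows both tcp_set_ulp and mptcp_setsockopt. The sample log embedded below is constructed for the example (offsets, PIDs and process names are invented); the function name is this example's own.

```sh
#!/bin/sh
# Log scan for the CVE-2021-47591 crash signature (added example, not from the
# advisory). Kernel oops output spans many lines; correlate the header with the
# frames of the TCP_ULP setsockopt path that follow it.

# count_mptcp_ulp_oops [WINDOW] < kernel-log : prints how many oopses match.
# Default window: 40 lines after the header.
count_mptcp_ulp_oops() {
    awk -v window="${1:-40}" '
        # Header line: KASAN form (debug kernels) or the plain form production
        # kernels print for the same fault. Start a new correlation window.
        /KASAN: null-ptr-deref/ || /BUG: kernel NULL pointer dereference/ {
            open = NR + window; seen_ulp = 0; seen_mptcp = 0; next
        }
        NR <= open && /tcp_set_ulp/          { seen_ulp = 1 }
        NR <= open && /mptcp_setsockopt/     { seen_mptcp = 1 }
        NR <= open && seen_ulp && seen_mptcp { hits++; open = 0 }
        END { print hits + 0 }
    '
}

# Constructed sample (not a real capture): one oops shaped like the trigger for
# this CVE, then an unrelated NULL dereference in a driver probe routine that
# must not be counted.
SAMPLE_DMESG='[  212.881233] KASAN: null-ptr-deref in range [0x0000000000000020-0x0000000000000027]
[  212.881240] CPU: 1 PID: 1083 Comm: badsock Not tainted 5.16.0-rc2 #1
[  212.881244] Oops: 0000 [#1] PREEMPT SMP KASAN
[  212.881250] Call Trace:
[  212.881252]  tcp_set_ulp+0x4a/0x1c0
[  212.881255]  do_tcp_setsockopt+0x455/0x900
[  212.881258]  mptcp_setsockopt+0x1b47/0x2400
[  212.881261]  __sys_setsockopt+0x2db/0x610
[  212.881264]  do_syscall_64+0x35/0xb0
[  400.100000] BUG: kernel NULL pointer dereference, address: 0000000000000010
[  400.100005] CPU: 0 PID: 2211 Comm: modprobe Not tainted 5.16.0-rc2 #1
[  400.100010] Call Trace:
[  400.100012]  example_probe+0x1a/0x40
[  400.100015]  really_probe+0x1c6/0x3f0'

# Expected: 1 (the MPTCP oops counts, the driver oops does not).
printf '%s\n' "$SAMPLE_DMESG" | count_mptcp_ulp_oops
```

Against a real host, feed it the previous boot's kernel messages (journalctl -k -b -1 | count_mptcp_ulp_oops), since the machine rebooted after the crash. If the panic kept the journal from flushing, the trace survives only where kdump, pstore or netconsole is configured, which is worth setting up before you need it.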
