CVE-2021-47598 – A use-after-free vulnerability in the Linux ker... (How to Fix)

Q: What is the severity of CVE-2021-47598?

CVE-2021-47598 has a CVSS score of 7.8 (HIGH). A use-after-free vulnerability in the Linux kernel's CAKE (Common Applications Kept Enhanced) qdisc scheduler allows local attackers to cause denial of service or potentially escalate privileges. The vulnerability occurs when cake_destroy() is incorrectly called from cake_init(), leading to memory corruption. This affects systems using the CAKE scheduler with unpatched Linux kernels.

📋 TL;DR

A use-after-free vulnerability in the Linux kernel's CAKE (Common Applications Kept Enhanced) qdisc scheduler allows local attackers to cause denial of service or potentially escalate privileges. The vulnerability occurs when cake_destroy() is incorrectly called from cake_init(), leading to memory corruption. This affects systems using the CAKE scheduler with unpatched Linux kernels.

💻 Affected Systems

Products:

Linux Kernel

Versions: Versions before the fix commits (specific versions vary by distribution, generally kernels before 5.16 with CAKE scheduler enabled)

Operating Systems: Linux distributions using vulnerable kernel versions

Default Config Vulnerable: ✅ No

Notes: Only vulnerable if CAKE qdisc scheduler is configured and used. Many systems may not have CAKE enabled by default.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Kernel panic leading to system crash, or potential privilege escalation allowing full system compromise.

🟠

Likely Case

System instability, kernel crashes, or denial of service affecting network traffic management.

🟢

If Mitigated

Limited impact if CAKE scheduler is not in use or proper access controls restrict local user privileges.

🌐 Internet-Facing: LOW - Requires local access to exploit, not directly reachable from network.

🏢 Internal Only: MEDIUM - Local users or compromised services could exploit this to disrupt system stability.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Syzbot found and reported the issue with a proof-of-concept. Exploitation requires local access and knowledge of triggering the vulnerable code path.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Fixed in kernel commits: 0d80462fbdcafd536dcad7569e65d3d14a7e9f2f, 20ad1ef02f9ad5e1dda9eeb113e4c158b4806986, 4e388232e630ebe4f94b4a0715ec98c0e2b314a3, ab443c53916730862cec202078d36fd4008bea79, f6deae2e2d83bd267e1986f5d71d8c458e18fd99

Vendor Advisory: https://git.kernel.org/stable/c/0d80462fbdcafd536dcad7569e65d3d14a7e9f2f

Restart Required: Yes

Instructions:

1. Update Linux kernel to version containing the fix commits. 2. Check distribution-specific security advisories for patched kernel packages. 3. Reboot system after kernel update.

🔧 Temporary Workarounds

Disable CAKE scheduler

linux

Remove or disable CAKE qdisc configuration if not required

tc qdisc del dev <interface> root cake
Check /etc/network/interfaces or network manager configurations for CAKE usage

🧯 If You Can't Patch

Restrict local user access to prevent exploitation
Monitor system logs for kernel panic or crash indicators

🔍 How to Verify

Check if Vulnerable:

Check kernel version and if CAKE is configured: uname -r and tc qdisc show

Check Version:

uname -r

Verify Fix Applied:

Verify kernel version is patched and check system logs for stability after update

📡 Detection & Monitoring

Log Indicators:

Kernel panic messages
Use-after-free warnings in dmesg
System crash/reboot logs

Network Indicators:

Unusual network scheduling behavior if CAQ is affected

SIEM Query:

source="kernel" AND ("panic" OR "use-after-free" OR "WARNING: CPU")

📊 Metadata

CVE ID: CVE-2021-47598

CVSS v3 Score: 7.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-416

Published: June 19, 2024

Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-47598, you might also want to check these: