CVE-2021-47394

Published: May 21, 2024

Modified: May 11, 2026

PUBLISHED

Description

In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: unlink table before deleting it syzbot reports following UAF: BUG: KASAN: use-after-free in memcmp+0x18f/0x1c0 lib/string.c:955 nla_strcmp+0xf2/0x130 lib/nlattr.c:836 nft_table_lookup.part.0+0x1a2/0x460 net/netfilter/nf_tables_api.c:570 nft_table_lookup net/netfilter/nf_tables_api.c:4064 [inline] nf_tables_getset+0x1b3/0x860 net/netfilter/nf_tables_api.c:4064 nfnetlink_rcv_msg+0x659/0x13f0 net/netfilter/nfnetlink.c:285 netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2504 Problem is that all get operations are lockless, so the commit_mutex held by nft_rcv_nl_event() isn't enough to stop a parallel GET request from doing read-accesses to the table object even after synchronize_rcu(). To avoid this, unlink the table first and store the table objects in on-stack scratch space.

Vendor	Product	Versions
Linux	Linux	affected `6001a930ce0378b62210d4f83583fc88a903d89d - < f65c73d3aabb87d4353e0bc4a718b5ae8c43fd04` affected `6001a930ce0378b62210d4f83583fc88a903d89d - < a499b03bf36b0c2e3b958a381d828678ab0ffc5e`
Linux	Linux	affected `5.12` unaffected `0 - < 5.12` unaffected `5.14.10 - <= 5.14.` unaffected `5.15 - <= `

References

https://git.kernel.org/stable/c/f65c73d3aabb87d4353e0bc4a718b5ae8c43fd04

https://git.kernel.org/stable/c/a499b03bf36b0c2e3b958a381d828678ab0ffc5e

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2021-47394

Description

Affected Products

References