{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2021-47106","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2024-03-04T18:12:48.835Z","datePublished":"2024-03-04T18:15:20.190Z","dateUpdated":"2025-05-04T07:04:17.759Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2025-05-04T07:04:17.759Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: fix use-after-free in nft_set_catchall_destroy()\n\nWe need to use list_for_each_entry_safe() iterator\nbecause we can not access @catchall after kfree_rcu() call.\n\nsyzbot reported:\n\nBUG: KASAN: use-after-free in nft_set_catchall_destroy net/netfilter/nf_tables_api.c:4486 [inline]\nBUG: KASAN: use-after-free in nft_set_destroy net/netfilter/nf_tables_api.c:4504 [inline]\nBUG: KASAN: use-after-free in nft_set_destroy+0x3fd/0x4f0 net/netfilter/nf_tables_api.c:4493\nRead of size 8 at addr ffff8880716e5b80 by task syz-executor.3/8871\n\nCPU: 1 PID: 8871 Comm: syz-executor.3 Not tainted 5.16.0-rc5-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106\n print_address_description.constprop.0.cold+0x8d/0x2ed mm/kasan/report.c:247\n __kasan_report mm/kasan/report.c:433 [inline]\n kasan_report.cold+0x83/0xdf mm/kasan/report.c:450\n nft_set_catchall_destroy net/netfilter/nf_tables_api.c:4486 [inline]\n nft_set_destroy net/netfilter/nf_tables_api.c:4504 [inline]\n nft_set_destroy+0x3fd/0x4f0 net/netfilter/nf_tables_api.c:4493\n __nft_release_table+0x79f/0xcd0 net/netfilter/nf_tables_api.c:9626\n nft_rcv_nl_event+0x4f8/0x670 net/netfilter/nf_tables_api.c:9688\n notifier_call_chain+0xb5/0x200 kernel/notifier.c:83\n blocking_notifier_call_chain kernel/notifier.c:318 [inline]\n blocking_notifier_call_chain+0x67/0x90 kernel/notifier.c:306\n netlink_release+0xcb6/0x1dd0 net/netlink/af_netlink.c:788\n __sock_release+0xcd/0x280 net/socket.c:649\n sock_close+0x18/0x20 net/socket.c:1314\n __fput+0x286/0x9f0 fs/file_table.c:280\n task_work_run+0xdd/0x1a0 kernel/task_work.c:164\n tracehook_notify_resume include/linux/tracehook.h:189 [inline]\n exit_to_user_mode_loop kernel/entry/common.c:175 [inline]\n exit_to_user_mode_prepare+0x27e/0x290 kernel/entry/common.c:207\n __syscall_exit_to_user_mode_work kernel/entry/common.c:289 [inline]\n syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:300\n do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86\n entry_SYSCALL_64_after_hwframe+0x44/0xae\nRIP: 0033:0x7f75fbf28adb\nCode: 0f 05 48 3d 00 f0 ff ff 77 45 c3 0f 1f 40 00 48 83 ec 18 89 7c 24 0c e8 63 fc ff ff 8b 7c 24 0c 41 89 c0 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 35 44 89 c7 89 44 24 0c e8 a1 fc ff ff 8b 44\nRSP: 002b:00007ffd8da7ec10 EFLAGS: 00000293 ORIG_RAX: 0000000000000003\nRAX: 0000000000000000 RBX: 0000000000000004 RCX: 00007f75fbf28adb\nRDX: 00007f75fc08e828 RSI: ffffffffffffffff RDI: 0000000000000003\nRBP: 00007f75fc08a960 R08: 0000000000000000 R09: 00007f75fc08e830\nR10: 00007ffd8da7ed10 R11: 0000000000000293 R12: 00000000002067c3\nR13: 00007ffd8da7ed10 R14: 00007f75fc088f60 R15: 0000000000000032\n </TASK>\n\nAllocated by task 8886:\n kasan_save_stack+0x1e/0x50 mm/kasan/common.c:38\n kasan_set_track mm/kasan/common.c:46 [inline]\n set_alloc_info mm/kasan/common.c:434 [inline]\n ____kasan_kmalloc mm/kasan/common.c:513 [inline]\n ____kasan_kmalloc mm/kasan/common.c:472 [inline]\n __kasan_kmalloc+0xa6/0xd0 mm/kasan/common.c:522\n kasan_kmalloc include/linux/kasan.h:269 [inline]\n kmem_cache_alloc_trace+0x1ea/0x4a0 mm/slab.c:3575\n kmalloc include/linux/slab.h:590 [inline]\n nft_setelem_catchall_insert net/netfilter/nf_tables_api.c:5544 [inline]\n nft_setelem_insert net/netfilter/nf_tables_api.c:5562 [inline]\n nft_add_set_elem+0x232e/0x2f40 net/netfilter/nf_tables_api.c:5936\n nf_tables_newsetelem+0x6ff/0xbb0 net/netfilter/nf_tables_api.c:6032\n nfnetlink_rcv_batch+0x1710/0x25f0 net/netfilter/nfnetlink.c:513\n nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:634 [inline]\n nfnetlink_rcv+0x3af/0x420 net/netfilter/nfnetlink.c:652\n netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]\n netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1345\n netlink_sendmsg+0x904/0xdf0 net/netlink/af_netlink.c:1921\n sock_sendmsg_nosec net/\n---truncated---"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/netfilter/nf_tables_api.c"],"versions":[{"version":"aaa31047a6d25da0fa101da1ed544e1247949b40","lessThan":"9d558e5f0d6fdd0a568f73dceb0b40c4f5012e5a","status":"affected","versionType":"git"},{"version":"aaa31047a6d25da0fa101da1ed544e1247949b40","lessThan":"0f7d9b31ce7abdbb29bf018131ac920c9f698518","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/netfilter/nf_tables_api.c"],"versions":[{"version":"5.13","status":"affected"},{"version":"0","lessThan":"5.13","status":"unaffected","versionType":"semver"},{"version":"5.15.12","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"5.16","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.13","versionEndExcluding":"5.15.12"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.13","versionEndExcluding":"5.16"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/9d558e5f0d6fdd0a568f73dceb0b40c4f5012e5a"},{"url":"https://git.kernel.org/stable/c/0f7d9b31ce7abdbb29bf018131ac920c9f698518"}],"title":"netfilter: nf_tables: fix use-after-free in nft_set_catchall_destroy()","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-04T05:24:39.888Z"},"title":"CVE Program Container","references":[{"url":"https://git.kernel.org/stable/c/9d558e5f0d6fdd0a568f73dceb0b40c4f5012e5a","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/0f7d9b31ce7abdbb29bf018131ac920c9f698518","tags":["x_transferred"]}]},{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2024-08-15T19:25:52.257046Z","id":"CVE-2021-47106","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2024-08-15T19:25:59.608Z"}}]}}