{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2021-47309","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2024-05-21T14:28:16.972Z","datePublished":"2024-05-21T14:35:27.981Z","dateUpdated":"2025-05-04T07:08:24.966Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2025-05-04T07:08:24.966Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: validate lwtstate->data before returning from skb_tunnel_info()\n\nskb_tunnel_info() returns pointer of lwtstate->data as ip_tunnel_info\ntype without validation. lwtstate->data can have various types such as\nmpls_iptunnel_encap, etc and these are not compatible.\nSo skb_tunnel_info() should validate before returning that pointer.\n\nSplat looks like:\nBUG: KASAN: slab-out-of-bounds in vxlan_get_route+0x418/0x4b0 [vxlan]\nRead of size 2 at addr ffff888106ec2698 by task ping/811\n\nCPU: 1 PID: 811 Comm: ping Not tainted 5.13.0+ #1195\nCall Trace:\n dump_stack_lvl+0x56/0x7b\n print_address_description.constprop.8.cold.13+0x13/0x2ee\n ? vxlan_get_route+0x418/0x4b0 [vxlan]\n ? vxlan_get_route+0x418/0x4b0 [vxlan]\n kasan_report.cold.14+0x83/0xdf\n ? vxlan_get_route+0x418/0x4b0 [vxlan]\n vxlan_get_route+0x418/0x4b0 [vxlan]\n [ ... ]\n vxlan_xmit_one+0x148b/0x32b0 [vxlan]\n [ ... ]\n vxlan_xmit+0x25c5/0x4780 [vxlan]\n [ ... ]\n dev_hard_start_xmit+0x1ae/0x6e0\n __dev_queue_xmit+0x1f39/0x31a0\n [ ... ]\n neigh_xmit+0x2f9/0x940\n mpls_xmit+0x911/0x1600 [mpls_iptunnel]\n lwtunnel_xmit+0x18f/0x450\n ip_finish_output2+0x867/0x2040\n [ ... ]"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["include/net/dst_metadata.h"],"versions":[{"version":"61adedf3e3f1d3f032c5a6a299978d91eff6d555","lessThan":"e7f3c9df40515a6c6b46f36c4c94cf48a043f887","status":"affected","versionType":"git"},{"version":"61adedf3e3f1d3f032c5a6a299978d91eff6d555","lessThan":"b61d327cd3cc5ea591f3bf751dd11e034f388bb5","status":"affected","versionType":"git"},{"version":"61adedf3e3f1d3f032c5a6a299978d91eff6d555","lessThan":"83bdcfbd968bcc91a0632b7b625e4a9b0cba5e0d","status":"affected","versionType":"git"},{"version":"61adedf3e3f1d3f032c5a6a299978d91eff6d555","lessThan":"8bb1589c89e61e3b182dd546f1021928ebb5c2a6","status":"affected","versionType":"git"},{"version":"61adedf3e3f1d3f032c5a6a299978d91eff6d555","lessThan":"8aa13a86964cdec4fd969ef677c6614ff068641a","status":"affected","versionType":"git"},{"version":"61adedf3e3f1d3f032c5a6a299978d91eff6d555","lessThan":"2179d96ec702cc33ead02a9ce40ece599b8538c5","status":"affected","versionType":"git"},{"version":"61adedf3e3f1d3f032c5a6a299978d91eff6d555","lessThan":"a915379594f1e045421635c6316d8f3ffa018c58","status":"affected","versionType":"git"},{"version":"61adedf3e3f1d3f032c5a6a299978d91eff6d555","lessThan":"67a9c94317402b826fc3db32afc8f39336803d97","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["include/net/dst_metadata.h"],"versions":[{"version":"4.3","status":"affected"},{"version":"0","lessThan":"4.3","status":"unaffected","versionType":"semver"},{"version":"4.4.277","lessThanOrEqual":"4.4.*","status":"unaffected","versionType":"semver"},{"version":"4.9.277","lessThanOrEqual":"4.9.*","status":"unaffected","versionType":"semver"},{"version":"4.14.241","lessThanOrEqual":"4.14.*","status":"unaffected","versionType":"semver"},{"version":"4.19.199","lessThanOrEqual":"4.19.*","status":"unaffected","versionType":"semver"},{"version":"5.4.135","lessThanOrEqual":"5.4.*","status":"unaffected","versionType":"semver"},{"version":"5.10.53","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.13.5","lessThanOrEqual":"5.13.*","status":"unaffected","versionType":"semver"},{"version":"5.14","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.3","versionEndExcluding":"4.4.277"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.3","versionEndExcluding":"4.9.277"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.3","versionEndExcluding":"4.14.241"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.3","versionEndExcluding":"4.19.199"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.3","versionEndExcluding":"5.4.135"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.3","versionEndExcluding":"5.10.53"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.3","versionEndExcluding":"5.13.5"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.3","versionEndExcluding":"5.14"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/e7f3c9df40515a6c6b46f36c4c94cf48a043f887"},{"url":"https://git.kernel.org/stable/c/b61d327cd3cc5ea591f3bf751dd11e034f388bb5"},{"url":"https://git.kernel.org/stable/c/83bdcfbd968bcc91a0632b7b625e4a9b0cba5e0d"},{"url":"https://git.kernel.org/stable/c/8bb1589c89e61e3b182dd546f1021928ebb5c2a6"},{"url":"https://git.kernel.org/stable/c/8aa13a86964cdec4fd969ef677c6614ff068641a"},{"url":"https://git.kernel.org/stable/c/2179d96ec702cc33ead02a9ce40ece599b8538c5"},{"url":"https://git.kernel.org/stable/c/a915379594f1e045421635c6316d8f3ffa018c58"},{"url":"https://git.kernel.org/stable/c/67a9c94317402b826fc3db32afc8f39336803d97"}],"title":"net: validate lwtstate->data before returning from skb_tunnel_info()","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"title":"CISA ADP Vulnrichment","metrics":[{"other":{"type":"ssvc","content":{"id":"CVE-2021-47309","role":"CISA Coordinator","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"version":"2.0.3","timestamp":"2024-05-23T19:12:00.559990Z"}}}],"providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2024-06-04T17:14:34.709Z"}},{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-04T05:32:08.596Z"},"title":"CVE Program Container","references":[{"url":"https://git.kernel.org/stable/c/e7f3c9df40515a6c6b46f36c4c94cf48a043f887","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/b61d327cd3cc5ea591f3bf751dd11e034f388bb5","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/83bdcfbd968bcc91a0632b7b625e4a9b0cba5e0d","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/8bb1589c89e61e3b182dd546f1021928ebb5c2a6","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/8aa13a86964cdec4fd969ef677c6614ff068641a","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/2179d96ec702cc33ead02a9ce40ece599b8538c5","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/a915379594f1e045421635c6316d8f3ffa018c58","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/67a9c94317402b826fc3db32afc8f39336803d97","tags":["x_transferred"]}]}]}}