CVE-2021-47129 in Linux
Summary
by MITRE • 03/15/2024
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nft_ct: skip expectations for confirmed conntrack
nft_ct_expect_obj_eval() calls nf_ct_ext_add() for a confirmed conntrack entry. However, nf_ct_ext_add() can only be called for !nf_ct_is_confirmed().
[ 1825.349056] WARNING: CPU: 0 PID: 1279 at net/netfilter/nf_conntrack_extend.c:48 nf_ct_xt_add+0x18e/0x1a0 [nf_conntrack]
[ 1825.351391] RIP: 0010:nf_ct_ext_add+0x18e/0x1a0 [nf_conntrack]
[ 1825.351493] Code: 41 5c 41 5d 41 5e 41 5f c3 41 bc 0a 00 00 00 e9 15 ff ff ff ba 09 00 00 00 31 f6 4c 89 ff e8 69 6c 3d e9 eb 96 45 31 ed eb cd 0b e9 b1 fe ff ff e8 86 79 14 e9 eb bf 0f 1f 40 00 0f 1f 44 00
[ 1825.351721] RSP: 0018:ffffc90002e1f1e8 EFLAGS: 00010202
[ 1825.351790] RAX: 000000000000000e RBX: ffff88814f5783c0 RCX: ffffffffc0e4f887
[ 1825.351881] RDX: dffffc0000000000 RSI: 0000000000000008 RDI: ffff88814f578440
[ 1825.351971] RBP: 0000000000000000 R08: 0000000000000000 R09: ffff88814f578447
[ 1825.352060] R10: ffffed1029eaf088 R11: 0000000000000001 R12: ffff88814f578440
[ 1825.352150] R13: ffff8882053f3a00 R14: 0000000000000000 R15: 0000000000000a20
[ 1825.352240] FS: 00007f992261c900(0000) GS:ffff889faec00000(0000) knlGS:0000000000000000
[ 1825.352343] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1825.352417] CR2: 000056070a4d1158 CR3: 000000015efe0000 CR4: 0000000000350ee0
[ 1825.352508] Call Trace:
[ 1825.352544] nf_ct_helper_ext_add+0x10/0x60 [nf_conntrack]
[ 1825.352641] nft_ct_expect_obj_eval+0x1b8/0x1e0 [nft_ct]
[ 1825.352716] nft_do_chain+0x232/0x850 [nf_tables]
Add the ct helper extension only for unconfirmed conntrack. Skip rule evaluation if the ct helper extension does not exist. Thus, you can only create expectations from the first packet.
It should be possible to remove this limitation by adding a new action to attach a generic ct helper to the first packet. Then, use this ct helper extension from follow up packets to create the ct expectation.
While at it, add a missing check to skip the template conntrack too and remove check for IPCT_UNTRACK which is implicit to !ct.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 06/21/2025
The vulnerability described in CVE-2021-47129 resides within the Linux kernel's netfilter subsystem, specifically affecting the nftables module's conntrack implementation. This issue manifests as a critical flaw in the handling of connection tracking expectations, where the system attempts to add extended connection tracking elements to already confirmed connection entries. The problem occurs during the evaluation of connection tracking expectations within the nft_ct_expect_obj_eval() function, which directly calls nf_ct_ext_add() for confirmed conntrack entries. However, the nf_ct_ext_add() function is explicitly designed to operate only on unconfirmed connection tracking entries, creating a fundamental contradiction that leads to system instability.
The technical execution of this vulnerability is demonstrated through kernel panic messages and stack traces that show the system attempting to access memory locations that should remain protected. When the kernel encounters this contradiction, it triggers a warning message indicating a critical system failure in the netfilter subsystem's connection tracking extension management. The error occurs at the specific memory address net/netfilter/nf_conntrack_extend.c:48 in the nf_ct_xt_add function, where the system attempts to perform operations on connection tracking data structures that are no longer in a valid state for extension. The call trace reveals the execution path leading from nft_ct_expect_obj_eval through nf_ct_helper_ext_add up to the core nf_ct_ext_add function, demonstrating how the system's flow control becomes corrupted.
This vulnerability has significant operational impact on systems relying on netfilter and nftables for network traffic management and security enforcement. The improper handling of connection tracking expectations can lead to system crashes, complete kernel panics, and potential denial of service conditions that affect network connectivity and system availability. Network security appliances, firewalls, and routing systems that depend on these kernel modules become vulnerable to exploitation, potentially allowing attackers to cause system instability or disrupt network services. The vulnerability affects systems running Linux kernel versions that include the affected netfilter code, particularly those implementing nftables rules that utilize connection tracking expectations.
The mitigation strategy for this vulnerability involves modifying the nft_ct_expect_obj_eval() function to properly check connection tracking confirmation status before attempting to add extensions. The fix implements a conditional check that prevents extension addition for confirmed connections, ensuring that helper extensions are only created for unconfirmed entries. Additionally, the patch addresses the issue by skipping rule evaluation when the ct helper extension does not exist, effectively limiting expectation creation to the first packet of a connection. The solution also includes removing checks for IPCT_UNTRACK which are implicitly handled by the negation of ct status, and adds proper validation to skip template conntrack entries. This approach aligns with CWE-691, which addresses insufficient control flow management in security-critical systems, and follows ATT&CK technique T1499.004 for network denial of service. The fix ensures that connection tracking expectations are properly managed according to the kernel's design principles, maintaining system stability while preserving the intended security functionality.