CVE-2021-47152 in Linux

Summary

by MITRE • 03/25/2024

In the Linux kernel, the following vulnerability has been resolved:

mptcp: fix data stream corruption

Maxim reported several issues when forcing a TCP transparent proxy to use the MPTCP protocol for the inbound connections. He also provided a clean reproducer.

The problem boils down to 'mptcp_frag_can_collapse_to()' assuming that only MPTCP will use the given page_frag.

If others - e.g. the plain TCP protocol - allocate page fragments, we can end up re-using already allocated memory for mptcp_data_frag.

Fix the issue ensuring that the to-be-expanded data fragment is located at the current page frag end.

v1 -> v2: - added missing fixes tag (Mat)


Analysis

by VulDB Data Team • 08/04/2025

The vulnerability CVE-2021-47152 represents a critical data stream corruption issue within the Linux kernel's Multipath TCP implementation. This flaw specifically affects the MPTCP protocol handling when transparent proxy configurations are employed, creating a scenario where data integrity is compromised during network traffic processing. The vulnerability was identified through detailed analysis of how MPTCP interacts with TCP transparent proxy mechanisms, particularly when the proxy forces inbound connections to utilize MPTCP protocol handling rather than standard TCP.

The technical root cause lies in the mptcp_frag_can_collapse_to() function, which makes an incorrect assumption about how the kernel's page fragment allocator is shared. The function presumes that only MPTCP will use a given page fragment and does not account for other network protocols, such as plain TCP, allocating from the same fragment in between. When that happens, MPTCP can reuse memory that has already been handed out to another user for its own data fragment, corrupting data in flight with potential security consequences. The issue manifests particularly when a transparent proxy forces inbound connections to use MPTCP, so that both protocol paths operate on the same page fragment within the kernel's memory management subsystem.

The operational impact extends beyond simple data corruption and can affect the network reliability and security posture of systems running affected kernels. When a transparent proxy forces MPTCP for inbound connections, corrupted data streams can cause application-level failures and data integrity problems, and the corrupted traffic may give attackers opportunities to exploit the condition. Affected deployments are those that combine MPTCP with transparent proxy configurations, a pairing found in enterprise networks that use both for traffic optimization and load balancing. The flaw is therefore a significant concern for network infrastructure that relies on MPTCP for improved connectivity and on transparent proxies for traffic management.

The fix ensures that a data fragment to be expanded is located at the current page fragment end, so that no other allocation can sit between the fragment and the space MPTCP is about to append into. This follows established kernel memory management practice of keeping protocol allocations isolated and avoiding allocation conflicts, and is relevant to the CWE-129 and CWE-131 categories, which cover improper handling of memory boundaries and buffer sizing. The fix also reflects ATT&CK framework considerations for kernel-level vulnerabilities, specifically the privilege escalation and data integrity compromise vectors that memory corruption flaws can enable. The result is that MPTCP and TCP keep proper isolation while sharing the same kernel memory management system, preventing the cross-protocol memory reuse that caused the original vulnerability.
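To make the reuse condition concrete, the following is an added C model of a bump-pointer page fragment shared by two users; it is not kernel code and not taken from the commit. The structs pfrag and dfrag, the helper pfrag_alloc and the scenario functions clobbered_bytes and collapse_allowed are this example's own simplifications, and the two collapse predicates paraphrase the condition the commit message describes (the fragment must end at the current page frag end) rather than reproducing the kernel's actual implementation.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical, simplified stand-in for a shared page fragment allocator:
 * one page carved out by a bump pointer ('offset'). Every protocol that
 * shares the allocator advances the same pointer. */
struct pfrag {
    unsigned char *page;
    unsigned int size;
    unsigned int offset;   /* first unallocated byte in the page */
};

/* Hypothetical, simplified stand-in for an MPTCP data fragment. */
struct dfrag {
    unsigned char *page;   /* page holding the payload */
    unsigned int offset;   /* payload start within the page */
    unsigned int data_len; /* payload bytes stored so far */
    uint64_t data_seq;     /* data sequence number of the first byte */
};

/* Bump-allocate len bytes; returns the start offset, or -1 when full. */
static int pfrag_alloc(struct pfrag *pf, unsigned int len)
{
    if (pf->size - pf->offset < len)
        return -1;
    unsigned int off = pf->offset;
    pf->offset += len;
    return (int)off;
}

/* Collapse check in the spirit of the reported bug: same page, page not
 * exhausted, fragment at the tail of the write stream. It silently assumes
 * nobody else allocated from the page after this fragment was created. */
static bool can_collapse_buggy(const struct pfrag *pf, const struct dfrag *df,
                               uint64_t write_seq)
{
    return df && pf->page == df->page &&
           pf->size - pf->offset > 0 &&
           df->data_seq + df->data_len == write_seq;
}

/* Fixed check, paraphrasing the commit message: the fragment must also end
 * exactly at the current page frag end, i.e. it was the last allocation. */
static bool can_collapse_fixed(const struct pfrag *pf, const struct dfrag *df,
                               uint64_t write_seq)
{
    return can_collapse_buggy(pf, df, write_seq) &&
           pf->offset == df->offset + df->data_len;
}

typedef bool (*collapse_fn)(const struct pfrag *, const struct dfrag *, uint64_t);

struct scenario {
    struct pfrag pf;
    struct dfrag df;
    uint64_t write_seq;
    unsigned int tcp_off, tcp_len;
};

/* Constructed scenario: MPTCP stores a 100-byte fragment, then another user
 * of the same page frag (plain TCP in the report) takes tcp_len bytes. */
static void setup(struct scenario *s, unsigned int tcp_len)
{
    static unsigned char page[4096];
    s->pf = (struct pfrag){ page, sizeof(page), 0 };
    s->write_seq = 1000;
    s->df = (struct dfrag){ page, (unsigned int)pfrag_alloc(&s->pf, 100),
                            100, s->write_seq };
    s->write_seq += s->df.data_len;
    s->tcp_off = (unsigned int)pfrag_alloc(&s->pf, tcp_len);
    s->tcp_len = tcp_len;
}

/* Whether the given check would let MPTCP collapse into its fragment. */
static bool collapse_allowed(collapse_fn check, unsigned int tcp_len)
{
    struct scenario s;
    setup(&s, tcp_len);
    return check(&s.pf, &s.df, s.write_seq);
}

/* Bytes of the other user's allocation that appending append_len bytes
 * would overwrite if the given check allowed collapsing into the fragment. */
static unsigned int clobbered_bytes(collapse_fn check, unsigned int tcp_len,
                                    unsigned int append_len)
{
    struct scenario s;
    setup(&s, tcp_len);
    if (!check(&s.pf, &s.df, s.write_seq))
        return 0;   /* a fresh fragment is allocated instead: no overlap */
    unsigned int app_start = s.df.offset + s.df.data_len;
    unsigned int app_end = app_start + append_len;
    unsigned int tcp_end = s.tcp_off + s.tcp_len;
    unsigned int lo = app_start > s.tcp_off ? app_start : s.tcp_off;
    unsigned int hi = app_end < tcp_end ? app_end : tcp_end;
    return hi > lo ? hi - lo : 0;
}

int main(void)
{
    printf("buggy check, 50 bytes interposed, append 80: %u bytes clobbered\n",
           clobbered_bytes(can_collapse_buggy, 50, 80));
    printf("fixed check, same scenario: %u bytes clobbered\n",
           clobbered_bytes(can_collapse_fixed, 50, 80));
    printf("fixed check, nothing interposed: collapse allowed = %d\n",
           collapse_allowed(can_collapse_fixed, 0));
    return 0;
}
```

With the buggy predicate the scenario reports 50 clobbered bytes (the whole interposed allocation) because the only thing it verifies is page identity and stream position; the fixed predicate refuses to collapse as soon as the page frag's offset has moved past the fragment's end, and still allows collapsing when nothing was allocated in between.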

Reservation

03/04/2024

Disclosure

03/25/2024

Moderation

accepted

CPE

ready

EPSS

0.00232

KEV

no

Activities

very low

Sources
