CVE-2021-47593 in Linux
Summary
by MITRE • 06/19/2024
In the Linux kernel, the following vulnerability has been resolved:
mptcp: clear 'kern' flag from fallback sockets
The mptcp ULP extension relies on sk->sk_sock_kern being set correctly: It prevents setsockopt(fd, IPPROTO_TCP, TCP_ULP, "mptcp", 6); from working for plain tcp sockets (any userspace-exposed socket).
But in case of fallback, accept() can return a plain tcp sk. In such case, sk is still tagged as 'kernel' and setsockopt will work.
This will crash the kernel. The subflow extension has a NULL ctx->conn mptcp socket:
BUG: KASAN: null-ptr-deref in subflow_data_ready+0x181/0x2b0
Call Trace:
 tcp_data_ready+0xf8/0x370
 [..]
Analysis
by VulDB Data Team • 10/04/2025
CVE-2021-47593 is a critical kernel crash in the Linux kernel's Multipath TCP (MPTCP) implementation, caused by mishandling of the socket kernel flag during fallback. It affects the MPTCP ULP (Upper Layer Protocol) extension, which depends on the sk_sock_kern flag being accurate to tell kernel-internal sockets apart from sockets exposed to user space. The flaw is that the kernel does not clear the 'kern' flag from fallback sockets, leaving socket state inconsistent in a way that can bring the system down.
The root cause is that MPTCP uses the sk->sk_sock_kern flag as a gate: a setsockopt(TCP_ULP, "mptcp") call is refused on plain TCP sockets precisely because they are not flagged as kernel sockets. When a connection falls back to plain TCP during establishment, accept() can return a plain TCP socket that still carries the kernel flag inherited from its MPTCP parent. Because of this stale flag, the TCP_ULP setsockopt succeeds on what is now an ordinary TCP socket, and subflow_data_ready then dereferences a NULL pointer: the subflow extension's ctx->conn pointer, which should reference the owning MPTCP socket, was never set for this socket. The kernel's memory error detector (KASAN) reports this as a null-ptr-deref in subflow_data_ready.
The operational impact of this vulnerability is severe as it can cause immediate system crashes and potential denial of service conditions across affected Linux systems. Attackers could exploit this weakness by triggering fallback scenarios in MPTCP connections, potentially leading to complete system instability. The vulnerability affects systems running Linux kernel versions where MPTCP is enabled and active, making it particularly concerning for network infrastructure equipment and servers that rely on multipath connectivity. This issue directly relates to CWE-476 which addresses NULL pointer dereference vulnerabilities, and aligns with ATT&CK technique T1499.004 for network denial of service attacks.
Mitigation should focus on correct socket flag handling across the fallback transition, and on validating socket state before a TCP_ULP setsockopt call is honoured on a socket whose kernel flag may be stale. System administrators should prioritize kernel updates that include the fix, and monitor for unusual network behavior that might indicate attempts to trigger the crash. The fix itself clears the 'kern' flag from fallback sockets, so that the socket state the MPTCP subsystem relies on stays consistent through the fallback path.