CVE-2021-46912 (GCVE-0-2021-46912)

Vulnerability from cvelistv5 – Published: 2024-02-27 06:53 – Updated: 2026-05-11 13:44
VLAI?
Title
net: Make tcp_allowed_congestion_control readonly in non-init netns
Summary
In the Linux kernel, the following vulnerability has been resolved: net: Make tcp_allowed_congestion_control readonly in non-init netns Currently, tcp_allowed_congestion_control is global and writable; writing to it in any net namespace will leak into all other net namespaces. tcp_available_congestion_control and tcp_allowed_congestion_control are the only sysctls in ipv4_net_table (the per-netns sysctl table) with a NULL data pointer; their handlers (proc_tcp_available_congestion_control and proc_allowed_congestion_control) have no other way of referencing a struct net. Thus, they operate globally. Because ipv4_net_table does not use designated initializers, there is no easy way to fix up this one "bad" table entry. However, the data pointer updating logic shouldn't be applied to NULL pointers anyway, so we instead force these entries to be read-only. These sysctls used to exist in ipv4_table (init-net only), but they were moved to the per-net ipv4_net_table, presumably without realizing that tcp_allowed_congestion_control was writable and thus introduced a leak. Because the intent of that commit was only to know (i.e. read) "which congestion algorithms are available or allowed", this read-only solution should be sufficient. The logic added in recent commit 31c4d2f160eb: ("net: Ensure net namespace isolation of sysctls") does not and cannot check for NULL data pointers, because other table entries (e.g. /proc/sys/net/netfilter/nf_log/) have .data=NULL but use other methods (.extra2) to access the struct net.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 9cb8e048e5d93825ec5e8dfb5b8df4987ea25745 , < 35d7491e2f77ce480097cabcaf93ed409e916e12 (git)
Affected: 9cb8e048e5d93825ec5e8dfb5b8df4987ea25745 , < 1ccdf1bed140820240e383ba0accc474ffc7f006 (git)
Affected: 9cb8e048e5d93825ec5e8dfb5b8df4987ea25745 , < 97684f0970f6e112926de631fdd98d9693c7e5c1 (git)
Create a notification for this product.
Linux Linux Affected: 5.7
Unaffected: 0 , < 5.7 (semver)
Unaffected: 5.10.32 , ≤ 5.10.* (semver)
Unaffected: 5.11.16 , ≤ 5.11.* (semver)
Unaffected: 5.12 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2021-46912",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-02-27T16:08:06.856506Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-04T17:13:13.524Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T05:17:42.998Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/35d7491e2f77ce480097cabcaf93ed409e916e12"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/1ccdf1bed140820240e383ba0accc474ffc7f006"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/97684f0970f6e112926de631fdd98d9693c7e5c1"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/ipv4/sysctl_net_ipv4.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "35d7491e2f77ce480097cabcaf93ed409e916e12",
              "status": "affected",
              "version": "9cb8e048e5d93825ec5e8dfb5b8df4987ea25745",
              "versionType": "git"
            },
            {
              "lessThan": "1ccdf1bed140820240e383ba0accc474ffc7f006",
              "status": "affected",
              "version": "9cb8e048e5d93825ec5e8dfb5b8df4987ea25745",
              "versionType": "git"
            },
            {
              "lessThan": "97684f0970f6e112926de631fdd98d9693c7e5c1",
              "status": "affected",
              "version": "9cb8e048e5d93825ec5e8dfb5b8df4987ea25745",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/ipv4/sysctl_net_ipv4.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.7"
            },
            {
              "lessThan": "5.7",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.32",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.11.*",
              "status": "unaffected",
              "version": "5.11.16",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "5.12",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.32",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.11.16",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.12",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: Make tcp_allowed_congestion_control readonly in non-init netns\n\nCurrently, tcp_allowed_congestion_control is global and writable;\nwriting to it in any net namespace will leak into all other net\nnamespaces.\n\ntcp_available_congestion_control and tcp_allowed_congestion_control are\nthe only sysctls in ipv4_net_table (the per-netns sysctl table) with a\nNULL data pointer; their handlers (proc_tcp_available_congestion_control\nand proc_allowed_congestion_control) have no other way of referencing a\nstruct net. Thus, they operate globally.\n\nBecause ipv4_net_table does not use designated initializers, there is no\neasy way to fix up this one \"bad\" table entry. However, the data pointer\nupdating logic shouldn\u0027t be applied to NULL pointers anyway, so we\ninstead force these entries to be read-only.\n\nThese sysctls used to exist in ipv4_table (init-net only), but they were\nmoved to the per-net ipv4_net_table, presumably without realizing that\ntcp_allowed_congestion_control was writable and thus introduced a leak.\n\nBecause the intent of that commit was only to know (i.e. read) \"which\ncongestion algorithms are available or allowed\", this read-only solution\nshould be sufficient.\n\nThe logic added in recent commit\n31c4d2f160eb: (\"net: Ensure net namespace isolation of sysctls\")\ndoes not and cannot check for NULL data pointers, because\nother table entries (e.g. /proc/sys/net/netfilter/nf_log/) have\n.data=NULL but use other methods (.extra2) to access the struct net."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T13:44:17.656Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/35d7491e2f77ce480097cabcaf93ed409e916e12"
        },
        {
          "url": "https://git.kernel.org/stable/c/1ccdf1bed140820240e383ba0accc474ffc7f006"
        },
        {
          "url": "https://git.kernel.org/stable/c/97684f0970f6e112926de631fdd98d9693c7e5c1"
        }
      ],
      "title": "net: Make tcp_allowed_congestion_control readonly in non-init netns",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2021-46912",
    "datePublished": "2024-02-27T06:53:52.135Z",
    "dateReserved": "2024-02-25T13:45:52.718Z",
    "dateUpdated": "2026-05-11T13:44:17.656Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2021-46912",
      "date": "2026-05-19",
      "epss": "0.00018",
      "percentile": "0.04838"
    },
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"5.7.0\", \"versionEndExcluding\": \"5.10.32\", \"matchCriteriaId\": \"C1C508F5-A923-4065-B935-4585062D5CA8\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"5.11.0\", \"versionEndExcluding\": \"5.11.16\", \"matchCriteriaId\": \"3C5242B9-B5BD-4578-AD66-69DF59D54A14\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: Make tcp_allowed_congestion_control readonly in non-init netns\\n\\nCurrently, tcp_allowed_congestion_control is global and writable;\\nwriting to it in any net namespace will leak into all other net\\nnamespaces.\\n\\ntcp_available_congestion_control and tcp_allowed_congestion_control are\\nthe only sysctls in ipv4_net_table (the per-netns sysctl table) with a\\nNULL data pointer; their handlers (proc_tcp_available_congestion_control\\nand proc_allowed_congestion_control) have no other way of referencing a\\nstruct net. Thus, they operate globally.\\n\\nBecause ipv4_net_table does not use designated initializers, there is no\\neasy way to fix up this one \\\"bad\\\" table entry. However, the data pointer\\nupdating logic shouldn\u0027t be applied to NULL pointers anyway, so we\\ninstead force these entries to be read-only.\\n\\nThese sysctls used to exist in ipv4_table (init-net only), but they were\\nmoved to the per-net ipv4_net_table, presumably without realizing that\\ntcp_allowed_congestion_control was writable and thus introduced a leak.\\n\\nBecause the intent of that commit was only to know (i.e. read) \\\"which\\ncongestion algorithms are available or allowed\\\", this read-only solution\\nshould be sufficient.\\n\\nThe logic added in recent commit\\n31c4d2f160eb: (\\\"net: Ensure net namespace isolation of sysctls\\\")\\ndoes not and cannot check for NULL data pointers, because\\nother table entries (e.g. /proc/sys/net/netfilter/nf_log/) have\\n.data=NULL but use other methods (.extra2) to access the struct net.\"}, {\"lang\": \"es\", \"value\": \"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net: hacer que tcp_allowed_congestion_control sea de solo lectura en redes no init. Actualmente, tcp_allowed_congestion_control es global y se puede escribir; escribir en \\u00e9l en cualquier espacio de nombres de red se filtrar\\u00e1 a todos los dem\\u00e1s espacios de nombres de red. tcp_available_congestion_control y tcp_allowed_congestion_control son los \\u00fanicos sysctls en ipv4_net_table (la tabla sysctl por red) con un puntero de datos NULL; sus controladores (proc_tcp_available_congestion_control y proc_allowed_congestion_control) no tienen otra forma de hacer referencia a una estructura neta. Por lo tanto, operan globalmente. Debido a que ipv4_net_table no utiliza inicializadores designados, no existe una manera f\\u00e1cil de corregir esta entrada \\\"mala\\\" de la tabla. Sin embargo, la l\\u00f3gica de actualizaci\\u00f3n del puntero de datos no deber\\u00eda aplicarse a los punteros NULL de todos modos, por lo que forzamos que estas entradas sean de solo lectura. Estos sysctls sol\\u00edan existir en ipv4_table (solo init-net), pero se movieron a ipv4_net_table por red, presumiblemente sin darse cuenta de que tcp_allowed_congestion_control se pod\\u00eda escribir y, por lo tanto, introdujeron una fuga. Debido a que la intenci\\u00f3n de esa confirmaci\\u00f3n era s\\u00f3lo saber (es decir, leer) \\\"qu\\u00e9 algoritmos de congesti\\u00f3n est\\u00e1n disponibles o permitidos\\\", esta soluci\\u00f3n de solo lectura deber\\u00eda ser suficiente. La l\\u00f3gica agregada en la reciente confirmaci\\u00f3n 31c4d2f160eb: (\\\"net: Garantizar el aislamiento del espacio de nombres de red de sysctls\\\") no verifica ni puede verificar los punteros de datos NULL, porque otras entradas de la tabla (por ejemplo, /proc/sys/net/netfilter/nf_log/) tienen .data=NULL pero usa otros m\\u00e9todos (.extra2) para acceder a la estructura neta.\"}]",
      "id": "CVE-2021-46912",
      "lastModified": "2024-11-21T06:34:55.010",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\", \"baseScore\": 5.5, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"LOCAL\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 1.8, \"impactScore\": 3.6}]}",
      "published": "2024-02-27T07:15:07.613",
      "references": "[{\"url\": \"https://git.kernel.org/stable/c/1ccdf1bed140820240e383ba0accc474ffc7f006\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"tags\": [\"Patch\"]}, {\"url\": \"https://git.kernel.org/stable/c/35d7491e2f77ce480097cabcaf93ed409e916e12\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"tags\": [\"Patch\"]}, {\"url\": \"https://git.kernel.org/stable/c/97684f0970f6e112926de631fdd98d9693c7e5c1\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"tags\": [\"Patch\"]}, {\"url\": \"https://git.kernel.org/stable/c/1ccdf1bed140820240e383ba0accc474ffc7f006\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\"]}, {\"url\": \"https://git.kernel.org/stable/c/35d7491e2f77ce480097cabcaf93ed409e916e12\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\"]}, {\"url\": \"https://git.kernel.org/stable/c/97684f0970f6e112926de631fdd98d9693c7e5c1\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\"]}]",
      "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-476\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2021-46912\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-02-27T07:15:07.613\",\"lastModified\":\"2024-11-21T06:34:55.010\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: Make tcp_allowed_congestion_control readonly in non-init netns\\n\\nCurrently, tcp_allowed_congestion_control is global and writable;\\nwriting to it in any net namespace will leak into all other net\\nnamespaces.\\n\\ntcp_available_congestion_control and tcp_allowed_congestion_control are\\nthe only sysctls in ipv4_net_table (the per-netns sysctl table) with a\\nNULL data pointer; their handlers (proc_tcp_available_congestion_control\\nand proc_allowed_congestion_control) have no other way of referencing a\\nstruct net. Thus, they operate globally.\\n\\nBecause ipv4_net_table does not use designated initializers, there is no\\neasy way to fix up this one \\\"bad\\\" table entry. However, the data pointer\\nupdating logic shouldn\u0027t be applied to NULL pointers anyway, so we\\ninstead force these entries to be read-only.\\n\\nThese sysctls used to exist in ipv4_table (init-net only), but they were\\nmoved to the per-net ipv4_net_table, presumably without realizing that\\ntcp_allowed_congestion_control was writable and thus introduced a leak.\\n\\nBecause the intent of that commit was only to know (i.e. read) \\\"which\\ncongestion algorithms are available or allowed\\\", this read-only solution\\nshould be sufficient.\\n\\nThe logic added in recent commit\\n31c4d2f160eb: (\\\"net: Ensure net namespace isolation of sysctls\\\")\\ndoes not and cannot check for NULL data pointers, because\\nother table entries (e.g. /proc/sys/net/netfilter/nf_log/) have\\n.data=NULL but use other methods (.extra2) to access the struct net.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net: hacer que tcp_allowed_congestion_control sea de solo lectura en redes no init. Actualmente, tcp_allowed_congestion_control es global y se puede escribir; escribir en \u00e9l en cualquier espacio de nombres de red se filtrar\u00e1 a todos los dem\u00e1s espacios de nombres de red. tcp_available_congestion_control y tcp_allowed_congestion_control son los \u00fanicos sysctls en ipv4_net_table (la tabla sysctl por red) con un puntero de datos NULL; sus controladores (proc_tcp_available_congestion_control y proc_allowed_congestion_control) no tienen otra forma de hacer referencia a una estructura neta. Por lo tanto, operan globalmente. Debido a que ipv4_net_table no utiliza inicializadores designados, no existe una manera f\u00e1cil de corregir esta entrada \\\"mala\\\" de la tabla. Sin embargo, la l\u00f3gica de actualizaci\u00f3n del puntero de datos no deber\u00eda aplicarse a los punteros NULL de todos modos, por lo que forzamos que estas entradas sean de solo lectura. Estos sysctls sol\u00edan existir en ipv4_table (solo init-net), pero se movieron a ipv4_net_table por red, presumiblemente sin darse cuenta de que tcp_allowed_congestion_control se pod\u00eda escribir y, por lo tanto, introdujeron una fuga. Debido a que la intenci\u00f3n de esa confirmaci\u00f3n era s\u00f3lo saber (es decir, leer) \\\"qu\u00e9 algoritmos de congesti\u00f3n est\u00e1n disponibles o permitidos\\\", esta soluci\u00f3n de solo lectura deber\u00eda ser suficiente. La l\u00f3gica agregada en la reciente confirmaci\u00f3n 31c4d2f160eb: (\\\"net: Garantizar el aislamiento del espacio de nombres de red de sysctls\\\") no verifica ni puede verificar los punteros de datos NULL, porque otras entradas de la tabla (por ejemplo, /proc/sys/net/netfilter/nf_log/) tienen .data=NULL pero usa otros m\u00e9todos (.extra2) para acceder a la estructura neta.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-476\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.7.0\",\"versionEndExcluding\":\"5.10.32\",\"matchCriteriaId\":\"C1C508F5-A923-4065-B935-4585062D5CA8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.11.0\",\"versionEndExcluding\":\"5.11.16\",\"matchCriteriaId\":\"3C5242B9-B5BD-4578-AD66-69DF59D54A14\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/1ccdf1bed140820240e383ba0accc474ffc7f006\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/35d7491e2f77ce480097cabcaf93ed409e916e12\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/97684f0970f6e112926de631fdd98d9693c7e5c1\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/1ccdf1bed140820240e383ba0accc474ffc7f006\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/35d7491e2f77ce480097cabcaf93ed409e916e12\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/97684f0970f6e112926de631fdd98d9693c7e5c1\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://git.kernel.org/stable/c/35d7491e2f77ce480097cabcaf93ed409e916e12\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://git.kernel.org/stable/c/1ccdf1bed140820240e383ba0accc474ffc7f006\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://git.kernel.org/stable/c/97684f0970f6e112926de631fdd98d9693c7e5c1\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-04T05:17:42.998Z\"}}, {\"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2021-46912\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-02-27T16:08:06.856506Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-05-23T19:01:13.425Z\"}, \"title\": \"CISA ADP Vulnrichment\"}], \"cna\": {\"title\": \"net: Make tcp_allowed_congestion_control readonly in non-init netns\", \"affected\": [{\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"9cb8e048e5d93825ec5e8dfb5b8df4987ea25745\", \"lessThan\": \"35d7491e2f77ce480097cabcaf93ed409e916e12\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"9cb8e048e5d93825ec5e8dfb5b8df4987ea25745\", \"lessThan\": \"1ccdf1bed140820240e383ba0accc474ffc7f006\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"9cb8e048e5d93825ec5e8dfb5b8df4987ea25745\", \"lessThan\": \"97684f0970f6e112926de631fdd98d9693c7e5c1\", \"versionType\": \"git\"}], \"programFiles\": [\"net/ipv4/sysctl_net_ipv4.c\"], \"defaultStatus\": \"unaffected\"}, {\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"5.7\"}, {\"status\": \"unaffected\", \"version\": \"0\", \"lessThan\": \"5.7\", \"versionType\": \"semver\"}, {\"status\": \"unaffected\", \"version\": \"5.10.32\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.10.*\"}, {\"status\": \"unaffected\", \"version\": \"5.11.16\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.11.*\"}, {\"status\": \"unaffected\", \"version\": \"5.12\", \"versionType\": \"original_commit_for_fix\", \"lessThanOrEqual\": \"*\"}], \"programFiles\": [\"net/ipv4/sysctl_net_ipv4.c\"], \"defaultStatus\": \"affected\"}], \"references\": [{\"url\": \"https://git.kernel.org/stable/c/35d7491e2f77ce480097cabcaf93ed409e916e12\"}, {\"url\": \"https://git.kernel.org/stable/c/1ccdf1bed140820240e383ba0accc474ffc7f006\"}, {\"url\": \"https://git.kernel.org/stable/c/97684f0970f6e112926de631fdd98d9693c7e5c1\"}], \"x_generator\": {\"engine\": \"bippy-1.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: Make tcp_allowed_congestion_control readonly in non-init netns\\n\\nCurrently, tcp_allowed_congestion_control is global and writable;\\nwriting to it in any net namespace will leak into all other net\\nnamespaces.\\n\\ntcp_available_congestion_control and tcp_allowed_congestion_control are\\nthe only sysctls in ipv4_net_table (the per-netns sysctl table) with a\\nNULL data pointer; their handlers (proc_tcp_available_congestion_control\\nand proc_allowed_congestion_control) have no other way of referencing a\\nstruct net. Thus, they operate globally.\\n\\nBecause ipv4_net_table does not use designated initializers, there is no\\neasy way to fix up this one \\\"bad\\\" table entry. However, the data pointer\\nupdating logic shouldn\u0027t be applied to NULL pointers anyway, so we\\ninstead force these entries to be read-only.\\n\\nThese sysctls used to exist in ipv4_table (init-net only), but they were\\nmoved to the per-net ipv4_net_table, presumably without realizing that\\ntcp_allowed_congestion_control was writable and thus introduced a leak.\\n\\nBecause the intent of that commit was only to know (i.e. read) \\\"which\\ncongestion algorithms are available or allowed\\\", this read-only solution\\nshould be sufficient.\\n\\nThe logic added in recent commit\\n31c4d2f160eb: (\\\"net: Ensure net namespace isolation of sysctls\\\")\\ndoes not and cannot check for NULL data pointers, because\\nother table entries (e.g. /proc/sys/net/netfilter/nf_log/) have\\n.data=NULL but use other methods (.extra2) to access the struct net.\"}], \"cpeApplicability\": [{\"nodes\": [{\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.10.32\", \"versionStartIncluding\": \"5.7\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.11.16\", \"versionStartIncluding\": \"5.7\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.12\", \"versionStartIncluding\": \"5.7\"}], \"operator\": \"OR\"}]}], \"providerMetadata\": {\"orgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"shortName\": \"Linux\", \"dateUpdated\": \"2026-05-11T13:44:17.656Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2021-46912\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-05-11T13:44:17.656Z\", \"dateReserved\": \"2024-02-25T13:45:52.718Z\", \"assignerOrgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"datePublished\": \"2024-02-27T06:53:52.135Z\", \"assignerShortName\": \"Linux\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.