CVE-2021-47243 (GCVE-0-2021-47243)

Vulnerability from cvelistv5 – Published: 2024-05-21 14:19 – Updated: 2025-05-04 07:07
VLAI?
Title
sch_cake: Fix out of bounds when parsing TCP options and header
Summary
In the Linux kernel, the following vulnerability has been resolved: sch_cake: Fix out of bounds when parsing TCP options and header The TCP option parser in cake qdisc (cake_get_tcpopt and cake_tcph_may_drop) could read one byte out of bounds. When the length is 1, the execution flow gets into the loop, reads one byte of the opcode, and if the opcode is neither TCPOPT_EOL nor TCPOPT_NOP, it reads one more byte, which exceeds the length of 1. This fix is inspired by commit 9609dad263f8 ("ipv4: tcp_input: fix stack out of bounds when parsing TCP options."). v2 changes: Added doff validation in cake_get_tcphdr to avoid parsing garbage as TCP header. Although it wasn't strictly an out-of-bounds access (memory was allocated), garbage values could be read where CAKE expected the TCP header if doff was smaller than 5.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 8b7138814f29933898ecd31dfc83e35a30ee69f5 , < 595897ef118d6fe66690c4fc5b572028c9da95b7 (git)
Affected: 8b7138814f29933898ecd31dfc83e35a30ee69f5 , < 4cefa061fc63f4d2dff5ab4083f43857cd7a2335 (git)
Affected: 8b7138814f29933898ecd31dfc83e35a30ee69f5 , < 3b491dd593d582ceeb27aa617600712a6bd14246 (git)
Affected: 8b7138814f29933898ecd31dfc83e35a30ee69f5 , < 3371392c60e2685af30bd4547badd880f5df2b3f (git)
Affected: 8b7138814f29933898ecd31dfc83e35a30ee69f5 , < ba91c49dedbde758ba0b72f57ac90b06ddf8e548 (git)
Create a notification for this product.
    Linux Linux Affected: 4.19
Unaffected: 0 , < 4.19 (semver)
Unaffected: 4.19.196 , ≤ 4.19.* (semver)
Unaffected: 5.4.128 , ≤ 5.4.* (semver)
Unaffected: 5.10.46 , ≤ 5.10.* (semver)
Unaffected: 5.12.13 , ≤ 5.12.* (semver)
Unaffected: 5.13 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T05:32:07.942Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/595897ef118d6fe66690c4fc5b572028c9da95b7"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/4cefa061fc63f4d2dff5ab4083f43857cd7a2335"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/3b491dd593d582ceeb27aa617600712a6bd14246"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/3371392c60e2685af30bd4547badd880f5df2b3f"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/ba91c49dedbde758ba0b72f57ac90b06ddf8e548"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2021-47243",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-10T15:39:57.595123Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-11T17:33:12.342Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/sched/sch_cake.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "595897ef118d6fe66690c4fc5b572028c9da95b7",
              "status": "affected",
              "version": "8b7138814f29933898ecd31dfc83e35a30ee69f5",
              "versionType": "git"
            },
            {
              "lessThan": "4cefa061fc63f4d2dff5ab4083f43857cd7a2335",
              "status": "affected",
              "version": "8b7138814f29933898ecd31dfc83e35a30ee69f5",
              "versionType": "git"
            },
            {
              "lessThan": "3b491dd593d582ceeb27aa617600712a6bd14246",
              "status": "affected",
              "version": "8b7138814f29933898ecd31dfc83e35a30ee69f5",
              "versionType": "git"
            },
            {
              "lessThan": "3371392c60e2685af30bd4547badd880f5df2b3f",
              "status": "affected",
              "version": "8b7138814f29933898ecd31dfc83e35a30ee69f5",
              "versionType": "git"
            },
            {
              "lessThan": "ba91c49dedbde758ba0b72f57ac90b06ddf8e548",
              "status": "affected",
              "version": "8b7138814f29933898ecd31dfc83e35a30ee69f5",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/sched/sch_cake.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.19"
            },
            {
              "lessThan": "4.19",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.19.*",
              "status": "unaffected",
              "version": "4.19.196",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.128",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.46",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.12.*",
              "status": "unaffected",
              "version": "5.12.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "5.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.19.196",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.128",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.46",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.12.13",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.13",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsch_cake: Fix out of bounds when parsing TCP options and header\n\nThe TCP option parser in cake qdisc (cake_get_tcpopt and\ncake_tcph_may_drop) could read one byte out of bounds. When the length\nis 1, the execution flow gets into the loop, reads one byte of the\nopcode, and if the opcode is neither TCPOPT_EOL nor TCPOPT_NOP, it reads\none more byte, which exceeds the length of 1.\n\nThis fix is inspired by commit 9609dad263f8 (\"ipv4: tcp_input: fix stack\nout of bounds when parsing TCP options.\").\n\nv2 changes:\n\nAdded doff validation in cake_get_tcphdr to avoid parsing garbage as TCP\nheader. Although it wasn\u0027t strictly an out-of-bounds access (memory was\nallocated), garbage values could be read where CAKE expected the TCP\nheader if doff was smaller than 5."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:07:01.395Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/595897ef118d6fe66690c4fc5b572028c9da95b7"
        },
        {
          "url": "https://git.kernel.org/stable/c/4cefa061fc63f4d2dff5ab4083f43857cd7a2335"
        },
        {
          "url": "https://git.kernel.org/stable/c/3b491dd593d582ceeb27aa617600712a6bd14246"
        },
        {
          "url": "https://git.kernel.org/stable/c/3371392c60e2685af30bd4547badd880f5df2b3f"
        },
        {
          "url": "https://git.kernel.org/stable/c/ba91c49dedbde758ba0b72f57ac90b06ddf8e548"
        }
      ],
      "title": "sch_cake: Fix out of bounds when parsing TCP options and header",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2021-47243",
    "datePublished": "2024-05-21T14:19:42.309Z",
    "dateReserved": "2024-04-10T18:59:19.532Z",
    "dateUpdated": "2025-05-04T07:07:01.395Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"4.19\", \"versionEndExcluding\": \"4.19.196\", \"matchCriteriaId\": \"3DE66C67-F5DA-4883-B3AB-D6D527C324D9\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"4.20\", \"versionEndExcluding\": \"5.4.128\", \"matchCriteriaId\": \"6267BD4E-BE25-48B5-B850-4B493440DAFA\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"5.5\", \"versionEndExcluding\": \"5.10.46\", \"matchCriteriaId\": \"59455D13-A902-42E1-97F7-5ED579777193\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"5.11\", \"versionEndExcluding\": \"5.12.13\", \"matchCriteriaId\": \"7806E7E5-6D4F-4E18-81C1-79B3C60EE855\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:linux:linux_kernel:5.13:rc1:*:*:*:*:*:*\", \"matchCriteriaId\": \"0CBAD0FC-C281-4666-AB2F-F8E6E1165DF7\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:linux:linux_kernel:5.13:rc2:*:*:*:*:*:*\", \"matchCriteriaId\": \"96AC23B2-D46A-49D9-8203-8E1BEDCA8532\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:linux:linux_kernel:5.13:rc3:*:*:*:*:*:*\", \"matchCriteriaId\": \"DA610E30-717C-4700-9F77-A3C9244F3BFD\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:linux:linux_kernel:5.13:rc4:*:*:*:*:*:*\", \"matchCriteriaId\": \"1ECD33F5-85BE-430B-8F86-8D7BD560311D\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:linux:linux_kernel:5.13:rc5:*:*:*:*:*:*\", \"matchCriteriaId\": \"CF351855-2437-4CF5-AD7C-BDFA51F27683\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:linux:linux_kernel:5.13:rc6:*:*:*:*:*:*\", \"matchCriteriaId\": \"25A855BA-2118-44F2-90EF-EBBB12AF51EF\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nsch_cake: Fix out of bounds when parsing TCP options and header\\n\\nThe TCP option parser in cake qdisc (cake_get_tcpopt and\\ncake_tcph_may_drop) could read one byte out of bounds. When the length\\nis 1, the execution flow gets into the loop, reads one byte of the\\nopcode, and if the opcode is neither TCPOPT_EOL nor TCPOPT_NOP, it reads\\none more byte, which exceeds the length of 1.\\n\\nThis fix is inspired by commit 9609dad263f8 (\\\"ipv4: tcp_input: fix stack\\nout of bounds when parsing TCP options.\\\").\\n\\nv2 changes:\\n\\nAdded doff validation in cake_get_tcphdr to avoid parsing garbage as TCP\\nheader. Although it wasn\u0027t strictly an out-of-bounds access (memory was\\nallocated), garbage values could be read where CAKE expected the TCP\\nheader if doff was smaller than 5.\"}, {\"lang\": \"es\", \"value\": \" En el kernel de Linux, se resolvi\\u00f3 la siguiente vulnerabilidad: sch_cake: Correcci\\u00f3n de l\\u00edmites al analizar las opciones TCP y el encabezado. El analizador de opciones TCP en cake qdisc (cake_get_tcpopt y cake_tcph_may_drop) pod\\u00eda leer un byte fuera de los l\\u00edmites. Cuando la longitud es 1, el flujo de ejecuci\\u00f3n entra en el bucle, lee un byte del c\\u00f3digo de operaci\\u00f3n y, si el c\\u00f3digo de operaci\\u00f3n no es TCPOPT_EOL ni TCPOPT_NOP, lee un byte m\\u00e1s, que excede la longitud de 1. Esta soluci\\u00f3n est\\u00e1 inspirada en la confirmaci\\u00f3n. 9609dad263f8 (\\\"ipv4: tcp_input: corrige la pila fuera de los l\\u00edmites al analizar las opciones de TCP\\\"). Cambios en v2: Se agreg\\u00f3 validaci\\u00f3n de doff en cake_get_tcphdr para evitar analizar basura como encabezado TCP. Aunque no era estrictamente un acceso fuera de los l\\u00edmites (se asign\\u00f3 memoria), se pod\\u00edan leer valores basura donde CAKE esperaba el encabezado TCP si doff era menor que 5.\"}]",
      "id": "CVE-2021-47243",
      "lastModified": "2024-12-30T19:04:26.770",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H\", \"baseScore\": 7.1, \"baseSeverity\": \"HIGH\", \"attackVector\": \"LOCAL\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 1.8, \"impactScore\": 5.2}]}",
      "published": "2024-05-21T15:15:13.403",
      "references": "[{\"url\": \"https://git.kernel.org/stable/c/3371392c60e2685af30bd4547badd880f5df2b3f\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"tags\": [\"Patch\"]}, {\"url\": \"https://git.kernel.org/stable/c/3b491dd593d582ceeb27aa617600712a6bd14246\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"tags\": [\"Patch\"]}, {\"url\": \"https://git.kernel.org/stable/c/4cefa061fc63f4d2dff5ab4083f43857cd7a2335\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"tags\": [\"Patch\"]}, {\"url\": \"https://git.kernel.org/stable/c/595897ef118d6fe66690c4fc5b572028c9da95b7\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"tags\": [\"Patch\"]}, {\"url\": \"https://git.kernel.org/stable/c/ba91c49dedbde758ba0b72f57ac90b06ddf8e548\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"tags\": [\"Patch\"]}, {\"url\": \"https://git.kernel.org/stable/c/3371392c60e2685af30bd4547badd880f5df2b3f\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\"]}, {\"url\": \"https://git.kernel.org/stable/c/3b491dd593d582ceeb27aa617600712a6bd14246\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\"]}, {\"url\": \"https://git.kernel.org/stable/c/4cefa061fc63f4d2dff5ab4083f43857cd7a2335\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\"]}, {\"url\": \"https://git.kernel.org/stable/c/595897ef118d6fe66690c4fc5b572028c9da95b7\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\"]}, {\"url\": \"https://git.kernel.org/stable/c/ba91c49dedbde758ba0b72f57ac90b06ddf8e548\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\"]}]",
      "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "vulnStatus": "Analyzed",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-125\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2021-47243\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-05-21T15:15:13.403\",\"lastModified\":\"2024-12-30T19:04:26.770\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nsch_cake: Fix out of bounds when parsing TCP options and header\\n\\nThe TCP option parser in cake qdisc (cake_get_tcpopt and\\ncake_tcph_may_drop) could read one byte out of bounds. When the length\\nis 1, the execution flow gets into the loop, reads one byte of the\\nopcode, and if the opcode is neither TCPOPT_EOL nor TCPOPT_NOP, it reads\\none more byte, which exceeds the length of 1.\\n\\nThis fix is inspired by commit 9609dad263f8 (\\\"ipv4: tcp_input: fix stack\\nout of bounds when parsing TCP options.\\\").\\n\\nv2 changes:\\n\\nAdded doff validation in cake_get_tcphdr to avoid parsing garbage as TCP\\nheader. Although it wasn\u0027t strictly an out-of-bounds access (memory was\\nallocated), garbage values could be read where CAKE expected the TCP\\nheader if doff was smaller than 5.\"},{\"lang\":\"es\",\"value\":\" En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: sch_cake: Correcci\u00f3n de l\u00edmites al analizar las opciones TCP y el encabezado. El analizador de opciones TCP en cake qdisc (cake_get_tcpopt y cake_tcph_may_drop) pod\u00eda leer un byte fuera de los l\u00edmites. Cuando la longitud es 1, el flujo de ejecuci\u00f3n entra en el bucle, lee un byte del c\u00f3digo de operaci\u00f3n y, si el c\u00f3digo de operaci\u00f3n no es TCPOPT_EOL ni TCPOPT_NOP, lee un byte m\u00e1s, que excede la longitud de 1. Esta soluci\u00f3n est\u00e1 inspirada en la confirmaci\u00f3n. 9609dad263f8 (\\\"ipv4: tcp_input: corrige la pila fuera de los l\u00edmites al analizar las opciones de TCP\\\"). Cambios en v2: Se agreg\u00f3 validaci\u00f3n de doff en cake_get_tcphdr para evitar analizar basura como encabezado TCP. Aunque no era estrictamente un acceso fuera de los l\u00edmites (se asign\u00f3 memoria), se pod\u00edan leer valores basura donde CAKE esperaba el encabezado TCP si doff era menor que 5.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H\",\"baseScore\":7.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.2}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-125\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.19\",\"versionEndExcluding\":\"4.19.196\",\"matchCriteriaId\":\"3DE66C67-F5DA-4883-B3AB-D6D527C324D9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.20\",\"versionEndExcluding\":\"5.4.128\",\"matchCriteriaId\":\"6267BD4E-BE25-48B5-B850-4B493440DAFA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.5\",\"versionEndExcluding\":\"5.10.46\",\"matchCriteriaId\":\"59455D13-A902-42E1-97F7-5ED579777193\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.11\",\"versionEndExcluding\":\"5.12.13\",\"matchCriteriaId\":\"7806E7E5-6D4F-4E18-81C1-79B3C60EE855\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:5.13:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"0CBAD0FC-C281-4666-AB2F-F8E6E1165DF7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:5.13:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"96AC23B2-D46A-49D9-8203-8E1BEDCA8532\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:5.13:rc3:*:*:*:*:*:*\",\"matchCriteriaId\":\"DA610E30-717C-4700-9F77-A3C9244F3BFD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:5.13:rc4:*:*:*:*:*:*\",\"matchCriteriaId\":\"1ECD33F5-85BE-430B-8F86-8D7BD560311D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:5.13:rc5:*:*:*:*:*:*\",\"matchCriteriaId\":\"CF351855-2437-4CF5-AD7C-BDFA51F27683\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:5.13:rc6:*:*:*:*:*:*\",\"matchCriteriaId\":\"25A855BA-2118-44F2-90EF-EBBB12AF51EF\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/3371392c60e2685af30bd4547badd880f5df2b3f\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/3b491dd593d582ceeb27aa617600712a6bd14246\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/4cefa061fc63f4d2dff5ab4083f43857cd7a2335\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/595897ef118d6fe66690c4fc5b572028c9da95b7\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/ba91c49dedbde758ba0b72f57ac90b06ddf8e548\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/3371392c60e2685af30bd4547badd880f5df2b3f\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/3b491dd593d582ceeb27aa617600712a6bd14246\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/4cefa061fc63f4d2dff5ab4083f43857cd7a2335\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/595897ef118d6fe66690c4fc5b572028c9da95b7\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/ba91c49dedbde758ba0b72f57ac90b06ddf8e548\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://git.kernel.org/stable/c/595897ef118d6fe66690c4fc5b572028c9da95b7\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://git.kernel.org/stable/c/4cefa061fc63f4d2dff5ab4083f43857cd7a2335\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://git.kernel.org/stable/c/3b491dd593d582ceeb27aa617600712a6bd14246\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://git.kernel.org/stable/c/3371392c60e2685af30bd4547badd880f5df2b3f\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://git.kernel.org/stable/c/ba91c49dedbde758ba0b72f57ac90b06ddf8e548\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-04T05:32:07.942Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2021-47243\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-09-10T15:39:57.595123Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-09-11T12:42:15.335Z\"}}], \"cna\": {\"title\": \"sch_cake: Fix out of bounds when parsing TCP options and header\", \"affected\": [{\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"8b7138814f29\", \"lessThan\": \"595897ef118d\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"8b7138814f29\", \"lessThan\": \"4cefa061fc63\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"8b7138814f29\", \"lessThan\": \"3b491dd593d5\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"8b7138814f29\", \"lessThan\": \"3371392c60e2\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"8b7138814f29\", \"lessThan\": \"ba91c49dedbd\", \"versionType\": \"git\"}], \"programFiles\": [\"net/sched/sch_cake.c\"], \"defaultStatus\": \"unaffected\"}, {\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"4.19\"}, {\"status\": \"unaffected\", \"version\": \"0\", \"lessThan\": \"4.19\", \"versionType\": \"semver\"}, {\"status\": \"unaffected\", \"version\": \"4.19.196\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"4.19.*\"}, {\"status\": \"unaffected\", \"version\": \"5.4.128\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.4.*\"}, {\"status\": \"unaffected\", \"version\": \"5.10.46\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.10.*\"}, {\"status\": \"unaffected\", \"version\": \"5.12.13\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.12.*\"}, {\"status\": \"unaffected\", \"version\": \"5.13\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"*\"}], \"programFiles\": [\"net/sched/sch_cake.c\"], \"defaultStatus\": \"affected\"}], \"references\": [{\"url\": \"https://git.kernel.org/stable/c/595897ef118d6fe66690c4fc5b572028c9da95b7\"}, {\"url\": \"https://git.kernel.org/stable/c/4cefa061fc63f4d2dff5ab4083f43857cd7a2335\"}, {\"url\": \"https://git.kernel.org/stable/c/3b491dd593d582ceeb27aa617600712a6bd14246\"}, {\"url\": \"https://git.kernel.org/stable/c/3371392c60e2685af30bd4547badd880f5df2b3f\"}, {\"url\": \"https://git.kernel.org/stable/c/ba91c49dedbde758ba0b72f57ac90b06ddf8e548\"}], \"x_generator\": {\"engine\": \"bippy-c8e10e5f6187\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nsch_cake: Fix out of bounds when parsing TCP options and header\\n\\nThe TCP option parser in cake qdisc (cake_get_tcpopt and\\ncake_tcph_may_drop) could read one byte out of bounds. When the length\\nis 1, the execution flow gets into the loop, reads one byte of the\\nopcode, and if the opcode is neither TCPOPT_EOL nor TCPOPT_NOP, it reads\\none more byte, which exceeds the length of 1.\\n\\nThis fix is inspired by commit 9609dad263f8 (\\\"ipv4: tcp_input: fix stack\\nout of bounds when parsing TCP options.\\\").\\n\\nv2 changes:\\n\\nAdded doff validation in cake_get_tcphdr to avoid parsing garbage as TCP\\nheader. Although it wasn\u0027t strictly an out-of-bounds access (memory was\\nallocated), garbage values could be read where CAKE expected the TCP\\nheader if doff was smaller than 5.\"}], \"providerMetadata\": {\"orgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"shortName\": \"Linux\", \"dateUpdated\": \"2024-11-04T11:37:28.294Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2021-47243\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-11-04T11:37:28.294Z\", \"dateReserved\": \"2024-04-10T18:59:19.532Z\", \"assignerOrgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"datePublished\": \"2024-05-21T14:19:42.309Z\", \"assignerShortName\": \"Linux\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.