CVE-2021-46999 (GCVE-0-2021-46999)
Vulnerability from cvelistv5
Published: 2024-02-28 08:13
Modified: 2025-05-04 12:40
Summary
In the Linux kernel, the following vulnerability has been resolved:

sctp: do asoc update earlier in sctp_sf_do_dupcook_a

There's a panic that occurs in a few of envs, the call trace is as below:

  [] general protection fault, ... 0x29acd70f1000a: 0000 [#1] SMP PTI
  [] RIP: 0010:sctp_ulpevent_notify_peer_addr_change+0x4b/0x1fa [sctp]
  [] sctp_assoc_control_transport+0x1b9/0x210 [sctp]
  [] sctp_do_8_2_transport_strike.isra.16+0x15c/0x220 [sctp]
  [] sctp_cmd_interpreter.isra.21+0x1231/0x1a10 [sctp]
  [] sctp_do_sm+0xc3/0x2a0 [sctp]
  [] sctp_generate_timeout_event+0x81/0xf0 [sctp]

This is caused by a transport use-after-free issue. When processing a
duplicate COOKIE-ECHO chunk in sctp_sf_do_dupcook_a(), both COOKIE-ACK
and SHUTDOWN chunks are allocated with the transport from the new asoc.
However, later in the side effect machine, the old asoc is used to send
them out and old asoc's shutdown_last_sent_to is set to the transport
that SHUTDOWN chunk attached to in sctp_cmd_setup_t2(), which actually
belongs to the new asoc. After the new_asoc is freed and the old asoc
T2 timeout, the old asoc's shutdown_last_sent_to that is already freed
would be accessed in sctp_sf_t2_timer_expire().

Thanks Alexander and Jere for helping dig into this issue.

To fix it, this patch is to do the asoc update first, then allocate
the COOKIE-ACK and SHUTDOWN chunks with the 'updated' old asoc. This
would make more sense, as a chunk from an asoc shouldn't be sent out
with another asoc. We had fixed quite a few issues caused by this.
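References
- https://git.kernel.org/stable/c/d624f2991b977821375fbd56c91b0c91d456a697
- https://git.kernel.org/stable/c/b1b31948c0af44628e43353828453461bb74098f
- https://git.kernel.org/stable/c/f01988ecf3654f805282dce2d3bb9afe68d2691e
- https://git.kernel.org/stable/c/61b877bad9bb0d82b7d8841be50872557090a704
- https://git.kernel.org/stable/c/0bfd913c2121b3d553bfd52810fe6061d542d625
- https://git.kernel.org/stable/c/35b4f24415c854cd718ccdf38dbea6297f010aae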
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Version: db8bf823e70f239372c62f13e4eb6f08a1665e8c |
| Linux | Linux | Version: a204d577be70e0a0a6023cf1b9859c9ebffaeecd |
| Linux | Linux | Version: 145cb2f7177d94bc54563ed26027e952ee0ae03c |
| Linux | Linux | Version: 145cb2f7177d94bc54563ed26027e952ee0ae03c |
| Linux | Linux | Version: 145cb2f7177d94bc54563ed26027e952ee0ae03c |
| Linux | Linux | Version: 145cb2f7177d94bc54563ed26027e952ee0ae03c |
| Linux | Linux | Version: a5ce8531ea508d270822b2bc6140c6198c8a2a7b |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-46999",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-21T16:28:23.491999Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-21T16:28:34.904Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-04T05:24:37.916Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/d624f2991b977821375fbd56c91b0c91d456a697"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/b1b31948c0af44628e43353828453461bb74098f"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/f01988ecf3654f805282dce2d3bb9afe68d2691e"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/61b877bad9bb0d82b7d8841be50872557090a704"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/0bfd913c2121b3d553bfd52810fe6061d542d625"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/35b4f24415c854cd718ccdf38dbea6297f010aae"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sctp/sm_statefuns.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d624f2991b977821375fbd56c91b0c91d456a697",
"status": "affected",
"version": "db8bf823e70f239372c62f13e4eb6f08a1665e8c",
"versionType": "git"
},
{
"lessThan": "b1b31948c0af44628e43353828453461bb74098f",
"status": "affected",
"version": "a204d577be70e0a0a6023cf1b9859c9ebffaeecd",
"versionType": "git"
},
{
"lessThan": "f01988ecf3654f805282dce2d3bb9afe68d2691e",
"status": "affected",
"version": "145cb2f7177d94bc54563ed26027e952ee0ae03c",
"versionType": "git"
},
{
"lessThan": "61b877bad9bb0d82b7d8841be50872557090a704",
"status": "affected",
"version": "145cb2f7177d94bc54563ed26027e952ee0ae03c",
"versionType": "git"
},
{
"lessThan": "0bfd913c2121b3d553bfd52810fe6061d542d625",
"status": "affected",
"version": "145cb2f7177d94bc54563ed26027e952ee0ae03c",
"versionType": "git"
},
{
"lessThan": "35b4f24415c854cd718ccdf38dbea6297f010aae",
"status": "affected",
"version": "145cb2f7177d94bc54563ed26027e952ee0ae03c",
"versionType": "git"
},
{
"status": "affected",
"version": "a5ce8531ea508d270822b2bc6140c6198c8a2a7b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sctp/sm_statefuns.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.191",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.38",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.11.*",
"status": "unaffected",
"version": "5.11.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.12.*",
"status": "unaffected",
"version": "5.12.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.13",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.191",
"versionStartIncluding": "4.19.123",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.120",
"versionStartIncluding": "5.4.41",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.38",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.11.22",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.12.5",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.13",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.6.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: do asoc update earlier in sctp_sf_do_dupcook_a\n\nThere\u0027s a panic that occurs in a few of envs, the call trace is as below:\n\n [] general protection fault, ... 0x29acd70f1000a: 0000 [#1] SMP PTI\n [] RIP: 0010:sctp_ulpevent_notify_peer_addr_change+0x4b/0x1fa [sctp]\n [] sctp_assoc_control_transport+0x1b9/0x210 [sctp]\n [] sctp_do_8_2_transport_strike.isra.16+0x15c/0x220 [sctp]\n [] sctp_cmd_interpreter.isra.21+0x1231/0x1a10 [sctp]\n [] sctp_do_sm+0xc3/0x2a0 [sctp]\n [] sctp_generate_timeout_event+0x81/0xf0 [sctp]\n\nThis is caused by a transport use-after-free issue. When processing a\nduplicate COOKIE-ECHO chunk in sctp_sf_do_dupcook_a(), both COOKIE-ACK\nand SHUTDOWN chunks are allocated with the transort from the new asoc.\nHowever, later in the sideeffect machine, the old asoc is used to send\nthem out and old asoc\u0027s shutdown_last_sent_to is set to the transport\nthat SHUTDOWN chunk attached to in sctp_cmd_setup_t2(), which actually\nbelongs to the new asoc. After the new_asoc is freed and the old asoc\nT2 timeout, the old asoc\u0027s shutdown_last_sent_to that is already freed\nwould be accessed in sctp_sf_t2_timer_expire().\n\nThanks Alexander and Jere for helping dig into this issue.\n\nTo fix it, this patch is to do the asoc update first, then allocate\nthe COOKIE-ACK and SHUTDOWN chunks with the \u0027updated\u0027 old asoc. This\nwould make more sense, as a chunk from an asoc shouldn\u0027t be sent out\nwith another asoc. We had fixed quite a few issues caused by this."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T12:40:45.930Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d624f2991b977821375fbd56c91b0c91d456a697"
},
{
"url": "https://git.kernel.org/stable/c/b1b31948c0af44628e43353828453461bb74098f"
},
{
"url": "https://git.kernel.org/stable/c/f01988ecf3654f805282dce2d3bb9afe68d2691e"
},
{
"url": "https://git.kernel.org/stable/c/61b877bad9bb0d82b7d8841be50872557090a704"
},
{
"url": "https://git.kernel.org/stable/c/0bfd913c2121b3d553bfd52810fe6061d542d625"
},
{
"url": "https://git.kernel.org/stable/c/35b4f24415c854cd718ccdf38dbea6297f010aae"
}
],
"title": "sctp: do asoc update earlier in sctp_sf_do_dupcook_a",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2021-46999",
"datePublished": "2024-02-28T08:13:22.256Z",
"dateReserved": "2024-02-27T18:42:55.950Z",
"dateUpdated": "2025-05-04T12:40:45.930Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}