{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2021-47515", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-05-24T15:02:54.824Z", "datePublished": "2024-05-24T15:09:29.334Z", "dateUpdated": "2026-05-23T15:20:08.595Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-23T15:20:08.595Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nseg6: fix the iif in the IPv6 socket control block\n\nWhen an IPv4 packet is received, the ip_rcv_core(...) sets the receiving\ninterface index into the IPv4 socket control block (v5.16-rc4,\nnet/ipv4/ip_input.c line 510):\n\n IPCB(skb)->iif = skb->skb_iif;\n\nIf that IPv4 packet is meant to be encapsulated in an outer IPv6+SRH\nheader, the seg6_do_srh_encap(...) performs the required encapsulation.\nIn this case, the seg6_do_srh_encap function clears the IPv6 socket control\nblock (v5.16-rc4 net/ipv6/seg6_iptunnel.c line 163):\n\n memset(IP6CB(skb), 0, sizeof(*IP6CB(skb)));\n\nThe memset(...) was introduced in commit ef489749aae5 (\"ipv6: sr: clear\nIP6CB(skb) on SRH ip4ip6 encapsulation\") a long time ago (2019-01-29).\n\nSince the IPv6 socket control block and the IPv4 socket control block share\nthe same memory area (skb->cb), the receiving interface index info is lost\n(IP6CB(skb)->iif is set to zero).\n\nAs a side effect, that condition triggers a NULL pointer dereference if\ncommit 0857d6f8c759 (\"ipv6: When forwarding count rx stats on the orig\nnetdev\") is applied.\n\nTo fix that issue, we set the IP6CB(skb)->iif with the index of the\nreceiving interface once again."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/ipv6/seg6_iptunnel.c"], "versions": [{"version": "c630ec8bdadae9d557b1ceb9d6c06e149108a0d4", "lessThan": "b16d412e5f79734033df04e97d7ea2f50a8e9fe3", "status": "affected", "versionType": "git"}, {"version": "2f704348c93ff8119e642dae6a72327f90b82810", "lessThan": "6431e71093f3da586a00c6d931481ffb0dc2db0e", "status": "affected", "versionType": "git"}, {"version": "ef489749aae508e6f17886775c075f12ff919fb1", "lessThan": "ef8804e47c0a44ae106ead1740408af5ea6c6ee9", "status": "affected", "versionType": "git"}, {"version": "ef489749aae508e6f17886775c075f12ff919fb1", "lessThan": "666521b3852d2b2f52d570f9122b1e4b50d96831", "status": "affected", "versionType": "git"}, {"version": "ef489749aae508e6f17886775c075f12ff919fb1", "lessThan": "98adb2bbfa407c9290bda299d4c6f7a1c4ebd5e1", "status": "affected", "versionType": "git"}, {"version": "ef489749aae508e6f17886775c075f12ff919fb1", "lessThan": "ae68d93354e5bf5191ee673982251864ea24dd5c", "status": "affected", "versionType": "git"}, {"version": "b71b7e0280f47b4ac633fbfd153423814ea87810", "status": "affected", "versionType": "git"}, {"version": "4.14.98", "lessThan": "4.14.258", "status": "affected", "versionType": "semver"}, {"version": "4.19.20", "lessThan": "4.19.221", "status": "affected", "versionType": "semver"}, {"version": "4.20.7", "lessThan": "4.21", "status": "affected", "versionType": "semver"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/ipv6/seg6_iptunnel.c"], "versions": [{"version": "5.0", "status": "affected"}, {"version": "0", "lessThan": "5.0", "status": "unaffected", "versionType": "semver"}, {"version": "4.14.258", "lessThanOrEqual": "4.14.*", "status": "unaffected", "versionType": "semver"}, {"version": "4.19.221", "lessThanOrEqual": "4.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.4.165", "lessThanOrEqual": "5.4.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.85", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.8", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.16", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.14.98", "versionEndExcluding": "4.14.258"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.19.20", "versionEndExcluding": "4.19.221"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.0", "versionEndExcluding": "5.4.165"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.0", "versionEndExcluding": "5.10.85"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.0", "versionEndExcluding": "5.15.8"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.0", "versionEndExcluding": "5.16"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.20.7"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/b16d412e5f79734033df04e97d7ea2f50a8e9fe3"}, {"url": "https://git.kernel.org/stable/c/6431e71093f3da586a00c6d931481ffb0dc2db0e"}, {"url": "https://git.kernel.org/stable/c/ef8804e47c0a44ae106ead1740408af5ea6c6ee9"}, {"url": "https://git.kernel.org/stable/c/666521b3852d2b2f52d570f9122b1e4b50d96831"}, {"url": "https://git.kernel.org/stable/c/98adb2bbfa407c9290bda299d4c6f7a1c4ebd5e1"}, {"url": "https://git.kernel.org/stable/c/ae68d93354e5bf5191ee673982251864ea24dd5c"}], "title": "seg6: fix the iif in the IPv6 socket control block", "x_generator": {"engine": "bippy-1.2.0"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T05:39:59.755Z"}, "title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/b16d412e5f79734033df04e97d7ea2f50a8e9fe3", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/6431e71093f3da586a00c6d931481ffb0dc2db0e", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/ef8804e47c0a44ae106ead1740408af5ea6c6ee9", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/666521b3852d2b2f52d570f9122b1e4b50d96831", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/98adb2bbfa407c9290bda299d4c6f7a1c4ebd5e1", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/ae68d93354e5bf5191ee673982251864ea24dd5c", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2021-47515", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-10T15:35:33.340330Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-11T17:32:52.378Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/b16d412e5f79734033df04e97d7ea2f50a8e9fe3", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/6431e71093f3da586a00c6d931481ffb0dc2db0e", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/ef8804e47c0a44ae106ead1740408af5ea6c6ee9", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/666521b3852d2b2f52d570f9122b1e4b50d96831", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/98adb2bbfa407c9290bda299d4c6f7a1c4ebd5e1", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/ae68d93354e5bf5191ee673982251864ea24dd5c", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T05:39:59.755Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2021-47515", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-10T15:35:33.340330Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-11T12:42:13.176Z"}}], "cna": {"title": "seg6: fix the iif in the IPv6 socket control block", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "c630ec8bdadae9d557b1ceb9d6c06e149108a0d4", "lessThan": "b16d412e5f79734033df04e97d7ea2f50a8e9fe3", "versionType": "git"}, {"status": "affected", "version": "2f704348c93ff8119e642dae6a72327f90b82810", "lessThan": "6431e71093f3da586a00c6d931481ffb0dc2db0e", "versionType": "git"}, {"status": "affected", "version": "ef489749aae508e6f17886775c075f12ff919fb1", "lessThan": "ef8804e47c0a44ae106ead1740408af5ea6c6ee9", "versionType": "git"}, {"status": "affected", "version": "ef489749aae508e6f17886775c075f12ff919fb1", "lessThan": "666521b3852d2b2f52d570f9122b1e4b50d96831", "versionType": "git"}, {"status": "affected", "version": "ef489749aae508e6f17886775c075f12ff919fb1", "lessThan": "98adb2bbfa407c9290bda299d4c6f7a1c4ebd5e1", "versionType": "git"}, {"status": "affected", "version": "ef489749aae508e6f17886775c075f12ff919fb1", "lessThan": "ae68d93354e5bf5191ee673982251864ea24dd5c", "versionType": "git"}, {"status": "affected", "version": "b71b7e0280f47b4ac633fbfd153423814ea87810", "versionType": "git"}, {"status": "affected", "version": "4.14.98", "lessThan": "4.14.258", "versionType": "semver"}, {"status": "affected", "version": "4.19.20", "lessThan": "4.19.221", "versionType": "semver"}, {"status": "affected", "version": "4.20.7", "lessThan": "4.21", "versionType": "semver"}], "programFiles": ["net/ipv6/seg6_iptunnel.c"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "5.0"}, {"status": "unaffected", "version": "0", "lessThan": "5.0", "versionType": "semver"}, {"status": "unaffected", "version": "4.14.258", "versionType": "semver", "lessThanOrEqual": "4.14.*"}, {"status": "unaffected", "version": "4.19.221", "versionType": "semver", "lessThanOrEqual": "4.19.*"}, {"status": "unaffected", "version": "5.4.165", "versionType": "semver", "lessThanOrEqual": "5.4.*"}, {"status": "unaffected", "version": "5.10.85", "versionType": "semver", "lessThanOrEqual": "5.10.*"}, {"status": "unaffected", "version": "5.15.8", "versionType": "semver", "lessThanOrEqual": "5.15.*"}, {"status": "unaffected", "version": "5.16", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["net/ipv6/seg6_iptunnel.c"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/b16d412e5f79734033df04e97d7ea2f50a8e9fe3"}, {"url": "https://git.kernel.org/stable/c/6431e71093f3da586a00c6d931481ffb0dc2db0e"}, {"url": "https://git.kernel.org/stable/c/ef8804e47c0a44ae106ead1740408af5ea6c6ee9"}, {"url": "https://git.kernel.org/stable/c/666521b3852d2b2f52d570f9122b1e4b50d96831"}, {"url": "https://git.kernel.org/stable/c/98adb2bbfa407c9290bda299d4c6f7a1c4ebd5e1"}, {"url": "https://git.kernel.org/stable/c/ae68d93354e5bf5191ee673982251864ea24dd5c"}], "x_generator": {"engine": "bippy-1.2.0"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nseg6: fix the iif in the IPv6 socket control block\n\nWhen an IPv4 packet is received, the ip_rcv_core(...) sets the receiving\ninterface index into the IPv4 socket control block (v5.16-rc4,\nnet/ipv4/ip_input.c line 510):\n\n IPCB(skb)->iif = skb->skb_iif;\n\nIf that IPv4 packet is meant to be encapsulated in an outer IPv6+SRH\nheader, the seg6_do_srh_encap(...) performs the required encapsulation.\nIn this case, the seg6_do_srh_encap function clears the IPv6 socket control\nblock (v5.16-rc4 net/ipv6/seg6_iptunnel.c line 163):\n\n memset(IP6CB(skb), 0, sizeof(*IP6CB(skb)));\n\nThe memset(...) was introduced in commit ef489749aae5 (\"ipv6: sr: clear\nIP6CB(skb) on SRH ip4ip6 encapsulation\") a long time ago (2019-01-29).\n\nSince the IPv6 socket control block and the IPv4 socket control block share\nthe same memory area (skb->cb), the receiving interface index info is lost\n(IP6CB(skb)->iif is set to zero).\n\nAs a side effect, that condition triggers a NULL pointer dereference if\ncommit 0857d6f8c759 (\"ipv6: When forwarding count rx stats on the orig\nnetdev\") is applied.\n\nTo fix that issue, we set the IP6CB(skb)->iif with the index of the\nreceiving interface once again."}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "4.14.258", "versionStartIncluding": "4.14.98"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "4.19.221", "versionStartIncluding": "4.19.20"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "5.4.165", "versionStartIncluding": "5.0"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "5.10.85", "versionStartIncluding": "5.0"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "5.15.8", "versionStartIncluding": "5.0"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "5.16", "versionStartIncluding": "5.0"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionStartIncluding": "4.20.7"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-23T15:20:08.595Z"}}}, "cveMetadata": {"cveId": "CVE-2021-47515", "state": "PUBLISHED", "dateUpdated": "2026-05-23T15:20:08.595Z", "dateReserved": "2024-05-24T15:02:54.824Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2024-05-24T15:09:29.334Z", "assignerShortName": "Linux"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "72C9A7C8-757B-4EFB-AC4E-B383EFFEF45C", "versionEndExcluding": "4.14.258", "versionStartIncluding": "4.14.98", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "9F887262-DA38-45C9-BED5-4D65E50DB9C0", "versionEndExcluding": "4.19.221", "versionStartIncluding": "4.19.20", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "232F87BF-8F17-4BEB-80A0-49489CB86DDA", "versionEndExcluding": "5.0", "versionStartIncluding": "4.20.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "A29CBCD8-CCB1-42FD-BFC8-FD77C4D2FD57", "versionEndExcluding": "5.4.165", "versionStartIncluding": "5.0.1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "D9668578-08F7-4694-A86F-FCE448387A79", "versionEndExcluding": "5.10.85", "versionStartIncluding": "5.5", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "6664ACE2-F748-4AE5-B98B-58803B0B2C3E", "versionEndExcluding": "5.15.8", "versionStartIncluding": "5.11", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.0:-:*:*:*:*:*:*", "matchCriteriaId": "1D0FE595-0CFE-4491-808B-CEF691CE7B0A", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.0:rc6:*:*:*:*:*:*", "matchCriteriaId": "FDF49B77-4688-4908-9239-89B729456D22", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.0:rc7:*:*:*:*:*:*", "matchCriteriaId": "77F342FB-3D7B-4EAE-BF8B-57B7B860BAFD", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.0:rc8:*:*:*:*:*:*", "matchCriteriaId": "47D61679-6515-4E18-83C7-A71982CCD83C", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.16:rc1:*:*:*:*:*:*", "matchCriteriaId": "357AA433-37E8-4323-BFB2-3038D6E4B414", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.16:rc2:*:*:*:*:*:*", "matchCriteriaId": "A73429BA-C2D9-4D0C-A75F-06A1CA8B3983", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.16:rc3:*:*:*:*:*:*", "matchCriteriaId": "F621B5E3-E99D-49E7-90B9-EC3B77C95383", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.16:rc4:*:*:*:*:*:*", "matchCriteriaId": "F7BFDCAA-1650-49AA-8462-407DD593F94F", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nseg6: fix the iif in the IPv6 socket control block\n\nWhen an IPv4 packet is received, the ip_rcv_core(...) sets the receiving\ninterface index into the IPv4 socket control block (v5.16-rc4,\nnet/ipv4/ip_input.c line 510):\n\n IPCB(skb)->iif = skb->skb_iif;\n\nIf that IPv4 packet is meant to be encapsulated in an outer IPv6+SRH\nheader, the seg6_do_srh_encap(...) performs the required encapsulation.\nIn this case, the seg6_do_srh_encap function clears the IPv6 socket control\nblock (v5.16-rc4 net/ipv6/seg6_iptunnel.c line 163):\n\n memset(IP6CB(skb), 0, sizeof(*IP6CB(skb)));\n\nThe memset(...) was introduced in commit ef489749aae5 (\"ipv6: sr: clear\nIP6CB(skb) on SRH ip4ip6 encapsulation\") a long time ago (2019-01-29).\n\nSince the IPv6 socket control block and the IPv4 socket control block share\nthe same memory area (skb->cb), the receiving interface index info is lost\n(IP6CB(skb)->iif is set to zero).\n\nAs a side effect, that condition triggers a NULL pointer dereference if\ncommit 0857d6f8c759 (\"ipv6: When forwarding count rx stats on the orig\nnetdev\") is applied.\n\nTo fix that issue, we set the IP6CB(skb)->iif with the index of the\nreceiving interface once again."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: seg6: corrige el iif en el bloque de control del socket IPv6 Cuando se recibe un paquete IPv4, ip_rcv_core(...) establece el \u00edndice de la interfaz de recepci\u00f3n en el bloque de control del socket IPv4 (v5 .16-rc4, net/ipv4/ip_input.c l\u00ednea 510): IPCB(skb)->iif = skb->skb_iif; Si ese paquete IPv4 debe encapsularse en un encabezado IPv6+SRH externo, seg6_do_srh_encap(...) realiza la encapsulaci\u00f3n requerida. En este caso, la funci\u00f3n seg6_do_srh_encap borra el bloque de control del socket IPv6 (v5.16-rc4 net/ipv6/seg6_iptunnel.c l\u00ednea 163): memset(IP6CB(skb), 0, sizeof(*IP6CB(skb))); El memset(...) se introdujo en El commit ef489749aae5 (\"ipv6: sr: clear IP6CB(skb) en la encapsulaci\u00f3n SRH ip4ip6\") hace mucho tiempo (29 de enero de 2019). Dado que el bloque de control del socket IPv6 y el bloque de control del socket IPv4 comparten la misma \u00e1rea de memoria (skb->cb), la informaci\u00f3n del \u00edndice de la interfaz de recepci\u00f3n se pierde (IP6CB(skb)->iif se establece en cero). Como efecto secundario, esa condici\u00f3n desencadena una desreferencia del puntero NULL si se aplica el commit 0857d6f8c759 (\"ipv6: al reenviar estad\u00edsticas de recuento de rx en el netdev original\"). Para solucionar ese problema, configuramos IP6CB(skb)->iif con el \u00edndice de la interfaz de recepci\u00f3n una vez m\u00e1s."}], "id": "CVE-2021-47515", "lastModified": "2025-09-24T19:37:09.340", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-05-24T15:15:12.937", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/6431e71093f3da586a00c6d931481ffb0dc2db0e"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/666521b3852d2b2f52d570f9122b1e4b50d96831"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/98adb2bbfa407c9290bda299d4c6f7a1c4ebd5e1"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/ae68d93354e5bf5191ee673982251864ea24dd5c"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/b16d412e5f79734033df04e97d7ea2f50a8e9fe3"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/ef8804e47c0a44ae106ead1740408af5ea6c6ee9"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/6431e71093f3da586a00c6d931481ffb0dc2db0e"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/666521b3852d2b2f52d570f9122b1e4b50d96831"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/98adb2bbfa407c9290bda299d4c6f7a1c4ebd5e1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/ae68d93354e5bf5191ee673982251864ea24dd5c"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/b16d412e5f79734033df04e97d7ea2f50a8e9fe3"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/ef8804e47c0a44ae106ead1740408af5ea6c6ee9"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-476"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2023:6583", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "kernel-0:5.14.0-362.8.1.el9_3", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2023-11-07T00:00:00Z"}, {"advisory": "RHSA-2023:6583", "cpe": "cpe:/o:redhat:enterprise_linux:9", "package": "kernel-0:5.14.0-362.8.1.el9_3", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2023-11-07T00:00:00Z"}], "bugzilla": {"description": "kernel: seg6: fix the iif in the IPv6 socket control block", "id": "2283436", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2283436"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-476", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nseg6: fix the iif in the IPv6 socket control block\nWhen an IPv4 packet is received, the ip_rcv_core(...) sets the receiving\ninterface index into the IPv4 socket control block (v5.16-rc4,\nnet/ipv4/ip_input.c line 510):\nIPCB(skb)->iif = skb->skb_iif;\nIf that IPv4 packet is meant to be encapsulated in an outer IPv6+SRH\nheader, the seg6_do_srh_encap(...) performs the required encapsulation.\nIn this case, the seg6_do_srh_encap function clears the IPv6 socket control\nblock (v5.16-rc4 net/ipv6/seg6_iptunnel.c line 163):\nmemset(IP6CB(skb), 0, sizeof(*IP6CB(skb)));\nThe memset(...) was introduced in commit ef489749aae5 (\"ipv6: sr: clear\nIP6CB(skb) on SRH ip4ip6 encapsulation\") a long time ago (2019-01-29).\nSince the IPv6 socket control block and the IPv4 socket control block share\nthe same memory area (skb->cb), the receiving interface index info is lost\n(IP6CB(skb)->iif is set to zero).\nAs a side effect, that condition triggers a NULL pointer dereference if\ncommit 0857d6f8c759 (\"ipv6: When forwarding count rx stats on the orig\nnetdev\") is applied.\nTo fix that issue, we set the IP6CB(skb)->iif with the index of the\nreceiving interface once again."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2021-47515", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-05-24T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-47515\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-47515\nhttps://lore.kernel.org/linux-cve-announce/2024052431-CVE-2021-47515-5c06@gregkh/T"], "threat_severity": "Moderate"}

{}