CVE-2021-47010

net: Only allow init netns to set default tcp cong to a restricted algo

Description

In the Linux kernel, the following vulnerability has been resolved: net: Only allow init netns to set default tcp cong to a restricted algo tcp_set_default_congestion_control() is netns-safe in that it writes to &net->ipv4.tcp_congestion_control, but it also sets ca->flags |= TCP_CONG_NON_RESTRICTED which is not namespaced. This has the unintended side-effect of changing the global net.ipv4.tcp_allowed_congestion_control sysctl, despite the fact that it is read-only: 97684f0970f6 ("net: Make tcp_allowed_congestion_control readonly in non-init netns") Resolve this netns "leak" by only allowing the init netns to set the default algorithm to one that is restricted. This restriction could be removed if tcp_allowed_congestion_control were namespace-ified in the future. This bug was uncovered with https://github.com/JonathonReinhart/linux-netns-sysctl-verify

Category

7.8
CVSS
Severity: High
CVSS 3.1 •
EPSS 0.01%
Affected: Linux Linux
Affected: Linux Linux
Published at:
Updated at:

References

Link Tags
https://git.kernel.org/stable/c/992de06308d9a9584d59b96d294ac676f924e437 patch
https://git.kernel.org/stable/c/9884f745108f7d25b189bbcd6754e284fb29ab68 patch
https://git.kernel.org/stable/c/6c1ea8bee75df8fe2184a50fcd0f70bf82986f42 patch
https://git.kernel.org/stable/c/efe1532a6e1a8e3c343d04fff510f0ed80328f9c patch
https://git.kernel.org/stable/c/e7d7bedd507bb732e600403b7a96f9fe48d0ca31 patch
https://git.kernel.org/stable/c/8d432592f30fcc34ef5a10aac4887b4897884493 patch

Frequently Asked Questions

What is the severity of CVE-2021-47010?
CVE-2021-47010 has been scored as a high severity vulnerability.
How to fix CVE-2021-47010?
To fix CVE-2021-47010, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2021-47010 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2021-47010 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2021-47010?
CVE-2021-47010 affects Linux Linux, Linux Linux.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.