CVE Alert: CVE-2021-22555 – n/a – Linux Kernel
CVE-2021-22555
HIGH · Exploitation active
A heap out-of-bounds write affecting Linux since v2.6.19-rc1 was discovered in net/netfilter/x_tables.c. This allows an attacker to gain privileges or cause a DoS (via heap memory corruption) through user name space
CVSS v3.1 (8.3)
AV ADJACENT_NETWORK · AC HIGH · PR NONE · UI NONE · S CHANGED
Vendor
n/a
Product
Linux Kernel
Versions
2.6.19-rc1 and later (upper bound unspecified)
CWE
CWE-787 Out-of-bounds Write
Vector
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Published
2021-07-07T11:20:10.668Z
Updated
2025-10-04T03:55:23.395Z
References
AI Summary Analysis
- Risk verdict: Active exploitation is reported; treat as priority 1.
- Why this matters: An adjacent-network attacker can trigger a heap out-of-bounds write in Netfilter IP6T_SO_SET_REPLACE, enabling privilege escalation or a DoS. The high base score and changed scope suggest potential cross-component impact beyond the initial host, compromising confidentiality, integrity and availability.
- Most likely attack path: An attacker within the same network could issue crafted netfilter IP6T operations to induce the heap corruption, requiring no user interaction. Successful exploitation may grant kernel-level privileges or disrupt services, with possible lateral movement across containers or other processes sharing the kernel.
- Who is most exposed: Linux systems with IPv6 Netfilter exposed to adjacent networks are at risk, including cloud VMs, container hosts and embedded devices deployed in less controlled networks.
- Detection ideas
  - Kernel OOPS/panic messages referencing net/netfilter/x_tables.c
  - Logs of heap/memory corruption events in dmesg
  - Abnormal bursts of IP6T_SO_SET_REPLACE or IPv6 netfilter activity
  - Privilege-escalation attempts without user actions
  - Audit logs showing unexpected changes to IPv6 netfilter rules
- Mitigation and prioritisation
  - Apply vendor/kernel patch or upgrade to fixed revision; coordinate with distro PM.
  - If patching is delayed, implement compensating controls: restrict adjacent-network access, limit IPv6 netfilter modifications, and tighten firewall rules.
  - Validate patches in staging before production rollout; plan change window.
  - Consider live patches where available; monitor for related CVE disclosures.
  - Treat as priority 1 (due to active exploitation).