PT-2021-8031 · Linux+4 · Linux Kernel+4
Muchun Song · Published 2021-12-29 · Updated 2025-01-08
CVE-2021-46936
CVSS v3.1: 7.8 (High)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Linux kernel versions prior to 5.4
Description
A use-after-free vulnerability has been identified in the Linux kernel. The issue arises when ipv4_mib_exit_net() is called before tcp_sk_exit_batch() during the destruction of a net namespace, resulting in a use-after-free on net->mib.net_statistics in tw_timer_handler(). This vulnerability can lead to a real-world panic, as demonstrated in Linux 5.4. The bug was introduced by commit 61a7e26028b9, which put net statistics on struct net and freed them when the net namespace was destroyed.
Recommendations
To resolve this issue, move init_ipv4_mibs() to the front of tcp_init() and replace pr_crit() with panic(), since continuing is meaningless when init_ipv4_mibs() fails. As a temporary workaround, consider disabling the tw_timer_handler() function until a patch is available. Restrict access to the vulnerable net->mib.net_statistics to minimize the risk of exploitation.
Fix
Use After Free
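The ordering problem in the description, and why moving init_ipv4_mibs() ahead of tcp_init() resolves it, can be seen in a small userspace model. This is an added example, not kernel code and not part of the original advisory. The struct and function names (net_model, mib_exit, tcp_exit, teardown) are hypothetical stand-ins, and the model relies on per-namespace exit handlers running in reverse order of registration.

```c
/* Userspace model (constructed for illustration, not kernel code). */
#include <stdio.h>

struct net_model {
    int stats_freed; /* stands in for freeing net->mib.net_statistics */
    int uaf_hits;    /* timer accesses that happened after the free */
};
typedef void (*exit_fn)(struct net_model *);

/* Models ipv4_mib_exit_net(): releases the per-namespace statistics. */
static void mib_exit(struct net_model *net) { net->stats_freed = 1; }

/* Models tcp_sk_exit_batch(): until it runs, tw_timer_handler() may still
 * fire and update a counter in net_statistics. */
static void tcp_exit(struct net_model *net)
{
    if (net->stats_freed)
        net->uaf_hits++; /* in the kernel this access is the use-after-free */
}

/* Exit handlers run in reverse order of registration. */
static int teardown(const exit_fn *registered, int n)
{
    struct net_model net = { 0, 0 };
    for (int i = n - 1; i >= 0; i--)
        registered[i](&net);
    return net.uaf_hits;
}

/* Before the fix: TCP registered first, so the MIB exit runs first. */
static int teardown_before_fix(void)
{
    const exit_fn order[] = { tcp_exit, mib_exit };
    return teardown(order, 2);
}

/* After the fix: init_ipv4_mibs() precedes tcp_init(), MIB exit runs last. */
static int teardown_after_fix(void)
{
    const exit_fn order[] = { mib_exit, tcp_exit };
    return teardown(order, 2);
}

int main(void)
{
    printf("before fix: %d stale access(es)\n", teardown_before_fix());
    printf("after fix:  %d stale access(es)\n", teardown_after_fix());
    return 0;
}
```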
Weakness Enumeration
Related Identifiers
Affected Products
Astra Linux
Linux Kernel
Red Os
Suse
Ubuntu