PT-2021-8259 · Linux · Linux Kernel

Author: Pablo Neira Ayuso · Published: 2021-05-27 · Updated: 2024-11-07 · CVE-2021-47129

CVSS v2.0: 5.5 (Medium)
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:N
Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified)
Description: The vulnerability is in the nft_ct_expect_obj_eval() function in the Linux kernel's netfilter component. The function calls nf_ct_ext_add() on a confirmed conntrack entry, although nf_ct_ext_add() may only be called for unconfirmed conntrack entries. This can lead to a denial of service. The fix adds a new action that attaches a generic ct helper to the first packet and then uses this ct helper extension from follow-up packets to create the ct expectation.
Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Weakness Enumeration

Related Identifiers

BDU:2025-00797
CVE-2021-47129

Affected Products

Astra Linux
Linux Kernel