CVE-2021-22555
published 2021-07-07


Priority P1 · 89 · high · 7.8 (CVSS 3.1)
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due 2025-10-27
Exploited in the wild
EPSS: 78.68% (99.5th percentile)
A heap out-of-bounds write affecting Linux since v2.6.19-rc1 was discovered in net/netfilter/x_tables.c. This allows an attacker to gain privileges or cause a DoS (via heap memory corruption) through user name space

Affected (23 ranges listed by the source; identical duplicate rows merged below)

Vendor     Product        Version range                    Fixed in
debian     linux          < 5.10.38-1 (bookworm)           5.10.38-1 (bookworm)
linux      linux_kernel   >= 0 < 5.10.38-1                 5.10.38-1
linux      linux_kernel   >= 0 < 4.4.0-214.246             4.4.0-214.246
linux      linux_kernel   >= 0 < 4.4.0-213.245             4.4.0-213.245
linux      linux_kernel   >= 0 < 4.4.0-218.251             4.4.0-218.251
linux      linux_kernel   >= 0 < 4.15.0-156.163            4.15.0-156.163
linux      linux_kernel   >= 0 < 4.15.0-144.148            4.15.0-144.148
linux      linux_kernel   >= 0 < 4.15.0-166.174            4.15.0-166.174
linux      linux_kernel   >= 0 < 5.4.0-84.94               5.4.0-84.94
linux      linux_kernel   >= 0 < 5.4.0-74.83               5.4.0-74.83
linux      linux_kernel   >= 0 < 5.4.0-92.103              5.4.0-92.103
linux      linux_kernel   >= 2.6.19 < 4.4.267              4.4.267
linux      linux_kernel   >= 2.6.19-rc1 < unspecified      unspecified
linux      linux_kernel   >= 4.10 < 4.14.231               4.14.231
linux      linux_kernel   >= 4.15 < 4.19.188               4.19.188
linux      linux_kernel   >= 4.20 < 5.4.113                5.4.113
linux      linux_kernel   >= 4.5 < 4.9.267                 4.9.267
linux      linux_kernel   >= 5.11 < 5.12                   5.12
linux      linux_kernel   >= 5.5 < 5.10.31                 5.10.31
paloalto   pan-os         -                                -

Note on reading the table: the rows of the form 4.4.0-214.246 / 4.15.0-156.163 / 5.4.0-84.94 are Ubuntu kernel package versions and 5.10.38-1 is a Debian package version; those carry the fix as a backport without changing the upstream version in uname -r, so compare the installed package version against them rather than the kernel release string. The rows with plain upstream versions (4.4.267, 4.9.267, 4.14.231, 4.19.188, 5.4.113, 5.10.31, 5.12) are the stable-branch and mainline fix points.
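The ranges above, together with the unprivileged user-namespace precondition described in the Detection & IOCs notes below, are what an operator needs to decide whether a host is exposed. The C program below is an added example (not the tracker's code and not part of the public PoC): it encodes the upstream fix points from the table, reads user.max_user_namespaces, and tries unshare(CLONE_NEWUSER|CLONE_NEWNET) in a child process the way the PoC does to obtain CAP_NET_ADMIN. The release-string parser and the decision to treat unlisted branches as unfixed are the example's own assumptions.

```c
// Local exposure check for CVE-2021-22555. Added example, not the tracker's
// or the kernel's code. Fix points come from the Affected table above; the
// user-namespace test mirrors the precondition the public PoC relies on.
#define _GNU_SOURCE
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/utsname.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000
#endif
#ifndef CLONE_NEWNET
#define CLONE_NEWNET 0x40000000
#endif
int unshare(int flags);

struct fixpoint { int major, minor, patch; };

/* First release on each upstream stable branch that carries the fix, per the
 * table above. 5.12 is the mainline fix; branches not listed here (e.g.
 * 5.5-5.9, 5.11) are treated as never fixed upstream (assumption). */
static const struct fixpoint FIXED_IN[] = {
    {4, 4, 267}, {4, 9, 267}, {4, 14, 231}, {4, 19, 188},
    {5, 4, 113}, {5, 10, 31},
};

/* Parse "5.10.30-1-amd64" -> 5, 10, 30. Returns 0 if no major.minor found. */
int parse_release(const char *release, int *maj, int *min, int *pat)
{
    *maj = *min = *pat = 0;
    return sscanf(release, "%d.%d.%d", maj, min, pat) >= 2;
}

/* 1: upstream version carries the fix (or predates 2.6.19-rc1),
 * 0: upstream-vulnerable, -1: unparseable.
 * Distro kernels (Ubuntu 5.4.0-84.94, Debian 5.10.38-1, ...) backport the fix
 * without bumping the upstream version, so for them compare the package
 * version against the table instead of trusting this result. */
int upstream_has_fix(const char *release)
{
    int maj, min, pat;
    if (!parse_release(release, &maj, &min, &pat))
        return -1;
    if (maj < 2 || (maj == 2 && (min < 6 || (min == 6 && pat < 19))))
        return 1;                           /* older than 2.6.19-rc1 */
    if (maj > 5 || (maj == 5 && min >= 12))
        return 1;                           /* mainline fix in 5.12 */
    for (size_t i = 0; i < sizeof FIXED_IN / sizeof FIXED_IN[0]; i++)
        if (FIXED_IN[i].major == maj && FIXED_IN[i].minor == min)
            return pat >= FIXED_IN[i].patch;
    return 0;
}

/* user.max_user_namespaces; 0 is the sysctl mitigation from the notes below. */
long max_user_namespaces(void)
{
    long v = -1;
    FILE *f = fopen("/proc/sys/user/max_user_namespaces", "r");
    if (f) {
        if (fscanf(f, "%ld", &v) != 1) v = -1;
        fclose(f);
    }
    return v;
}

/* Try unshare(CLONE_NEWUSER|CLONE_NEWNET) in a child: this is how the PoC gets
 * CAP_NET_ADMIN in its own net namespace. Run as an unprivileged user; as
 * root it trivially succeeds. Returns 1 if allowed, 0 if blocked, -1 on error. */
int unprivileged_userns_works(void)
{
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0)
        _exit(unshare(CLONE_NEWUSER | CLONE_NEWNET) == 0 ? 0 : 1);
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

int main(void)
{
    struct utsname u;
    uname(&u);
    int fixed = upstream_has_fix(u.release);
    printf("kernel %s: %s\n", u.release,
           fixed == 1 ? "upstream fix present" :
           fixed == 0 ? "upstream-vulnerable version (check the distro package for a backport)" :
                        "unparseable release string");
    printf("user.max_user_namespaces = %ld\n", max_user_namespaces());
    int ns = unprivileged_userns_works();
    printf("unshare(CLONE_NEWUSER|CLONE_NEWNET) as uid %d: %s\n", (int)getuid(),
           ns == 1 ? "allowed (unprivileged path to the bug is open)" : "blocked");
    /* Not checked here: CONFIG_COMPAT. The bug sits in the compat setsockopt
     * path, so a kernel built without 32-bit/x32 syscall support is not reachable. */
    return 0;
}
```

Run it as a normal user (not root) to get a meaningful answer from the namespace probe. A host is only exposed when all three line up: an unfixed kernel, unprivileged user namespaces allowed, and compat syscall support; the program answers the first two and leaves the third to the kernel config.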

Detection & IOCs (extracted from sources)

path            net/netfilter/x_tables.c
url             https://github.com/google/security-research/blob/master/pocs/linux/cve-2021-22555/exploit.c
path            /proc/sys/user/max_user_namespaces
command         echo 0 > /proc/sys/user/max_user_namespaces
socket option   setsockopt IPT_SO_SET_REPLACE
socket option   setsockopt IP6T_SO_SET_REPLACE
  • The bug is in xt_compat_target_from_user() in net/netfilter/x_tables.c and is reached only through the compat setsockopt path: IPT_SO_SET_REPLACE or IP6T_SO_SET_REPLACE issued via the 32-bit or x32 syscall ABI on a 64-bit kernel (CONFIG_COMPAT). Monitor for unprivileged processes issuing these options, in particular through a compat ABI.
  • Unprivileged exploitation requires user namespaces (CONFIG_USER_NS + CONFIG_NET_NS): the PoC unshares a user and a network namespace to get CAP_NET_ADMIN over its own tables. Monitor unprivileged calls to unshare(CLONE_NEWUSER) or unshare(CLONE_NEWNET) as a precursor to exploitation.
  • The post-exploitation stage escapes a container by calling setns() on /proc/1/ns/mnt, /proc/1/ns/pid and /proc/1/ns/net; monitor unprivileged processes opening /proc/1/ns/* file descriptors.
  • The exploit overwrites the modprobe_path kernel variable to run code as root. Its value is exposed as the kernel.modprobe sysctl (/proc/sys/kernel/modprobe), so alert when it no longer points at the expected modprobe binary.
  • The exploit triggers modprobe_path by writing a file with an unrecognised magic number (0xdeadbeef, i.e. bytes EF BE AD DE) and executing it. The constant is incidental: any file whose header matches no registered binfmt makes the kernel request a "binfmt-XXXX" module through modprobe_path, so detect modprobe being invoked for binfmt-* modules and non-root execution of files with no valid executable header, not just one byte pattern.
  • CVE-2021-22555 was observed being exploited in the wild by the Earth Krahang APT for Linux privilege escalation alongside CVE-2021-4034 and CVE-2016-5195; correlate Linux priv-esc attempts involving these CVEs within the same intrusion.
  • The exploit sprays the heap with msg_msg and sk_buff objects using 4096 message queues (NUM_MSQIDS) and 256 pipe file descriptors (NUM_PIPEFDS); thousands of SysV message queues created by a single process is a strong indicator.
  • Unprivileged exploitation is only possible when the kernel is built with CONFIG_USER_NS and CONFIG_NET_NS; on RHEL 7, where unprivileged user namespaces are disabled by default, only privileged users can trigger the bug.
  • On RHEL 8 the primitive available to a regular user is corruption of 4 bytes of heap memory; turning that into full privilege escalation requires additional conditions.
  • Mitigation: disable unprivileged user namespaces with user.max_user_namespaces = 0 (sysctl -w, persisted in /etc/sysctl.d/); note that this breaks rootless and user-namespaced container workloads.
  • The public exploit (Exploit-DB 50135) hardcodes kernel-specific ROP gadget offsets for KERNEL_COS_5_4_89 and KERNEL_UBUNTU_5_8_0_48 and will not work on other kernel builds without modification.
  • Mainline is fixed in 5.12 ("netfilter: x_tables: fix compat match/target pad out-of-bound write"), with backports to the stable branches listed in the ranges above (4.4.267, 4.9.267, 4.14.231, 4.19.188, 5.4.113, 5.10.31); this is why the NVD configuration data stops at 5.11.x, not because later kernels were never affected.
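Two of the indicators above can be checked from userspace on a running host: the msg_msg spray leaves thousands of SysV message queues owned by one uid in /proc/sysvipc/msg, and a rewritten modprobe_path shows up in /proc/sys/kernel/modprobe. The C program below is an added example, not code from the tracker or from the PoC; the 1024-queue alert threshold, the list of trusted modprobe directories and the embedded sample of /proc/sysvipc/msg are constructed for the example.

```c
// Host-side indicators for CVE-2021-22555 exploitation. Added example, not
// code from the tracker or from the public PoC.
//  (1) the msg_msg spray: the PoC creates NUM_MSQIDS = 4096 SysV message
//      queues, all owned by one uid, visible in /proc/sysvipc/msg;
//  (2) modprobe_path: the PoC rewrites it to a writable path, which is
//      readable from userspace as /proc/sys/kernel/modprobe.
#include <stdio.h>
#include <string.h>

#define SPRAY_THRESHOLD 1024   /* assumption: far above normal IPC usage */
#define MAX_UIDS 256

/* Constructed sample of /proc/sysvipc/msg (not captured from a real host):
 * the header line, then three queues owned by uid 1000 and one owned by root.
 * Columns: key msqid perms cbytes qnum lspid lrpid uid gid cuid cgid stime rtime ctime */
const char *SAMPLE_SYSVIPC_MSG =
    "       key      msqid perms      cbytes       qnum lspid lrpid   uid   gid  cuid  cgid      stime      rtime      ctime\n"
    "         0          0   600           0          0     0     0  1000  1000  1000  1000          0          0 1625000000\n"
    "         0          1   600           0          0     0     0  1000  1000  1000  1000          0          0 1625000001\n"
    "         0          2   600           0          0     0     0  1000  1000  1000  1000          0          0 1625000002\n"
    "         0          3   600           0          0     0     0     0     0     0     0          0          0 1625000003\n";

/* Copy the next line of *cursor into buf; returns 0 at end of text. */
static int next_line(const char **cursor, char *buf, size_t n)
{
    const char *p = *cursor;
    if (!p || !*p) return 0;
    const char *nl = strchr(p, '\n');
    size_t len = nl ? (size_t)(nl - p) : strlen(p);
    if (len >= n) len = n - 1;
    memcpy(buf, p, len);
    buf[len] = '\0';
    *cursor = nl ? nl + 1 : p + strlen(p);
    return 1;
}

/* Owner uid (8th column) of one queue line; the header line does not parse
 * as numbers and is therefore skipped. */
static int line_uid(const char *line, long *uid)
{
    long key, id, perms, cbytes, qnum, lspid, lrpid;
    return sscanf(line, "%ld %ld %lo %ld %ld %ld %ld %ld",
                  &key, &id, &perms, &cbytes, &qnum, &lspid, &lrpid, uid) == 8;
}

/* Number of queues owned by uid in the given /proc/sysvipc/msg text. */
int queues_owned_by(const char *text, long uid)
{
    char buf[512]; long u; int count = 0;
    const char *cur = text;
    while (next_line(&cur, buf, sizeof buf))
        if (line_uid(buf, &u) && u == uid)
            count++;
    return count;
}

/* First uid owning at least threshold queues, or -1. Only queues in the
 * reader's IPC namespace are listed; the PoC unshares user and net
 * namespaces but not IPC, so its spray is visible from the host. */
long find_ipc_spray(const char *text, int threshold)
{
    struct { long uid; int queues; } seen[MAX_UIDS];
    int n = 0;
    char buf[512]; long u;
    const char *cur = text;
    while (next_line(&cur, buf, sizeof buf)) {
        if (!line_uid(buf, &u)) continue;
        int i = 0;
        while (i < n && seen[i].uid != u) i++;
        if (i == n) {
            if (n == MAX_UIDS) continue;
            seen[n].uid = u; seen[n].queues = 0; n++;
        }
        if (++seen[i].queues >= threshold) return u;
    }
    return -1;
}

/* modprobe_path normally points into a root-owned system directory
 * (assumed trusted prefixes below); the PoC points it at a writable file. */
int modprobe_path_suspicious(const char *value)
{
    static const char *trusted[] = { "/sbin/", "/usr/sbin/", "/bin/", "/usr/bin/", NULL };
    for (int i = 0; trusted[i]; i++)
        if (strncmp(value, trusted[i], strlen(trusted[i])) == 0) return 0;
    return 1;
}

static long read_file(const char *path, char *buf, size_t n)
{
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    size_t got = fread(buf, 1, n - 1, f);
    fclose(f);
    buf[got] = '\0';
    return (long)got;
}

int main(void)
{
    static char msg[1 << 20];   /* 4096 queue lines fit comfortably */
    char mp[256];
    if (read_file("/proc/sysvipc/msg", msg, sizeof msg) > 0) {
        long uid = find_ipc_spray(msg, SPRAY_THRESHOLD);
        if (uid >= 0) printf("ALERT: uid %ld owns >= %d SysV message queues\n", uid, SPRAY_THRESHOLD);
        else printf("no message-queue spray visible\n");
    }
    if (read_file("/proc/sys/kernel/modprobe", mp, sizeof mp) > 0) {
        mp[strcspn(mp, "\n")] = '\0';
        printf("kernel.modprobe = %s (%s)\n", mp,
               modprobe_path_suspicious(mp) ? "SUSPICIOUS" : "ok");
    }
    return 0;
}
```

Both checks are point-in-time: the spray only exists while the exploit is running and the PoC cleans nothing up only if it crashes, so poll from a monitoring job rather than running once. A modprobe_path that already points somewhere writable means the box should be treated as compromised, not merely exposed.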

CVSS provenance

Source          Version  Score  Severity  Vector
nvd             v3.1     7.8    HIGH      CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd             v2.0     4.6    MEDIUM    AV:L/AC:L/Au:N/C:P/I:P/A:P
osv             -        7.8    HIGH      -
vulncheck       -        8.3    HIGH      -
cisa            -        7.8    HIGH      -
vendor_debian   -        8.3    HIGH      -
vendor_redhat   -        8.3    HIGH      -
vendor_ubuntu   -        8.3    HIGH      -