The SentinelOne Annual Threat Report - A Defenders Guide from the FrontlinesThe SentinelOne Annual Threat ReportGet the Report
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2021-22555

CVE-2021-22555: Netapp C400 Privilege Escalation Flaw

CVE-2021-22555 is a privilege escalation vulnerability in Netapp C400 Firmware caused by a heap out-of-bounds write in the Linux kernel. This post covers the technical details, affected versions, impact, and mitigation.

Published: March 4, 2026

CVE-2021-22555 Overview

CVE-2021-22555 is a heap out-of-bounds write vulnerability in the Linux kernel's Netfilter subsystem, specifically within net/netfilter/x_tables.c. This vulnerability has existed since Linux kernel version 2.6.19-rc1 and allows an attacker with local access to gain elevated privileges or cause a denial of service through heap memory corruption. The vulnerability is exploitable through user namespaces, making it particularly dangerous in containerized environments where unprivileged users may have access to create user namespaces.

Critical Impact

This vulnerability is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, indicating confirmed active exploitation in the wild. Successful exploitation enables local privilege escalation to root, potentially compromising the entire system.

Affected Products

  • Linux Kernel (versions since 2.6.19-rc1)
  • NetApp C400/C250 Firmware
  • NetApp H410C/H300S/H500S/H700S/H410S Firmware
  • NetApp FAS 8300/8700 Firmware
  • NetApp AFF A400/A250/500F Firmware
  • NetApp H610C/H610S/H615C Firmware
  • NetApp Cloud Backup
  • NetApp HCI Management Node
  • NetApp SolidFire
  • Brocade Fabric Operating System

Discovery Timeline

  • July 7, 2021 - CVE-2021-22555 published to NVD
  • October 27, 2025 - Last updated in NVD database

Technical Details for CVE-2021-22555

Vulnerability Analysis

This vulnerability resides in the Netfilter x_tables component, which is responsible for handling packet filtering rules in the Linux kernel. The flaw occurs during the translation of IPT_SO_SET_REPLACE operations when processing compat structures. When converting between 32-bit and 64-bit representations of iptables rules, the code fails to properly validate memory boundaries, leading to a heap out-of-bounds write condition.

The vulnerability is particularly significant because it can be triggered through user namespaces. In many Linux distributions, unprivileged users can create user namespaces, which grants them access to Netfilter operations. This means the attack surface extends beyond just privileged users to any local user on affected systems.

Root Cause

The root cause lies in improper memory offset calculations within the xt_compat_target_from_user() and related functions in x_tables.c. When the kernel processes compat iptables rules, it allocates a buffer based on the 64-bit target size but fails to account for padding differences between 32-bit and 64-bit structures. This miscalculation allows an attacker to write data beyond the allocated heap buffer, corrupting adjacent kernel memory structures.

The vulnerability specifically manifests when padding bytes are written outside the intended memory region during the compat translation process, enabling controlled heap corruption that can be leveraged for privilege escalation.

Attack Vector

The attack requires local access to the system with the ability to interact with Netfilter through system calls. The exploitation flow involves:

  1. Creating a user namespace to gain access to Netfilter operations
  2. Crafting malicious iptables rules with carefully calculated padding values
  3. Triggering the compat translation code path to cause out-of-bounds writes
  4. Leveraging the heap corruption to overwrite kernel structures
  5. Achieving arbitrary code execution in kernel context for privilege escalation

The attack can be performed by unprivileged local users on systems where user namespaces are enabled (which is the default on many distributions).

Detection Methods for CVE-2021-22555

Indicators of Compromise

  • Unexpected kernel crashes or panics related to Netfilter/x_tables subsystem
  • Suspicious iptables or netfilter-related system calls from unprivileged processes
  • Processes running with elevated privileges that originated from unprivileged user context
  • Audit logs showing unusual setsockopt() calls with IPT_SO_SET_REPLACE options
  • Memory corruption artifacts in kernel logs referencing x_tables.c or Netfilter components

Detection Strategies

  • Monitor for processes creating user namespaces followed by Netfilter operations using syscall auditing
  • Implement kernel integrity monitoring to detect unauthorized privilege changes
  • Deploy SIEM rules to correlate user namespace creation with subsequent privileged operations
  • Use eBPF-based monitoring tools to track Netfilter-related system calls from non-root processes

Monitoring Recommendations

  • Enable auditd rules for setsockopt syscalls involving IPPROTO_IP and IPPROTO_IPV6
  • Monitor /proc/sys/kernel/unprivileged_userns_clone for changes
  • Implement real-time alerting on unexpected privilege escalation events
  • Review kernel logs for Netfilter-related errors or warnings

How to Mitigate CVE-2021-22555

Immediate Actions Required

  • Apply the latest kernel patches from your Linux distribution immediately
  • If patching is not immediately possible, disable unprivileged user namespaces by setting kernel.unprivileged_userns_clone=0
  • Audit systems for signs of exploitation using the indicators of compromise listed above
  • Prioritize patching systems running containerized workloads where user namespaces are commonly used

Patch Information

Patches are available through the official Linux kernel repository. Two key commits address this vulnerability:

  • Kernel.org Commit - x_tables.c Update
  • Kernel.org Commit - x_tables.c Change

Additionally, NetApp has released Security Advisory NTAP-20210805-0010 for affected products. Kernel live patches are also available as documented in Kernel Live Patch Security Notices.

Workarounds

  • Disable unprivileged user namespaces to prevent exploitation by non-root users
  • Restrict access to Netfilter operations using SELinux or AppArmor policies
  • Implement network segmentation to limit the impact of potential privilege escalation
  • Use container runtime security features to restrict namespace operations
bash
# Disable unprivileged user namespaces (temporary mitigation)
echo 0 > /proc/sys/kernel/unprivileged_userns_clone

# Make the change persistent across reboots
echo "kernel.unprivileged_userns_clone = 0" >> /etc/sysctl.conf
sysctl -p

# Verify the setting is applied
sysctl kernel.unprivileged_userns_clone

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypePrivilege Escalation
  • Vendor/TechNetapp
  • SeverityHIGH
  • CVSS Score7.8
  • EPSS Probability85.24%
  • Known ExploitedNo
  • CVSS Vector
  • CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • Impact Assessment
  • ConfidentialityLow
  • IntegrityNone
  • AvailabilityHigh
  • CISA KEV Information
  • In CISA KEVYes
  • CWE References
  • CWE-787
  • Technical References
  • Packet Storm Exploit File
  • Packet Storm Security Notice LSN-0080-1
  • Packet Storm Security Notice LSN-0081-1
  • Packet Storm Privilege Escalation Exploit
  • Packet Storm Security Notice LSN-0083-1
  • GitHub Security Advisory GHSA-xxx5-8mvq-3528
  • NetApp Security Advisory NTAP-20210805-0010
  • CISA Known Exploited Vulnerabilities CVE-2021-22555
  • Vendor Resources
  • Kernel.org Commit - x_tables.c Update
  • Kernel.org Commit - x_tables.c Change
  • Related CVEs
  • CVE-2023-4911: Netapp Bootstrap Os Privilege Escalation
  • CVE-2021-22600: Netapp 8300 Privilege Escalation Flaw
  • CVE-2025-24928: Netapp Active IQ Buffer Overflow Flaw
  • CVE-2023-29552: NetApp SMI-S Provider DoS Vulnerability
Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English