CVE-2021-23133 Overview
CVE-2021-23133 is a race condition vulnerability in the Linux kernel's Stream Control Transmission Protocol (SCTP) socket implementation (net/sctp/socket.c). It affects kernels before 5.12-rc8 and can be used to escalate privileges to root from the context of a network service or, under one specific BPF cgroup configuration, from an unprivileged process. The root cause is that sctp_destroy_sock can be reached on paths that do not hold sock_net(sk)->sctp.addr_wq_lock, so the socket is unlinked from the per-namespace auto_asconf_splist list without the lock that every other user of that list takes. The flaw is classified as a race condition [CWE-362] and affects the Linux kernel and downstream products including Fedora, Debian, NetApp appliances, and Broadcom Brocade Fabric OS.
Critical Impact
A local attacker who can create SCTP sockets from a network-service context, or an unprivileged user on a host where a BPF_CGROUP_INET_SOCK_CREATE program denies SCTP socket creation, can race the unlocked list unlink in sctp_destroy_sock and turn the resulting list corruption into kernel memory corruption and, from there, root privileges.
Affected Products
- Linux kernel versions before 5.12-rc8
- Fedora 32, 33, and 34; Debian Linux 9.0
- NetApp SolidFire/HCI Management Node, Cloud Backup, H-series firmware (H300S, H500S, H700S, H410S, H300E, H500E, H700E, H410C), SolidFire Baseboard Management Controller, and Broadcom Brocade Fabric Operating System
Discovery Timeline
- 2021-04-22 - CVE-2021-23133 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-23133
Vulnerability Analysis
The Linux kernel implements SCTP, a transport-layer protocol that supports dynamic address reconfiguration (ASCONF, RFC 5061). When automatic ASCONF is in effect for a socket, either because the net.sctp.auto_asconf sysctl made it the default at socket creation or because the application set the SCTP_AUTO_ASCONF socket option, the kernel places that socket on a per-network-namespace linked list, auto_asconf_splist, which the address work-queue handler walks when local addresses change. Insertion and removal must be serialized with the sctp.addr_wq_lock spinlock, because the list is modified from socket lifecycle code on one CPU while it is traversed or modified on another.
sctp_destroy_sock, the protocol destructor, removed the socket from auto_asconf_splist on the assumption that its caller already held addr_wq_lock. That assumption holds on the normal close path, where sctp_close takes the lock around sk_common_release, but not on every path that can destroy a freshly created socket: the upstream fix names sctp_accept when sctp_sock_migrate fails, and inet_create/inet6_create when an attached BPF_CGROUP_INET_SOCK_CREATE program rejects the new SCTP socket. On those paths the unlink runs concurrently with locked list operations on other CPUs, the neighbouring prev/next pointers go stale, and a destroyed sctp_sock can remain reachable from the list. An attacker who controls the timing can turn that into a use-after-free on kernel memory, and from there into kernel-mode code execution and privilege escalation to root.
Root Cause
The defect is a synchronization failure [CWE-362]: sctp_destroy_sock manipulated auto_asconf_splist without itself holding the lock that other writers and the work-queue reader respect, relying instead on its caller to have taken it. The upstream fix, commit b166a20b07382b8bc1dcee2a448715c9c2c81b5b, acquires addr_wq_lock inside sctp_destroy_sock around the list_del and drops the corresponding locking from sctp_close, so every destruction path is serialized regardless of how it was reached.
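As an added example (not kernel code and not from the original page), the following user-space C program models the race on a list shaped like the kernel's list_head: two destructors unlink neighbouring nodes, first with the interleaving that the unlocked paths allow and then with each unlink serialized the way the fix does it. struct fake_sctp_sock, the split list_del_begin/list_del_commit helpers and the walk function are this example's own names; only the pointer manipulation mirrors include/linux/list.h.

```c
/* Added example, not kernel code: a user-space model of the CVE-2021-23133
 * race.  Auto-asconf SCTP sockets sit on the per-netns list
 * net->sctp.auto_asconf_splist, and list_del() from it is only safe under
 * net->sctp.addr_wq_lock.  Two "destructors" below unlink neighbouring
 * nodes with a deliberately interleaved schedule, once without the lock
 * (the accept-failure / BPF-denial paths) and once serialized as the fix
 * does.  struct fake_sctp_sock and the list_del_* helpers are this
 * example's own identifiers, not kernel ones. */
#include <stdio.h>
#include <stddef.h>

struct list_head { struct list_head *next, *prev; };

/* Stand-in for struct sctp_sock: the list linkage plus a "freed" flag so
 * the walk below can tell when it touches a destroyed socket. */
struct fake_sctp_sock {
    struct list_head auto_asconf_list;
    int freed;
};

static void list_init(struct list_head *h) { h->next = h->prev = h; }

static void list_add_tail(struct list_head *n, struct list_head *head)
{
    n->next = head;
    n->prev = head->prev;
    head->prev->next = n;
    head->prev = n;
}

/* __list_del() is "read both neighbours, then rewrite them".  Splitting it
 * in two lets the example replay one specific cross-CPU interleaving
 * deterministically instead of waiting for a scheduler to produce it. */
struct del_ctx { struct list_head *n, *prev, *next; };

static void list_del_begin(struct del_ctx *c, struct list_head *n)
{
    c->n = n; c->prev = n->prev; c->next = n->next;
}

static void list_del_commit(struct del_ctx *c)
{
    c->next->prev = c->prev;
    c->prev->next = c->next;
    c->n->next = c->n->prev = NULL;   /* LIST_POISON1/2 in the kernel */
}

static struct fake_sctp_sock *sock_of(struct list_head *p)
{
    return (struct fake_sctp_sock *)((char *)p - offsetof(struct fake_sctp_sock, auto_asconf_list));
}

/* Walk the list the way the address work-queue handler would and report
 * whether it reaches a socket that has already been destroyed (a UAF). */
static int walk_reaches_freed_sock(struct list_head *head)
{
    for (struct list_head *p = head->next; p && p != head; p = p->next)
        if (sock_of(p)->freed)
            return 1;
    return 0;
}

static struct list_head splist;
static struct fake_sctp_sock sk_a, sk_b, sk_c;

static void build_list(void)   /* splist: head <-> A <-> B <-> C */
{
    struct fake_sctp_sock *socks[] = { &sk_a, &sk_b, &sk_c };
    list_init(&splist);
    for (int i = 0; i < 3; i++) {
        socks[i]->freed = 0;
        list_add_tail(&socks[i]->auto_asconf_list, &splist);
    }
}

/* Vulnerable shape: the unlink is not serialized, so CPU 1 finishes its
 * own unlink between CPU 0's read and write steps.  Returns 1 when the
 * list afterwards still leads to a freed socket. */
static int destroy_unlocked_race(void)
{
    struct del_ctx cpu0, cpu1;
    build_list();
    list_del_begin(&cpu0, &sk_a.auto_asconf_list);  /* CPU 0: prev=head, next=B */
    list_del_begin(&cpu1, &sk_b.auto_asconf_list);  /* CPU 1 destroys B fully ... */
    list_del_commit(&cpu1);
    sk_b.freed = 1;                                   /* ... and frees it */
    list_del_commit(&cpu0);                           /* CPU 0 writes head->next = B (stale) */
    sk_a.freed = 1;
    return walk_reaches_freed_sock(&splist);
}

/* Fixed shape: each destructor does read+write as one critical section
 * (spin_lock_bh(&addr_wq_lock) ... spin_unlock_bh in the kernel), so the
 * second unlink always sees the first one's result.  Returns 0. */
static int destroy_locked(void)
{
    struct del_ctx cpu0, cpu1;
    build_list();
    list_del_begin(&cpu0, &sk_a.auto_asconf_list);
    list_del_commit(&cpu0);
    sk_a.freed = 1;
    list_del_begin(&cpu1, &sk_b.auto_asconf_list);
    list_del_commit(&cpu1);
    sk_b.freed = 1;
    return walk_reaches_freed_sock(&splist);
}

int main(void)
{
    printf("unlocked unlink leaves a freed socket reachable: %d\n", destroy_unlocked_race());
    printf("locked unlink leaves a freed socket reachable:   %d\n", destroy_locked());
    return 0;
}
```

The unlocked run shows the mechanism in one step: CPU 0 snapshots A's neighbours (head, B), CPU 1 removes and frees B in between, and CPU 0 then writes head->next = B from its stale snapshot, so the next walk of the list dereferences a freed sctp_sock. With the unlink serialized, CPU 1's snapshot already reflects CPU 0's removal and the list ends as head <-> C.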
Attack Vector
Exploitation requires local access and the ability to create SCTP sockets, which needs no capability: socket(2) with IPPROTO_SCTP is available to any user and will autoload the sctp module on demand if it is not already loaded. The attacker also needs automatic ASCONF to be in effect for the sockets involved, since only those sockets are placed on auto_asconf_splist. Two paths reach the unlocked unlink. The path the CVE attributes to a network service corresponds most naturally to the sctp_accept failure case, where sctp_sock_migrate fails and the half-built socket is destroyed. The unprivileged path exists when a BPF_CGROUP_INET_SOCK_CREATE program is attached to the attacker's cgroup and denies creation of an SCTP socket, because inet_create/inet6_create then release the socket through sk_common_release and, from there, sctp_destroy_sock without the lock. In either case the attacker drives SCTP socket creation and destruction concurrently with other activity on the list to race the unprotected unlink, corrupt auto_asconf_splist, and turn the resulting use-after-free into a kernel memory corruption primitive. No verified public exploit code is available; this description is based on the upstream patch and the Openwall oss-security discussion threads from April and May 2021.
Detection Methods for CVE-2021-23133
Indicators of Compromise
- Unexpected kernel oops or general protection faults referencing sctp_destroy_sock, auto_asconf_splist, or SCTP list traversal functions in dmesg or /var/log/kern.log.
- Processes with limited privileges spawning shells or executing commands as UID 0 shortly after generating high volumes of SCTP socket activity.
- Unusual bursts of socket(2) calls with protocol IPPROTO_SCTP (132), whether SOCK_STREAM or SOCK_SEQPACKET, from non-network services or unprivileged users.
Detection Strategies
- Audit kernel logs for SCTP-related crashes, slab corruption warnings, or list-debug assertions on systems built with CONFIG_DEBUG_LIST (lib/list_debug.c), which catches stale prev/next pointers at list_del time.
- Use auditd rules to record socket() syscalls whose protocol argument is IPPROTO_SCTP (132), for example -a always,exit -F arch=b64 -S socket -F a2=132 -k sctp_socket, and correlate hits with subsequent privilege transitions. Note that the resulting SYSCALL records print a0..a3 in hex, so the match shows up as a2=84.
- Hunt for attached BPF_CGROUP_INET_SOCK_CREATE programs that deny SCTP socket creation, since this enables the unprivileged exploitation path.
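As an added example (not from the original page or from any tool it names), this C program applies the auditd strategy above to constructed SYSCALL records: it matches x86_64 socket(2) calls (arch=c000003e, syscall 41) whose protocol argument decodes to IPPROTO_SCTP, counts them per uid, and flags a uid that issues several within a short window. The log lines, the program names in them, and the threshold and window values are constructed for the example; on another architecture the arch field and syscall number differ.

```c
/* Added example, not from the original page: scan Linux audit SYSCALL
 * records for socket(2) calls requesting IPPROTO_SCTP and flag any uid that
 * issues a burst of them.  Assumes x86_64 records (arch=c000003e, where
 * syscall 41 is socket(2)); audit prints a0..a3 in hex, so IPPROTO_SCTP
 * (132) appears as a2=84.  Log lines, comm/exe names, threshold and window
 * are constructed for the example. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_UIDS 64
struct uid_stat { long uid; int count; double first_ts, last_ts; };

/* Copy the value of "key=" (up to a space or end of line) into out.  Only
 * matches at a field boundary so "uid" does not match "auid" or "euid". */
static int audit_field(const char *line, const char *key, char *out, size_t n)
{
    size_t klen = strlen(key);
    for (const char *p = line; (p = strstr(p, key)) != NULL; p += klen) {
        if ((p != line && p[-1] != ' ') || p[klen] != '=')
            continue;
        const char *v = p + klen + 1, *e = v;
        while (*e && *e != ' ')
            e++;
        if ((size_t)(e - v) >= n)
            return 0;
        memcpy(out, v, (size_t)(e - v));
        out[e - v] = '\0';
        return 1;
    }
    return 0;
}

/* Event time in seconds from msg=audit(SECONDS.MILLIS:SERIAL); -1 if absent. */
static double audit_timestamp(const char *line)
{
    char v[48];
    if (!audit_field(line, "msg", v, sizeof v) || strncmp(v, "audit(", 6) != 0)
        return -1.0;
    return strtod(v + 6, NULL);
}

/* True for an x86_64 SYSCALL record of socket(2) with protocol IPPROTO_SCTP. */
static int is_sctp_socket_record(const char *line)
{
    char v[32];
    return audit_field(line, "type", v, sizeof v) && strcmp(v, "SYSCALL") == 0
        && audit_field(line, "arch", v, sizeof v) && strcmp(v, "c000003e") == 0
        && audit_field(line, "syscall", v, sizeof v) && strcmp(v, "41") == 0
        && audit_field(line, "a2", v, sizeof v) && strtoul(v, NULL, 16) == 132;
}

static int count_sctp_records(const char *const *lines, int n)
{
    int c = 0;
    for (int i = 0; i < n; i++)
        c += is_sctp_socket_record(lines[i]);
    return c;
}

/* Per-uid SCTP socket() counts.  Returns how many uids issued at least
 * `threshold` calls within `window` seconds; fills stats[0..*nstats). */
static int sctp_bursts(const char *const *lines, int n, int threshold,
                       double window, struct uid_stat *stats, int *nstats)
{
    int used = 0, flagged = 0;
    for (int i = 0; i < n; i++) {
        char v[32];
        if (!is_sctp_socket_record(lines[i]) || !audit_field(lines[i], "uid", v, sizeof v))
            continue;
        long uid = strtol(v, NULL, 10);
        double ts = audit_timestamp(lines[i]);
        int j = 0;
        while (j < used && stats[j].uid != uid)
            j++;
        if (j == used) {
            if (used == MAX_UIDS)
                continue;
            stats[used++] = (struct uid_stat){ uid, 0, ts, ts };
        }
        stats[j].count++;
        if (ts < stats[j].first_ts) stats[j].first_ts = ts;
        if (ts > stats[j].last_ts)  stats[j].last_ts = ts;
    }
    for (int j = 0; j < used; j++)
        if (stats[j].count >= threshold && stats[j].last_ts - stats[j].first_ts <= window)
            flagged++;
    *nstats = used;
    return flagged;
}

/* Constructed records: uid 1000 opens four SCTP sockets in under a second
 * (plus one TCP socket, a2=6, which must not count); uid 0 opens one. */
static const char *const SAMPLE_AUDIT_LOG[] = {
    "type=SYSCALL msg=audit(1618100000.101:2001): arch=c000003e syscall=41 success=yes exit=3 a0=2 a1=1 a2=84 a3=0 pid=1234 auid=1000 uid=1000 euid=1000 comm=\"sctpfuzz\" exe=\"/tmp/sctpfuzz\" key=\"sctp_socket\"",
    "type=PROCTITLE msg=audit(1618100000.101:2001): proctitle=\"/tmp/sctpfuzz\"",
    "type=SYSCALL msg=audit(1618100000.350:2002): arch=c000003e syscall=41 success=yes exit=4 a0=2 a1=1 a2=84 a3=0 pid=1234 auid=1000 uid=1000 euid=1000 comm=\"sctpfuzz\" exe=\"/tmp/sctpfuzz\" key=\"sctp_socket\"",
    "type=SYSCALL msg=audit(1618100000.500:2003): arch=c000003e syscall=41 success=yes exit=5 a0=2 a1=1 a2=6 a3=0 pid=1300 auid=1000 uid=1000 euid=1000 comm=\"curl\" exe=\"/usr/bin/curl\" key=\"net_socket\"",
    "type=SYSCALL msg=audit(1618100000.200:2004): arch=c000003e syscall=41 success=yes exit=7 a0=2 a1=5 a2=84 a3=0 pid=777 auid=4294967295 uid=0 euid=0 comm=\"diameterd\" exe=\"/usr/sbin/diameterd\" key=\"sctp_socket\"",
    "type=SYSCALL msg=audit(1618100000.612:2005): arch=c000003e syscall=41 success=yes exit=6 a0=2 a1=1 a2=84 a3=0 pid=1234 auid=1000 uid=1000 euid=1000 comm=\"sctpfuzz\" exe=\"/tmp/sctpfuzz\" key=\"sctp_socket\"",
    "type=SYSCALL msg=audit(1618100001.004:2006): arch=c000003e syscall=41 success=yes exit=8 a0=2 a1=1 a2=84 a3=0 pid=1234 auid=1000 uid=1000 euid=1000 comm=\"sctpfuzz\" exe=\"/tmp/sctpfuzz\" key=\"sctp_socket\"",
};
#define SAMPLE_AUDIT_LOG_LEN ((int)(sizeof SAMPLE_AUDIT_LOG / sizeof SAMPLE_AUDIT_LOG[0]))

/* Flagged uids for the sample at threshold 3 within a 5 s window. */
static int sample_flagged(void)
{
    struct uid_stat st[MAX_UIDS];
    int n = 0;
    return sctp_bursts(SAMPLE_AUDIT_LOG, SAMPLE_AUDIT_LOG_LEN, 3, 5.0, st, &n);
}

int main(void)
{
    struct uid_stat st[MAX_UIDS];
    int n = 0, flagged = sctp_bursts(SAMPLE_AUDIT_LOG, SAMPLE_AUDIT_LOG_LEN, 3, 5.0, st, &n);
    printf("%d SCTP socket() records, %d uid(s) over threshold\n",
           count_sctp_records(SAMPLE_AUDIT_LOG, SAMPLE_AUDIT_LOG_LEN), flagged);
    for (int i = 0; i < n; i++)
        printf("uid %ld: %d calls in %.3f s\n", st[i].uid, st[i].count, st[i].last_ts - st[i].first_ts);
    return 0;
}
```

Matching on syscall number and arch rather than on the audit key keeps the check valid even when the rule set is keyed differently; the hex decoding of a2 is the detail most likely to be wrong in a hand-written search, since a grep for "a2=132" never matches.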
Monitoring Recommendations
- Run test systems with KASAN and CONFIG_DEBUG_LIST to surface the use-after-free and stale list pointers on SCTP destruction paths; lockdep on its own will not flag this class of bug, since the vulnerable path simply never takes the lock.
- Forward kernel ring buffer and audit logs to a centralized analytics platform and alert on SCTP-related faults paired with subsequent privilege escalation events.
- Track installed kernel package versions across the fleet and flag hosts running kernels older than the distribution-supplied fix.
How to Mitigate CVE-2021-23133
Immediate Actions Required
- Update the Linux kernel to 5.12-rc8 or later, or apply the distribution backport that incorporates commit b166a20b07382b8bc1dcee2a448715c9c2c81b5b.
- Apply vendor patches from the Debian LTS announcement, Fedora package updates, and the NetApp Security Advisory NTAP-20210611-0008.
- Reboot into the patched kernel after updating; the fix is in the kernel image itself, so the vulnerable code stays resident until the running kernel is replaced or a vendor live patch is applied.
Patch Information
The upstream fix landed in the Linux kernel mainline as commit b166a20b07382b8bc1dcee2a448715c9c2c81b5b, shipped in 5.12-rc8. Distribution backports are available from Debian, Fedora, NetApp, and Broadcom. Additional context is published on the Openwall oss-security list.
Workarounds
- Blacklist the sctp kernel module on systems that do not require SCTP. Use an install directive rather than a plain blacklist entry, because an unprivileged socket(2) call would otherwise autoload the module on demand.
- Remove or audit any BPF_CGROUP_INET_SOCK_CREATE programs that deny SCTP socket creation to close the unprivileged exploitation path until patches are applied.
- Restrict SCTP socket creation to trusted services, for example with a seccomp filter that denies socket(2) when the protocol argument is 132 or with an LSM policy. Creating SCTP sockets does not require CAP_NET_ADMIN, so capability restrictions alone do not close the path.
# Blacklist the SCTP module to limit exposure until patched. An "install"
# directive blocks both explicit loads and the on-demand autoload that any
# user's socket(AF_INET, SOCK_STREAM, IPPROTO_SCTP) call would trigger.
echo "install sctp /bin/false" | sudo tee /etc/modprobe.d/disable-sctp.conf
# rmmod fails if SCTP is in use; confirm afterwards with: lsmod | grep '^sctp'
sudo rmmod sctp 2>/dev/null || true
# Show the running kernel. Distribution backports keep the old version
# string, so compare the package version against the vendor advisory
# rather than against 5.12.
uname -r
# Debian/Ubuntu: upgrade the kernel metapackage for the running flavour
# (e.g. linux-image-amd64 or linux-image-generic), then reboot
sudo apt-get update && sudo apt-get install --only-upgrade linux-image-$(uname -r | sed 's/.*-//')
# Fedora: apply updates, then reboot
sudo dnf update kernel
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


