CVE-2021-28714 Overview
CVE-2021-28714 is a resource exhaustion vulnerability in the Linux kernel's netback driver that allows a malicious guest VM to force the host to consume excessive kernel memory. The vulnerability exists in the packet buffering mechanism where incoming data packets for a guest are queued until the guest is ready to process them. While protective measures exist to prevent excessive data accumulation, a guest can bypass these controls by manipulating its RX queue ring page to maintain only one free slot when the next packet requires multiple slots (common with GSO, XDP, or software hashing), effectively preventing the timeout mechanism from ever triggering.
Critical Impact
A malicious guest virtual machine can exhaust host kernel memory resources, causing denial of service conditions that affect all VMs running on the hypervisor.
Affected Products
- Linux Kernel (all affected versions)
- Debian Linux 10.0
- Debian Linux 11.0
Discovery Timeline
- 2022-01-06 - CVE-2021-28714 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-28714
Vulnerability Analysis
This vulnerability affects virtualization environments using the Xen hypervisor with Linux netback driver. The netback driver handles network packet processing between guest VMs and the host system. When a guest temporarily stops consuming network packets, the driver buffers incoming data until the guest resumes processing or a 60-second timeout expires.
The flaw allows a guest to circumvent this timeout protection entirely. When the guest's RX queue ring page has exactly one free slot remaining, and the next incoming packet requires more than one slot (which occurs with Generic Segmentation Offload, XDP processing, or software hashing), the driver cannot deliver the packet but also cannot trigger the stall timeout. This creates a condition where packets accumulate indefinitely in kernel memory without any protective mechanism activating.
Root Cause
The root cause is classified as CWE-770: Allocation of Resources Without Limits or Throttling. The netback driver's timeout-based protection mechanism contains a logic gap where the stall detection fails to trigger under specific queue state conditions. The driver assumes that if there is any free slot in the RX ring, the guest is not stalled, but it fails to account for scenarios where the available slot count is insufficient for the pending packet size.
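The following C program is an added illustration written for this page, not code from the kernel's netback driver: it models the ring bookkeeping in simplified form and places the pre-fix "any free slot means deliverable" predicate beside the corrected "enough slots for the head packet" predicate, then runs the one-slot scenario from the analysis above through both. The struct and function names are invented for the model; the 60-second timeout is the default stated above.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model of xen-netback's RX-ring stall bookkeeping (added
 * illustration, not the driver's code). The guest posts free receive slots by
 * advancing req_prod; the backend consumes them by advancing req_cons; the
 * packet at the head of the backend's queue needs `slots_needed` slots, which
 * is more than one for GSO, XDP or software-hashed packets. */
struct rx_ring_model {
    uint32_t req_prod;     /* guest-advanced producer index */
    uint32_t req_cons;     /* backend-advanced consumer index */
    uint32_t slots_needed; /* slots the head-of-queue packet needs; 0 if queue empty */
};

#define STALL_TIMEOUT_MS 60000u  /* default netback stall timeout (60 s) */

static uint32_t free_slots(const struct rx_ring_model *q)
{
    return q->req_prod - q->req_cons; /* unsigned wrap handles index rollover */
}

/* Pre-fix logic (modelled): one free slot is treated as "can deliver". */
static bool slots_available_vulnerable(const struct rx_ring_model *q)
{
    return free_slots(q) >= 1;
}

/* Post-fix logic (modelled): compare against what the head packet needs. */
static bool slots_available_fixed(const struct rx_ring_model *q)
{
    if (q->slots_needed == 0)
        return false;      /* nothing queued, so nothing to deliver */
    return free_slots(q) >= q->slots_needed;
}

/* Stall detection: the queue is stalled when it cannot deliver and the guest
 * has been idle past the timeout. Which "cannot deliver" predicate is used
 * decides whether the one-slot case is ever detected. */
static bool queue_stalled(const struct rx_ring_model *q, uint32_t idle_ms, bool use_fix)
{
    bool can_deliver = use_fix ? slots_available_fixed(q)
                               : slots_available_vulnerable(q);
    return !can_deliver && idle_ms > STALL_TIMEOUT_MS;
}

/* Scenario helper: the guest has posted `free_posted` slots, the head packet
 * needs `needed` slots, and the guest has been idle for `idle_ms`. Returns
 * whether stall detection fires under the chosen predicate. */
bool stall_detected(uint32_t free_posted, uint32_t needed, uint32_t idle_ms, bool use_fix)
{
    struct rx_ring_model q = { .req_prod = 1000u + free_posted, .req_cons = 1000u,
                               .slots_needed = needed };
    return queue_stalled(&q, idle_ms, use_fix);
}

int main(void)
{
    /* Guest keeps exactly one free slot; the head packet is a GSO packet needing 2. */
    printf("one slot, needs 2, idle 120 s: vulnerable=%d fixed=%d\n",
           stall_detected(1, 2, 120000u, false), stall_detected(1, 2, 120000u, true));
    /* Guest posts enough slots: neither variant reports a stall, delivery proceeds. */
    printf("two slots, needs 2, idle 120 s: vulnerable=%d fixed=%d\n",
           stall_detected(2, 2, 120000u, false), stall_detected(2, 2, 120000u, true));
    return 0;
}
```

With one free slot and a two-slot head packet, the pre-fix predicate reports the queue as deliverable, so the timeout path is never taken and the backend keeps buffering; the corrected predicate reports it as undeliverable and lets the 60-second stall timeout fire as intended.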
Attack Vector
The attack requires local access from within a guest virtual machine. An attacker with access to a guest VM can exploit this vulnerability by:
- Configuring the guest's network stack to maintain exactly one free slot in the RX queue ring page
- Generating network traffic that produces packets requiring multiple slots (using GSO, XDP, or software hashing)
- Allowing packets to accumulate in host kernel memory without triggering stall detection
- Using a high-bandwidth UDP connection to rapidly fill host memory
The vulnerability can be exploited to cause denial of service against the host system, potentially affecting all co-located virtual machines.
Detection Methods for CVE-2021-28714
Indicators of Compromise
- Abnormal kernel memory consumption on Xen hypervisor hosts
- Network performance degradation in virtualized environments
- Guest VMs exhibiting unusual RX queue ring page patterns, such as persistently leaving a single free slot while the backend still has packets queued for them
- Kernel memory allocation failures or OOM (Out of Memory) conditions
Detection Strategies
- Monitor kernel memory allocation patterns on Xen hosts running Linux netback driver
- Implement alerts for unusual memory growth correlated with network traffic
- Review guest VM network configurations for suspicious RX queue settings
- Audit systems for unexplained memory pressure in virtualization environments
Monitoring Recommendations
- Configure memory usage thresholds and alerts on hypervisor hosts
- Monitor netback driver statistics for queued packet accumulation
- Track per-guest network buffer utilization metrics
- Implement resource usage auditing for all guest virtual machines
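The following C program is an added example for the detection strategies above, not tooling from the kernel or the Xen project: it parses two /proc/meminfo-style samples for the Slab figure, compares them with the guest vif's rx_bytes counter over the same interval, and raises an alert only when slab memory grows past a limit while that guest was moving traffic. The sample texts and counter values are constructed for illustration; a real deployment would read /proc/meminfo and /sys/class/net/vif*/statistics/rx_bytes at each polling interval. The function names and the 256 MiB growth limit are assumptions of this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Return the kB value of `key` in a /proc/meminfo-style buffer, or -1 if absent.
 * Matching requires the key to start a line and be followed by ':' so that
 * "Mem" does not match "MemTotal" and "Cached" does not match "SwapCached". */
long meminfo_kb(const char *text, const char *key)
{
    size_t klen = strlen(key);
    for (const char *line = text; line && *line; ) {
        if (strncmp(line, key, klen) == 0 && line[klen] == ':') {
            long kb;
            return sscanf(line + klen + 1, " %ld", &kb) == 1 ? kb : -1;
        }
        line = strchr(line, '\n');
        if (line)
            line++;
    }
    return -1;
}

/* Alert when Slab grew by more than slab_limit_kb across the interval while the
 * guest's vif received traffic. Growth without traffic points to another
 * consumer; traffic without growth is ordinary forwarding. */
bool netback_pressure_alert(const char *meminfo_before, const char *meminfo_after,
                            long rx_bytes_before, long rx_bytes_after,
                            long slab_limit_kb)
{
    long slab0 = meminfo_kb(meminfo_before, "Slab");
    long slab1 = meminfo_kb(meminfo_after, "Slab");
    if (slab0 < 0 || slab1 < 0)
        return false;               /* cannot judge without both samples */
    long slab_growth = slab1 - slab0;
    long rx_growth = rx_bytes_after - rx_bytes_before;
    return slab_growth > slab_limit_kb && rx_growth > 0;
}

/* Constructed samples: Slab grows by 512 MiB across the interval while the
 * guest's vif received traffic (all values invented for illustration). */
static const char *SAMPLE_BEFORE =
    "MemTotal:       32768000 kB\n"
    "MemFree:        20000000 kB\n"
    "Slab:             400000 kB\n"
    "SReclaimable:     150000 kB\n";
static const char *SAMPLE_AFTER =
    "MemTotal:       32768000 kB\n"
    "MemFree:        19400000 kB\n"
    "Slab:             924288 kB\n"
    "SReclaimable:     150000 kB\n";

int main(void)
{
    /* 256 MiB growth limit; rx_bytes went from 1 MB to 900 MB over the interval */
    bool alert = netback_pressure_alert(SAMPLE_BEFORE, SAMPLE_AFTER,
                                        1000000L, 900000000L, 262144L);
    printf("Slab before/after: %ld/%ld kB, alert=%d\n",
           meminfo_kb(SAMPLE_BEFORE, "Slab"), meminfo_kb(SAMPLE_AFTER, "Slab"), alert);
    return 0;
}
```

Tying the memory delta to a specific vif's counter is what turns a generic "host is low on memory" alarm into one that names the guest to inspect; a per-vif loop over /sys/class/net/vif*/statistics/rx_bytes feeding this check is the natural extension.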
How to Mitigate CVE-2021-28714
Immediate Actions Required
- Apply kernel security patches from your distribution vendor immediately
- Review and limit network bandwidth allocated to untrusted guest VMs
- Consider network traffic shaping to limit UDP throughput to guests
- Monitor memory usage on affected hypervisor hosts until patching is complete
Patch Information
Security patches addressing this vulnerability have been released by major Linux distributions. Refer to the following vendor advisories for specific patch details:
- Xen Project Advisory XSA-392 - Primary security advisory with technical details
- Debian Security Advisory DSA-5050 - Debian stable security update
- Debian Security Advisory DSA-5096 - Additional Debian security update
- Debian LTS Announcement - Debian LTS security update
Workarounds
- Reduce the netback timeout value from the default 60 seconds to a shorter duration
- Implement strict resource quotas for guest VM memory consumption
- Use network traffic monitoring to detect and rate-limit suspicious traffic patterns
- Consider isolating untrusted workloads to dedicated hypervisor hosts
# Example: Monitoring kernel memory on Xen hosts
# Check current memory usage
free -m
# Show the netback drop counter of every guest vif, labelled with its path
grep -H '' /sys/class/net/vif*/statistics/rx_dropped
# Review memory pressure indicators
grep -E "^(MemFree|Buffers|Cached|Slab):" /proc/meminfo
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.