CVE-2021-29154 Overview
CVE-2021-29154 is a local privilege escalation vulnerability in the Berkeley Packet Filter (BPF) Just-In-Time (JIT) compilers in the Linux kernel through version 5.11.12. The flaw is rooted in incorrect computation of branch displacements within arch/x86/net/bpf_jit_comp.c and arch/x86/net/bpf_jit_comp32.c. A local attacker with the ability to load BPF programs can leverage this miscalculation to execute arbitrary code within kernel context, resulting in full system compromise. The vulnerability affects upstream Linux kernels and downstream distributions including Debian, Fedora, and multiple NetApp appliances that ship Linux-based firmware.
Critical Impact
Local attackers able to invoke the BPF subsystem can achieve arbitrary kernel-mode code execution, leading to full root privilege escalation and loss of confidentiality, integrity, and availability.
Affected Products
- Linux kernel versions up to and including 5.11.12 (x86 and x86_32 BPF JIT)
- Debian Linux 9.0 and Fedora 33
- NetApp HCI Management Node, SolidFire, Cloud Backup, and H-Series firmware (H300S/E, H500S/E, H700S/E, H410S)
Discovery Timeline
- 2021-04-08 - CVE-2021-29154 published to NVD and disclosed on the Openwall oss-security mailing list
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-29154
Vulnerability Analysis
The Linux kernel BPF JIT compiler translates verified BPF bytecode into native x86 machine instructions for performance. During this translation, the compiler emits relative jump instructions whose displacement values are calculated from the addresses of source and target instructions. In the affected versions, the displacement computation logic in bpf_jit_comp.c and bpf_jit_comp32.c produces incorrect values for certain branch instructions. The resulting native code branches to an address that does not correspond to a legitimate, verifier-validated instruction boundary.
Because BPF programs execute in kernel mode after JIT compilation, a miscalculated branch can redirect control flow to attacker-influenced memory inside the kernel address space. This bypasses the safety guarantees the BPF verifier is intended to enforce. The flaw is categorized under [CWE-77] for improper command construction in the generated instruction stream.
Root Cause
The root cause is an arithmetic error in computing the relative offset between a branch instruction and its target during the JIT emit phase. When the displacement is computed against an incorrect base or instruction length, the emitted jmp or conditional jump lands at an attacker-controlled location instead of the verified BPF basic block. See the upstream fix commits 26f55a59dc65 and e4d4d456436b for the corrected displacement logic.
Attack Vector
Exploitation requires local access and the ability to load BPF programs. On systems where unprivileged BPF is enabled (kernel.unprivileged_bpf_disabled=0), any local user can trigger the flaw. On hardened systems, the attacker must hold CAP_SYS_ADMIN or CAP_BPF. The attacker crafts a BPF program whose verified bytecode is safe but whose JIT-compiled output contains a miscalculated branch. When the kernel executes the compiled program, control flow diverts into attacker-prepared instruction bytes, yielding arbitrary kernel code execution. No verified public exploit is listed in ExploitDB, and the vulnerability is not present on the CISA Known Exploited Vulnerabilities list. See the Openwall OSS Security Discussion for technical disclosure details.
Detection Methods for CVE-2021-29154
Indicators of Compromise
- Unexpected processes spawned with elevated privileges from user accounts that previously had no escalation path
- Loading of BPF programs by non-administrative users on systems where unprivileged BPF is not explicitly required
- Kernel oops, panic, or general protection fault messages referencing bpf_jit in dmesg or /var/log/kern.log
- New or unexpected kernel module-like behavior originating from JIT-allocated executable pages
Detection Strategies
- Audit bpf() syscall invocations using auditd rules to identify which users and processes load BPF programs
- Monitor the kernel.unprivileged_bpf_disabled sysctl value and alert on hosts where it remains set to 0
- Correlate BPF program load events with subsequent privilege-changing syscalls such as setuid, setresuid, or execve of root-owned binaries
- Inspect kernel version inventories against the patched baseline to identify hosts still running Linux kernels at or below 5.11.12
Monitoring Recommendations
- Forward kernel ring buffer (dmesg) and audit logs to a centralized analytics pipeline for behavioral analysis
- Track loaded BPF program counts per user with bpftool prog show and baseline normal activity
- Alert on any process that loads a BPF program and shortly after spawns a shell or modifies sensitive files in /etc, /root, or /boot
How to Mitigate CVE-2021-29154
Immediate Actions Required
- Patch affected Linux kernels to a version that includes commits 26f55a59dc65 and e4d4d456436b from the upstream tree
- Apply distribution updates: Debian LTS advisories DLA for linux and DLA for linux-4.19, and the Fedora Package Announcement
- Update NetApp HCI, SolidFire, and H-Series systems per the NetApp Security Advisory NTAP-20210604-0006
- Review Oracle environments using the Oracle Critical Patch Update July 2022
Patch Information
The upstream fixes correct the branch displacement arithmetic in the x86 and x86_32 BPF JIT compilers. Distributions backported these commits to their long-term support kernels in mid-2021. Live patching is available for some Ubuntu kernels per the Ubuntu Kernel Live Patch Notice LSN-0076-1.
Workarounds
- Disable unprivileged BPF by setting kernel.unprivileged_bpf_disabled=1 in /etc/sysctl.d/ and reloading sysctl
- Disable the BPF JIT by setting net.core.bpf_jit_enable=0, accepting the performance trade-off until patches are deployed
- Restrict CAP_BPF and CAP_SYS_ADMIN to administrative service accounts only, using systemd unit hardening or SELinux policy
# Configuration example - disable unprivileged BPF and the JIT
echo 'kernel.unprivileged_bpf_disabled=1' | sudo tee /etc/sysctl.d/90-bpf.conf
echo 'net.core.bpf_jit_enable=0' | sudo tee -a /etc/sysctl.d/90-bpf.conf
sudo sysctl --system
# Verify settings
sysctl kernel.unprivileged_bpf_disabled
sysctl net.core.bpf_jit_enable
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
