CVE-2021-3600 Overview
CVE-2021-3600 is a Linux kernel vulnerability in the extended Berkeley Packet Filter (eBPF) verifier. The eBPF implementation did not correctly track bounds information for 32-bit registers when performing div and mod operations. A local attacker with the ability to load eBPF programs can leverage this flaw to corrupt verifier state and potentially execute arbitrary code in kernel context. The issue is classified under [CWE-125] and affects Linux kernel branches up to and including 5.11 release candidates, along with Ubuntu, Fedora, and Red Hat Enterprise Linux distributions that ship affected kernels.
Critical Impact
A local, low-privileged user can escape the eBPF verifier's safety guarantees and gain kernel-level code execution, leading to full system compromise.
Affected Products
- Linux kernel (including 5.11 release candidates rc1 through rc7)
- Canonical Ubuntu Linux 14.04 ESM, 16.04 ESM, and 18.04 ESM
- Fedora 34 and Red Hat Enterprise Linux 8.0
Discovery Timeline
- 2024-01-08 - CVE-2021-3600 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-3600
Vulnerability Analysis
The eBPF verifier in the Linux kernel statically analyzes BPF programs before they execute in kernel space. It tracks value ranges for each register to prove that memory accesses and arithmetic operations remain within safe bounds. The verifier maintains both 64-bit and 32-bit bounds metadata for every register. CVE-2021-3600 stems from the verifier failing to update the 32-bit bounds tracking after BPF_DIV and BPF_MOD ALU32 operations. After these operations execute, the recorded 32-bit minimum and maximum values diverge from the actual runtime values produced by the JIT-compiled program.
An attacker crafts a BPF program that performs a 32-bit divide or modulo against an attacker-controlled value. Because the verifier mis-tracks the post-operation bounds, subsequent arithmetic and memory operations that depend on those bounds pass verification despite being unsafe. This enables out-of-bounds pointer arithmetic inside the kernel, leading to arbitrary kernel memory read and write primitives.
Root Cause
The defect resides in the adjust_scalar_min_max_vals() logic path in kernel/bpf/verifier.c. The handler for ALU32 div and mod cases did not invoke the routines that recompute s32_min_value, s32_max_value, u32_min_value, and u32_max_value after the operation. The upstream fix is committed as e88b2c6e5a4d9ce30d75391e4d950da74bb2bd90, which adds explicit 32-bit bounds recalculation for these operations.
Attack Vector
Exploitation requires local access and the capability to load eBPF programs. On unprivileged systems where kernel.unprivileged_bpf_disabled is set to 0, any local user can trigger the flaw. Where unprivileged BPF is disabled, the attacker requires CAP_SYS_ADMIN or CAP_BPF. The attacker crafts a BPF program containing a 32-bit divide or modulo, uses the resulting verifier confusion to construct out-of-bounds pointer arithmetic, and pivots to a kernel read/write primitive used for privilege escalation.
No public proof-of-concept is referenced in the NVD entry, and CISA has not added this CVE to the Known Exploited Vulnerabilities catalog. Refer to the Kernel Git Commit for the upstream patch details.
Detection Methods for CVE-2021-3600
Indicators of Compromise
- Unexpected loading of BPF programs by non-root or non-system processes, observed via bpf() syscall auditing
- Kernel oops, panic, or BUG: messages referencing kernel/bpf/verifier.c or BPF JIT pages in dmesg
- Sudden privilege transitions where an unprivileged process spawns a child with uid=0 shortly after issuing bpf() syscalls
Detection Strategies
- Enable Linux audit rules for the bpf syscall and correlate BPF_PROG_LOAD events with the loading user and process lineage
- Compare running kernel versions against vendor advisories such as Ubuntu Security Notice USN-5003-1 to identify unpatched hosts
- Hunt for processes that load BPF programs and subsequently invoke setuid, commit_creds, or other credential-modifying paths in close temporal proximity
Monitoring Recommendations
- Forward kernel ring buffer and audit logs to a centralized analytics platform for retention and correlation across the fleet
- Track the value of kernel.unprivileged_bpf_disabled across hosts and alert on regressions to 0
- Baseline which workloads legitimately use eBPF (observability agents, network policy engines) and flag deviations from that baseline
How to Mitigate CVE-2021-3600
Immediate Actions Required
- Apply vendor kernel updates that incorporate commit e88b2c6e5a4d9ce30d75391e4d950da74bb2bd90 and reboot affected hosts
- Set kernel.unprivileged_bpf_disabled=1 on systems that do not require unprivileged BPF program loading
- Inventory hosts running Linux kernel 5.11 release candidates, Ubuntu ESM 14.04/16.04/18.04, Fedora 34, and RHEL 8.0 and prioritize them for patching
Patch Information
The upstream Linux kernel fix is available in the Kernel Git Commit. Distribution-level patches are documented in the Ubuntu Security Notice USN-5003-1 and via Red Hat and Fedora errata. See the MITRE CVE Details entry for cross-references.
Workarounds
- Disable unprivileged eBPF program loading by writing 1 to /proc/sys/kernel/unprivileged_bpf_disabled and persisting the setting in /etc/sysctl.d/
- Restrict CAP_BPF and CAP_SYS_ADMIN to trusted system accounts only and audit any process holding these capabilities
- Where eBPF is not required, build or boot kernels with CONFIG_BPF_SYSCALL=n to remove the attack surface entirely
# Disable unprivileged BPF program loading at runtime and persist across reboots
sudo sysctl -w kernel.unprivileged_bpf_disabled=1
echo 'kernel.unprivileged_bpf_disabled=1' | sudo tee /etc/sysctl.d/90-disable-unpriv-bpf.conf
sudo sysctl --system
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
