CVE-2021-46992: netfilter: nftables: avoid overflows in nft_hash_buckets()
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nftables: avoid overflows in nft_hash_buckets()
Number of buckets being stored in 32bit variables, we have to
ensure that no overflows occur in nft_hash_buckets()
syzbot injected a size == 0x40000000 and reported:
UBSAN: shift-out-of-bounds in ./include/linux/log2.h:57:13
shift exponent 64 is too large for 64-bit type 'long unsigned int'
CPU: 1 PID: 29539 Comm: syz-executor.4 Not tainted 5.12.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:79 [inline]
dump_stack+0x141/0x1d7 lib/dump_stack.c:120
ubsan_epilogue+0xb/0x5a lib/ubsan.c:148
__ubsan_handle_shift_out_of_bounds.cold+0xb1/0x181 lib/ubsan.c:327
__roundup_pow_of_two include/linux/log2.h:57 [inline]
nft_hash_buckets net/netfilter/nft_set_hash.c:411 [inline]
nft_hash_estimate.cold+0x19/0x1e net/netfilter/nft_set_hash.c:652
nft_select_set_ops net/netfilter/nf_tables_api.c:3586 [inline]
nf_tables_newset+0xe62/0x3110 net/netfilter/nf_tables_api.c:4322
nfnetlink_rcv_batch+0xa09/0x24b0 net/netfilter/nfnetlink.c:488
nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:612 [inline]
nfnetlink_rcv+0x3af/0x420 net/netfilter/nfnetlink.c:630
netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline]
netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1338
netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1927
sock_sendmsg_nosec net/socket.c:654 [inline]
sock_sendmsg+0xcf/0x120 net/socket.c:674
____sys_sendmsg+0x6e8/0x810 net/socket.c:2350
___sys_sendmsg+0xf3/0x170 net/socket.c:2404
__sys_sendmsg+0xe5/0x1b0 net/socket.c:2433
do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
Security readout for executives and security teams
Plain-English summary
CVE-2021-46992 is a Linux kernel nftables bug where very large set sizing can overflow internal bucket calculations. The public record shows a syzbot-discovered crash condition, not confirmed real-world exploitation. Business urgency depends on whether affected Linux kernels are present in systems where untrusted local workloads can reach nftables functionality.
Executive priority
Treat this as a kernel maintenance priority, not an emergency based on current evidence. Move faster for shared compute, hosting, CI, or container platforms where untrusted workloads run on affected kernels.
Technical view
The flaw is in netfilter nftables nft_hash_buckets(). Bucket counts stored in 32-bit variables can overflow, leading to shift-out-of-bounds behavior during nft_hash_estimate() and nf_tables_newset() processing over nfnetlink. The source bundle lists Linux stable fixes and affected kernel version data, but provides no CVSS, CWE, or complete impact statement.
Likely exposure
Likely exposure is Linux hosts running affected kernel versions with nftables support. The source bundle does not state privilege requirements, exploitability, or distribution package mappings, so exposure should be validated against each vendor kernel build and backport status.
Exploitation context
The record cites syzbot injecting an extreme size value and triggering UBSAN shift-out-of-bounds. CISA KEV status is false, and the bundle provides no evidence of active exploitation, public exploit use, or attacker impact beyond the reported kernel bug path.
Researcher notes
Evidence is limited to the CVE record and kernel stable references. The available text identifies the vulnerable code path and syzbot trigger but not practical exploitability, required privileges, confidentiality or integrity impact, or distribution-specific fixed package versions.
Mitigation direction
Update to a Linux stable kernel containing the referenced nftables fixes.
Check distribution vendor advisories for backported kernel packages.
Prioritize hosts running affected kernels and using nftables.
Restrict nftables administration to trusted privileged operators.
Monitor vendor guidance for impact or exploitability updates.
Validation and detection
Inventory Linux kernel versions across servers, containers hosts, and appliances.
Compare kernel builds with vendor backport advisories and referenced stable commits.
Confirm whether nftables is enabled or operationally required on exposed systems.
Review kernel logs for related UBSAN or nftables set creation failures.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2021-46992 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.