LiveActive security incident?Get immediate response
CVE Record

CVE-2021-46992: netfilter: nftables: avoid overflows in nft_hash_buckets()

In the Linux kernel, the following vulnerability has been resolved: netfilter: nftables: avoid overflows in nft_hash_buckets() Number of buckets being stored in 32bit variables, we have to ensure that no overflows occur in nft_hash_buckets() syzbot injected a size == 0x40000000 and reported: UBSAN: shift-out-of-bounds in ./include/linux/log2.h:57:13 shift exponent 64 is too large for 64-bit type 'long unsigned int' CPU: 1 PID: 29539 Comm: syz-executor.4 Not tainted 5.12.0-rc7-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:79 [inline] dump_stack+0x141/0x1d7 lib/dump_stack.c:120 ubsan_epilogue+0xb/0x5a lib/ubsan.c:148 __ubsan_handle_shift_out_of_bounds.cold+0xb1/0x181 lib/ubsan.c:327 __roundup_pow_of_two include/linux/log2.h:57 [inline] nft_hash_buckets net/netfilter/nft_set_hash.c:411 [inline] nft_hash_estimate.cold+0x19/0x1e net/netfilter/nft_set_hash.c:652 nft_select_set_ops net/netfilter/nf_tables_api.c:3586 [inline] nf_tables_newset+0xe62/0x3110 net/netfilter/nf_tables_api.c:4322 nfnetlink_rcv_batch+0xa09/0x24b0 net/netfilter/nfnetlink.c:488 nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:612 [inline] nfnetlink_rcv+0x3af/0x420 net/netfilter/nfnetlink.c:630 netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline] netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1338 netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1927 sock_sendmsg_nosec net/socket.c:654 [inline] sock_sendmsg+0xcf/0x120 net/socket.c:674 ____sys_sendmsg+0x6e8/0x810 net/socket.c:2350 ___sys_sendmsg+0xf3/0x170 net/socket.c:2404 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2433 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysisunknown

Security readout for executives and security teams

Plain-English summary

CVE-2021-46992 is a Linux kernel nftables bug where very large set sizing can overflow internal bucket calculations. The public record shows a syzbot-discovered crash condition, not confirmed real-world exploitation. Business urgency depends on whether affected Linux kernels are present in systems where untrusted local workloads can reach nftables functionality.

Executive priority

Treat this as a kernel maintenance priority, not an emergency based on current evidence. Move faster for shared compute, hosting, CI, or container platforms where untrusted workloads run on affected kernels.

Technical view

The flaw is in netfilter nftables nft_hash_buckets(). Bucket counts stored in 32-bit variables can overflow, leading to shift-out-of-bounds behavior during nft_hash_estimate() and nf_tables_newset() processing over nfnetlink. The source bundle lists Linux stable fixes and affected kernel version data, but provides no CVSS, CWE, or complete impact statement.

Likely exposure

Likely exposure is Linux hosts running affected kernel versions with nftables support. The source bundle does not state privilege requirements, exploitability, or distribution package mappings, so exposure should be validated against each vendor kernel build and backport status.

Exploitation context

The record cites syzbot injecting an extreme size value and triggering UBSAN shift-out-of-bounds. CISA KEV status is false, and the bundle provides no evidence of active exploitation, public exploit use, or attacker impact beyond the reported kernel bug path.

Researcher notes

Evidence is limited to the CVE record and kernel stable references. The available text identifies the vulnerable code path and syzbot trigger but not practical exploitability, required privileges, confidentiality or integrity impact, or distribution-specific fixed package versions.

Mitigation direction

  • Update to a Linux stable kernel containing the referenced nftables fixes.
  • Check distribution vendor advisories for backported kernel packages.
  • Prioritize hosts running affected kernels and using nftables.
  • Restrict nftables administration to trusted privileged operators.
  • Monitor vendor guidance for impact or exploitability updates.

Validation and detection

  • Inventory Linux kernel versions across servers, containers hosts, and appliances.
  • Compare kernel builds with vendor backport advisories and referenced stable commits.
  • Confirm whether nftables is enabled or operationally required on exposed systems.
  • Review kernel logs for related UBSAN or nftables set creation failures.
Prepared
Confidence
medium
Sources
9

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2021-46992 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
2ADP providers
8Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: partial

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CISA-ADPCISA ADP Vulnrichment
other:ssvc
CVECVE Program Container
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinux0ed6389c483dc77cdbdd48de0ca7ce41723dd667, 0ed6389c483dc77cdbdd48de0ca7ce41723dd667, 0ed6389c483dc77cdbdd48de0ca7ce41723dd667, 0ed6389c483dc77cdbdd48de0ca7ce41723dd667, 0ed6389c483dc77cdbdd48de0ca7ce41723dd667, 0ed6389c483dc77cdbdd48de0ca7ce41723dd667, 0ed6389c483dc77cdbdd48de0ca7ce41723dd667unaffected
LinuxLinux4.9, 0, 4.14.233, 4.19.191, 5.4.120, 5.10.38, 5.11.22, 5.12.5, 5.13affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.