In the Linux kernel, the following vulnerability has been resolved:
net: stmmac: fix tc flower deletion for VLAN priority Rx steering
To replicate the issue:-
1) Add 1 flower filter for VLAN Priority based frame steering:-
$ IFDEVNAME=eth0
$ tc qdisc add dev $IFDEVNAME ingress
$ tc qdisc add dev $IFDEVNAME root mqprio num_tc 8 \
map 0 1 2 3 4 5 6 7 0 0 0 0 0 0 0 0 \
queues 1@0 1@1 1@2 1@3 1@4 1@5 1@6 1@7 hw 0
$ tc filter add dev $IFDEVNAME parent ffff: protocol 802.1Q \
flower vlan_prio 0 hw_tc 0
2) Get the 'pref' id
$ tc filter show dev $IFDEVNAME ingress
3) Delete a specific tc flower record (say pref 49151)
$ tc filter del dev $IFDEVNAME parent ffff: pref 49151
From dmesg, we will observe kernel NULL pointer ooops
[ 197.170464] BUG: kernel NULL pointer dereference, address: 0000000000000000
[ 197.171367] #PF: supervisor read access in kernel mode
[ 197.171367] #PF: error_code(0x0000) - not-present page
[ 197.171367] PGD 0 P4D 0
[ 197.171367] Oops: 0000 [#1] PREEMPT SMP NOPTI
<snip>
[ 197.171367] RIP: 0010:tc_setup_cls+0x20b/0x4a0 [stmmac]
<snip>
[ 197.171367] Call Trace:
[ 197.171367] <TASK>
[ 197.171367] ? __stmmac_disable_all_queues+0xa8/0xe0 [stmmac]
[ 197.171367] stmmac_setup_tc_block_cb+0x70/0x110 [stmmac]
[ 197.171367] tc_setup_cb_destroy+0xb3/0x180
[ 197.171367] fl_hw_destroy_filter+0x94/0xc0 [cls_flower]
The above issue is due to previous incorrect implementation of
tc_del_vlan_flow(), shown below, that uses flow_cls_offload_flow_rule()
to get struct flow_rule *rule which is no longer valid for tc filter
delete operation.
struct flow_rule *rule = flow_cls_offload_flow_rule(cls);
struct flow_dissector *dissector = rule->match.dissector;
So, to ensure tc_del_vlan_flow() deletes the right VLAN cls record for
earlier configured RX queue (configured by hw_tc) in tc_add_vlan_flow(),
this patch introduces stmmac_rfs_entry as driver-side flow_cls_offload
record for 'RX frame steering' tc flower, currently used for VLAN
priority. The implementation has taken consideration for future extension
to include other type RX frame steering such as EtherType based.
v2:
- Clean up overly extensive backtrace and rewrite git message to better
explain the kernel NULL pointer issue.
Security readout for executives and security teams
Plain-English summary
CVE-2021-47592 is a Linux kernel denial-of-service flaw in the stmmac Ethernet driver. A local user with relevant privileges can trigger a kernel NULL pointer crash when deleting a specific tc flower VLAN priority steering rule. The known impact is availability loss, not data theft or tampering.
Executive priority
Treat this as a targeted availability risk for affected Linux network interfaces, not a broad internet-facing compromise. Patch through normal kernel maintenance, with faster handling for appliances, edge systems, or production hosts using stmmac and traffic-control steering.
Technical view
The bug is a CWE-476 NULL pointer dereference in stmmac tc flower deletion for VLAN priority Rx steering. During tc filter delete, the driver used flow_cls_offload_flow_rule() even though that rule is no longer valid for delete operations, leading to a kernel oops in tc_setup_cls().
Likely exposure
Exposure is limited to Linux systems using the stmmac Ethernet driver and tc flower VLAN priority hardware steering. General Linux hosts without this driver or traffic-control configuration are less likely to be affected based on the provided sources.
Exploitation context
The source describes local reproduction using tc traffic-control operations and reports a kernel NULL pointer oops. The CVSS vector is local, low complexity, low privileges, no user interaction, and high availability impact. KEV is false, and no cited source confirms active exploitation.
Researcher notes
Evidence supports a driver-side delete-path NULL dereference with availability impact. The provided bundle does not show confidentiality or integrity impact, remote reachability, or active exploitation. Avoid broad claims beyond stmmac, tc flower, VLAN priority Rx steering, and the referenced Linux stable fixes.
Mitigation direction
Apply Linux kernel or distribution updates containing the referenced stable fixes.
Prioritize systems using stmmac Ethernet hardware and tc flower VLAN steering.
Check vendor kernel advisories before assuming a specific downstream version is fixed.
Restrict traffic-control administration to trusted operators.
Monitor affected hosts for kernel oops or unexpected reboots.
Validation and detection
Inventory Linux hosts using the stmmac Ethernet driver.
Identify systems using tc flower filters for VLAN priority Rx steering.
Compare running kernel builds against vendor advisories or referenced stable commits.
Review logs for stmmac, tc_setup_cls, or NULL pointer oops messages.
Confirm updated kernels remain stable during normal network policy changes.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-476: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-476 · source CWE mapping
NULL Pointer Dereference
NULL Pointer Dereference represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.