Security readout for executives and security teams
Plain-English summary
This Linux kernel issue affects Multipath TCP handling. Deleting an MPTCP endpoint could unexpectedly close a listening socket and trigger a kernel NULL pointer dereference. The main business risk shown by the sources is availability impact on systems using affected Linux kernels with MPTCP functionality.
Executive priority
Treat this as a targeted availability risk, not an internet-wide emergency based on current evidence. Patch during normal kernel maintenance, with higher priority for infrastructure using MPTCP or custom networking features.
Technical view
The MPTCP netlink path manager traversed local MPTCP sockets during endpoint deletion without excluding TCP_LISTEN sockets. If a listener was bound to the matching IP, its TCP listener could be closed, and syzbot demonstrated a NULL pointer dereference during accept handling. The fix explicitly skips MPTCP sockets in TCP_LISTEN state.
Likely exposure
Exposure is most likely on Linux systems running affected kernel versions around 5.13, 5.15.11, or 5.16 where MPTCP is enabled or used. The source bundle does not establish exposure for specific distributions, appliances, or managed services.
Exploitation context
The sources describe syzbot-triggered kernel crash behavior, not real-world exploitation. CISA KEV is false, and no cited source in the bundle reports active exploitation. Required privileges or remote reachability are not fully established by the provided evidence.
Researcher notes
The CVE record ties the bug to MPTCP path manager endpoint deletion and listener sockets. Affected-version data is sparse and commit-oriented, so distribution backport checks matter. No CVSS, CWE, or exploitation evidence is provided in the source bundle.
Mitigation direction
Upgrade to a vendor kernel containing the referenced stable fixes.
Prioritize systems that enable or rely on MPTCP.
Check Linux distribution advisories for backported fix status.
If patching is delayed, follow vendor guidance for temporary risk reduction.
Validation and detection
Inventory Linux kernel versions on systems where MPTCP may be enabled.
Confirm whether vendor packages include the referenced stable commits.
Review kernel configuration and runtime use of MPTCP.
Monitor for kernel crash reports involving MPTCP endpoint deletion or accept paths.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2021-47594 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.