CVE-2021-22555
Published: 07 July 2021
Summary
CVE-2021-22555 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in the Linux kernel. Its CVSS base score is 8.3 (High).
Operationally, it ranks in the top 0.6% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-2 (Flaw Remediation).
Deeper analysis
A heap out-of-bounds write vulnerability was discovered in the Linux kernel's net/netfilter/x_tables.c file, affecting versions since v2.6.19-rc1. The flaw, assigned CVE-2021-22555 and CWE-787, resides in the netfilter subsystem and can result in heap memory corruption.
An attacker with access to a user namespace can exploit the issue to escalate privileges or trigger a denial of service. The vulnerability carries a CVSS 3.1 score of 8.3, reflecting an adjacent-network attack vector with high complexity but no required privileges or user interaction, and potential impact across confidentiality, integrity, and availability in certain configurations.
Public references include multiple kernel live-patch notices (LSN-0080-1, LSN-0081-1, LSN-0083-1) that address the flaw, along with proof-of-concept code demonstrating privilege-escalation and heap-out-of-bounds write exploitation.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-9696
Vulnerability details
A heap out-of-bounds write affecting Linux since v2.6.19-rc1 was discovered in net/netfilter/x_tables.c. This allows an attacker to gain privileges or cause a DoS (via heap memory corruption) through user name space.
- CWE(s): CWE-787
- KEV Date Added: 06 October 2025
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
Directly requires timely application of the published kernel live patches that eliminate the out-of-bounds write in x_tables.c.
Enforces least-privilege restrictions on user-namespace creation and NET_ADMIN capabilities required to reach the vulnerable netfilter path.
Kernel memory-protection mechanisms can detect or block the heap corruption that results from successful exploitation of the flaw.
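One way to check the user-namespace restriction named above on a host, as an added example that is not part of the original page: it reads `user.max_user_namespaces` and the Debian/Ubuntu-specific `kernel.unprivileged_userns_clone`. The function names, output strings and the optional alternate-root argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original page): report whether unprivileged
# users can create user namespaces, the precondition the page names for
# reaching the vulnerable netfilter path.

# Print a sysctl file's value with whitespace stripped; print nothing if absent.
read_sysctl() {
    if [ -r "$1" ]; then tr -d ' \t\n' < "$1"; fi
}

# userns_exposure [ROOT]
# ROOT defaults to /proc/sys; passing another directory lets the check run
# against a copied or constructed sysctl tree (assumption of this example).
userns_exposure() {
    root="${1:-/proc/sys}"
    max=$(read_sysctl "$root/user/max_user_namespaces")
    clone=$(read_sysctl "$root/kernel/unprivileged_userns_clone")

    if [ -z "$max" ] && [ -z "$clone" ]; then
        # Neither knob present: old kernel or user namespaces not built in.
        echo "unknown: no user namespace sysctls under $root"
    elif [ "$max" = "0" ]; then
        # A limit of zero blocks user namespace creation for every user.
        echo "restricted: user.max_user_namespaces=0"
    elif [ "$clone" = "0" ]; then
        # Debian/Ubuntu kernels only; the file is absent elsewhere.
        echo "restricted: kernel.unprivileged_userns_clone=0"
    else
        echo "exposed: unprivileged user namespaces allowed (max=${max:-unset})"
    fi
}

userns_exposure "$@"
```

An "exposed" result only means the user-namespace precondition is met; whether the kernel still contains the flaw depends on the installed kernel or live-patch level, which this check does not inspect.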