Cyber Resilience

CVE-2021-22555

High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 07 July 2021

Modified: 27 October 2025
KEV Added: 06 October 2025
Patch
CVSS v3.1 Score: 8.3 (CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.8524 (99.4th percentile)
Risk Priority: 88 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2021-22555 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in the Linux kernel. Its CVSS base score is 8.3 (High).

Operationally, it ranks in the top 0.6% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-2 (Flaw Remediation).

Deeper analysis

A heap out-of-bounds write vulnerability was discovered in the Linux kernel's net/netfilter/x_tables.c file, affecting versions since v2.6.19-rc1. The flaw, assigned CVE-2021-22555 and CWE-787, resides in the netfilter subsystem and can result in heap memory corruption.

An attacker with access to a user namespace can exploit the issue to escalate privileges or trigger a denial of service. The vulnerability carries a CVSS 3.1 score of 8.3, reflecting an adjacent-network attack vector with high complexity but no required privileges or user interaction, and potential impact across confidentiality, integrity, and availability in certain configurations.

Public references include multiple kernel live-patch notices (LSN-0080-1, LSN-0081-1, LSN-0083-1) that address the flaw, along with proof-of-concept code demonstrating privilege-escalation and heap-out-of-bounds write exploitation.

EU & UK References

Vulnerability details

A heap out-of-bounds write affecting Linux since v2.6.19-rc1 was discovered in net/netfilter/x_tables.c. This allows an attacker to gain privileges or cause a DoS (via heap memory corruption) through user namespaces.

CWE(s): CWE-787 (Out-of-bounds Write)
KEV Date Added: 06 October 2025

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor  | Product                 | Versions
netapp  | c400 firmware           | all versions
netapp  | c250 firmware           | all versions
netapp  | h410c firmware          | all versions
netapp  | h300s firmware          | all versions
netapp  | h500s firmware          | all versions
netapp  | h700s firmware          | all versions
netapp  | h410s firmware          | all versions
linux   | linux kernel            | 2.6.19 — 4.4.267 · 4.5 — 4.9.267 · 4.10 — 4.14.231
brocade | fabric operating system | all versions
netapp  | fas 8300 firmware       | all versions

+11 more product configuration(s) — see NVD for full list

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

Prevent: Directly requires timely application of the published kernel live patches that eliminate the out-of-bounds write in x_tables.c.

Prevent: Enforces least-privilege restrictions on user-namespace creation and NET_ADMIN capabilities required to reach the vulnerable netfilter path.

Prevent: Kernel memory-protection mechanisms can detect or block the heap corruption that results from successful exploitation of the flaw.
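As an added illustration of the patching and least-privilege controls above (example code, not from this page or the kernel project), the following POSIX shell check compares the running kernel against the three version ranges listed under Affected Assets and reports whether unprivileged user namespaces appear restricted. It assumes `uname -r` and `sysctl` are available; because distributions backport fixes and NVD lists further configurations, a range match means "verify patch status", not "confirmed vulnerable".

```shell
# Added example (not from this page or the kernel project). Ranges are the three
# listed under Affected Assets; NVD lists further configurations, and distros
# backport fixes, so a match is a prompt to verify patch status, not proof.
# Compare dotted versions: prints -1, 0 or 1 for $1 <, =, > $2.
vercmp() {
  a=$1; b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai=${a%%.*}; bi=${b%%.*}
    [ "$ai" = "$a" ] && a= || a=${a#*.}
    [ "$bi" = "$b" ] && b= || b=${b#*.}
    if [ "${ai:-0}" -lt "${bi:-0}" ]; then printf '%s\n' -1; return; fi
    if [ "${ai:-0}" -gt "${bi:-0}" ]; then printf '%s\n' 1; return; fi
  done
  printf '%s\n' 0
}

# True (0) when $1 lies in a range this page lists for the Linux kernel.
in_affected_range() {
  v=$1
  for range in "2.6.19 4.4.267" "4.5 4.9.267" "4.10 4.14.231"; do
    set -- $range
    if [ "$(vercmp "$v" "$1")" -ge 0 ] && [ "$(vercmp "$v" "$2")" -le 0 ]; then
      return 0
    fi
  done
  return 1
}

# True (0) when unprivileged user namespaces, the path this flaw is reached
# through, look restricted. kernel.unprivileged_userns_clone exists only on
# Debian/Ubuntu kernels (assumption); user.max_user_namespaces is upstream.
userns_restricted() {
  max=$(sysctl -n user.max_user_namespaces 2>/dev/null || echo unknown)
  clone=$(sysctl -n kernel.unprivileged_userns_clone 2>/dev/null || echo unknown)
  echo "user.max_user_namespaces=$max kernel.unprivileged_userns_clone=$clone"
  [ "$max" = 0 ] || [ "$clone" = 0 ]
}

main() {
  running=$(uname -r | sed 's/[^0-9.].*//')   # strip "-generic" style suffixes
  if in_affected_range "$running"; then
    echo "kernel $running: inside a listed CVE-2021-22555 range; confirm live patch/backport"
  else
    echo "kernel $running: outside the ranges listed here; check NVD for the rest"
  fi
  userns_restricted || echo "unprivileged user namespaces available; review AC-6 restrictions"
}
main "$@"
```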

References