{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-08T15:21:12.028","vulnerabilities":[{"cve":{"id":"CVE-2021-47304","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2024-05-21T15:15:18.110","lastModified":"2025-05-12T20:00:45.173","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: fix tcp_init_transfer() to not reset icsk_ca_initialized\n\nThis commit fixes a bug (found by syzkaller) that could cause spurious\ndouble-initializations for congestion control modules, which could cause\nmemory leaks or other problems for congestion control modules (like CDG)\nthat allocate memory in their init functions.\n\nThe buggy scenario constructed by syzkaller was something like:\n\n(1) create a TCP socket\n(2) initiate a TFO connect via sendto()\n(3) while socket is in TCP_SYN_SENT, call setsockopt(TCP_CONGESTION),\n    which calls:\n       tcp_set_congestion_control() ->\n         tcp_reinit_congestion_control() ->\n           tcp_init_congestion_control()\n(4) receive ACK, connection is established, call tcp_init_transfer(),\n    set icsk_ca_initialized=0 (without first calling cc->release()),\n    call tcp_init_congestion_control() again.\n\nNote that in this sequence tcp_init_congestion_control() is called\ntwice without a cc->release() call in between. Thus, for CC modules\nthat allocate memory in their init() function, e.g, CDG, a memory leak\nmay occur. The syzkaller tool managed to find a reproducer that\ntriggered such a leak in CDG.\n\nThe bug was introduced when that commit 8919a9b31eb4 (\"tcp: Only init\ncongestion control if not initialized already\")\nintroduced icsk_ca_initialized and set icsk_ca_initialized to 0 in\ntcp_init_transfer(), missing the possibility for a sequence like the\none above, where a process could call setsockopt(TCP_CONGESTION) in\nstate TCP_SYN_SENT (i.e. after the connect() or TFO open sendmsg()),\nwhich would call tcp_init_congestion_control(). It did not intend to\nreset any initialization that the user had already explicitly made;\nit just missed the possibility of that particular sequence (which\nsyzkaller managed to find)."},{"lang":"es","value":"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: tcp: corrige tcp_init_transfer() para no restablecer icsk_ca_initialized Esta confirmación corrige un error (encontrado por syzkaller) que podría causar dobles inicializaciones falsas para los módulos de control de congestión, lo que podría causar pérdidas de memoria o Otros problemas para los módulos de control de congestión (como CDG) que asignan memoria en sus funciones de inicio. El escenario con errores construido por syzkaller era algo así como: (1) crear un socket TCP (2) iniciar una conexión TFO a través de sendto() (3) mientras el socket está en TCP_SYN_SENT, llamar a setsockopt(TCP_CONGESTION), que llama a: tcp_set_congestion_control() - > tcp_reinit_congestion_control() -> tcp_init_congestion_control() (4) recibe ACK, se establece la conexión, llama a tcp_init_transfer(), establece icsk_ca_initialized=0 (sin llamar primero a cc->release()), llama a tcp_init_congestion_control() nuevamente. Tenga en cuenta que en esta secuencia tcp_init_congestion_control() se llama dos veces sin una llamada cc->release() en el medio. Por lo tanto, para los módulos CC que asignan memoria en su función init(), por ejemplo, CDG, puede ocurrir una pérdida de memoria. La herramienta syzkaller logró encontrar un reproductor que desencadenó dicha filtración en CDG. El error se introdujo cuando la confirmación 8919a9b31eb4 (\"tcp: solo inicia el control de congestión si aún no está inicializado\") introdujo icsk_ca_initialized y estableció icsk_ca_initialized en 0 en tcp_init_transfer(), perdiendo la posibilidad de una secuencia como la anterior, donde un proceso podría llamar setsockopt(TCP_CONGESTION) en el estado TCP_SYN_SENT (es decir, después de connect() o TFO open sendmsg()), que llamaría a tcp_init_congestion_control(). No tenía la intención de restablecer ninguna inicialización que el usuario ya hubiera realizado explícitamente; simplemente perdió la posibilidad de esa secuencia particular (que Syzkaller logró encontrar)."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-415"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.10","versionEndExcluding":"5.10.53","matchCriteriaId":"3DEFC6EF-3F05-496C-9CCD-DF3BDE77EC04"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.11","versionEndExcluding":"5.13.5","matchCriteriaId":"808DF8D9-4913-4CC7-B91F-B4146556B7ED"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:5.14:rc1:*:*:*:*:*:*","matchCriteriaId":"71268287-21A8-4488-AA4F-23C473153131"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/ad4ba3404931745a5977ad12db4f0c34080e52f7","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/be5d1b61a2ad28c7e57fe8bfa277373e8ecffcdc","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/fe77b85828ca9ddc42977b79de9e40d18545b4fe","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/ad4ba3404931745a5977ad12db4f0c34080e52f7","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/be5d1b61a2ad28c7e57fe8bfa277373e8ecffcdc","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/fe77b85828ca9ddc42977b79de9e40d18545b4fe","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"]}]}}]}