Search
On this page ▾
CVE-2021-22555 — Linux Kernel Heap Out-of-Bounds Write Vulnerability

CVE-2021-22555

Linux Netfilter (Xtables) — Heap OOB Write via User Namespace Enables Container Escape and Local Privilege Escalation to Root; Kernel 2.6.19–5.12 Affected
⚠️ CVSS 3.1  8.3 / 10 — HIGH 🔴 CISA Known Exploited Vulnerability

What is Linux Netfilter and Xtables?

Netfilter is the Linux kernel's packet filtering framework — the foundation for iptables, nftables, and Linux firewalling. The Xtables (x_tables) subsystem within Netfilter manages match and target modules used to define packet filtering rules. Xtables processes rule configurations supplied by user-space tools (iptables, ip6tables), and critically, it is accessible through user namespaces — an unprivileged Linux feature that allows processes to have their own isolated view of system resources. Because user namespaces grant access to Netfilter configuration APIs without requiring root, vulnerabilities in Xtables that are reachable through user namespaces allow unprivileged users — including processes running inside containers — to trigger kernel memory corruption and escalate to root.

Overview

CVE-2021-22555 is a heap out-of-bounds write vulnerability (CWE-787) in the Linux kernel's Netfilter Xtables subsystem, exploitable through Linux user namespaces to achieve local privilege escalation to root and container escape. The vulnerability exists in xt_compat_target_from_user() — a function handling 32-bit compatibility mode for Xtables — which writes one or two zero bytes beyond an allocated heap buffer. This small OOB write is sufficient to corrupt adjacent kernel heap structures and escalate privileges. The bug has existed since Linux kernel 2.6.19 (2006) and was patched in Linux 5.12.9. Google Security Research published a working proof-of-concept exploit. CISA added this to KEV in October 2025.

Affected Versions

Product Vulnerable Fixed
Linux kernel 2.6.19 through 5.12.8 Yes Linux 5.12.9 (2021-06-07)
Ubuntu, Debian, RHEL, CentOS (unpatched) Yes Distro-specific kernel update
Container environments with user namespaces enabled Yes Kernel patch + disable user namespaces if not needed

Technical Details

  • Root cause: Heap out-of-bounds write (CWE-787) in xt_compat_target_from_user() — in the 32-bit compatibility path for Xtables target processing, a size alignment calculation uses the wrong alignment value, resulting in a write of 1–2 zero bytes beyond the end of a heap-allocated buffer
  • User namespace access: Linux user namespaces allow unprivileged processes to access Netfilter/iptables configuration APIs; an unprivileged process (or process in a container) creates a user namespace and uses the iptables API to trigger the vulnerable code path without requiring CAP_NET_ADMIN privileges outside the namespace
  • Heap exploitation: The small OOB zero write corrupts an adjacent heap object — typically a msg_msg structure (used by System V message queues); with heap grooming, the corruption enables kernel heap read/write primitives, leading to overwriting a process's credentials structure and setting UID/GID to 0 (root)
  • Container escape: In containerized environments (Docker, Kubernetes) where user namespaces are enabled, a process within a container can exploit this to escape the container and gain root on the host
  • Scope: Changed (S:C): The container escape scenario justifies the Scope: Changed CVSS value — the attacker starts in an isolated container and impacts the host system outside the container boundary
  • Long-lived bug: The vulnerable code existed since Linux 2.6.19 (released November 2006) — a 15-year-old bug that affected virtually all deployed Linux systems

Discovery

Discovered by Andy Nguyen (theflow0) of Google Security Research. Google published the advisory and a detailed proof-of-concept exploit on July 7, 2021, after the kernel patch had been released in June 2021. The PoC demonstrated reliable local root privilege escalation on Ubuntu 20.04 LTS.

Exploitation Context

CVE-2021-22555 is particularly significant for cloud and container security: it enables a compromised container to escape to root on the host, defeating a primary security boundary of containerized environments. The CISA KEV addition in October 2025 — over four years after the patch — reflects exploitation of this vulnerability against Linux servers, cloud infrastructure, and containerized environments that were never updated. Long-lived Linux kernel vulnerabilities are commonly exploited by threat actors targeting Linux-based web servers, cloud instances, and NAS/IoT devices where kernel patching may be infrequent or deferred.

Remediation

  1. Update the Linux kernel to 5.12.9 or later (or the equivalent patched version from your Linux distribution's security repository)
  2. For Ubuntu: apt update && apt upgrade linux-image-generic; for RHEL/CentOS: yum update kernel; for Debian: apt update && apt upgrade linux-image-amd64
  3. Reboot after kernel update — the new kernel takes effect only after reboot
  4. Mitigate without patching: Disable unprivileged user namespaces if not required:
    sysctl -w kernel.unprivileged_userns_clone=0
    (Ubuntu) or set user.max_user_namespaces=0 in sysctl
  5. For container environments: use a container runtime that does not rely on unprivileged user namespaces (e.g., configure Docker/Kubernetes to use a patched host kernel); audit whether containers run with elevated namespace capabilities
  6. Monitor for exploit indicators: unexpected root process spawning from container processes, unusual iptables/ip6tables system calls from non-privileged processes

Key Details

PropertyValue
CVE ID CVE-2021-22555
Vendor / Product Linux — Kernel
NVD Published2021-07-07
NVD Last Modified2025-10-27
CVSS 3.1 Score8.3
CVSS 3.1 VectorCVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
SeverityHIGH
CWE CWE-787 find similar ↗
CISA KEV Added2025-10-06
CISA KEV Deadline2025-10-27
Known Ransomware Use No

CVSS 3.1 Breakdown

Attack Vector
Adjacent
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Required Action

CISA BOD 22-01 Deadline: 2025-10-27. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

DateEvent
2021-05-07Linux kernel fix committed to mainline — patch for xt_compat_target_from_user() OOB write
2021-06-07Fix included in Linux 5.12.9 stable release
2021-07-07Google Security Research publishes CVE-2021-22555 advisory and proof-of-concept exploit; CVE published
2021-08-05NetApp advisory published for affected storage products
2025-10-06Added to CISA Known Exploited Vulnerabilities catalog — reflecting continued exploitation against unpatched Linux systems over four years later
2025-10-27CISA BOD 22-01 remediation deadline

References

ResourceType
Linux Kernel Git — Patch commit for CVE-2021-22555 Patch
Google Security Research — CVE-2021-22555 Advisory Security Research
NetApp Advisory NTAP-20210805-0010 Vendor Advisory
NVD — CVE-2021-22555 Vulnerability Database
CISA KEV Catalog Entry US Government

Last updated: 2026-05-24

Suggest an update ↗

Gavin Hollinger & AI assembled this air-gap friendly HTML