CVE-2021-22600 — Linux Kernel Privilege Escalation Vulnerability

CVE-2021-22600

Linux Kernel AF_PACKET Socket — Double-Free in Packet Socket Implementation Enables Local Privilege Escalation and Container Escape to Host Root

What is Linux AF_PACKET?

The Linux AF_PACKET socket family provides raw packet access to network interfaces — allowing user-space applications to send and receive network packets at the data link layer, bypassing normal network stack processing. AF_PACKET is used by tools like tcpdump, Wireshark, and network monitoring software. When a process creates an AF_PACKET socket with a ring buffer (PACKET_RX_RING or PACKET_TX_RING), the kernel allocates a shared memory region mapped between user space and kernel space. Double-free vulnerabilities in the ring buffer management code allow a local attacker to trigger kernel memory corruption — potentially enabling privilege escalation from a low-privilege user to root, or container escape when the attacker has access to AF_PACKET in a containerized environment.

Overview

CVE-2021-22600 is a double-free vulnerability (CWE-415) in the Linux kernel's AF_PACKET socket implementation (packet_set_ring function). A local user with access to AF_PACKET sockets can trigger incorrect memory freeing, leading to heap corruption exploitable for privilege escalation or denial of service. The Scope: Changed (S:C) classification reflects that in containerized environments, exploitation can escape the container boundary to affect the host kernel. The vulnerability requires High Complexity and User Interaction in addition to local access, reflecting the need for specific timing or triggering conditions. Patched in Linux kernel versions 5.15.11, 5.10.88, 5.4.168, 4.19.222 and later. CISA added it to the KEV catalog in April 2022.

Affected Versions

Product                                       Vulnerable   Fixed
Linux kernel before 5.15.11 (5.15.x branch)   Yes          5.15.11
Linux kernel before 5.10.88 (LTS)             Yes          5.10.88
Linux kernel before 5.4.168 (LTS)             Yes          5.4.168
Linux kernel before 4.19.222 (LTS)            Yes          4.19.222

Technical Details

  • Root cause: Double-free (CWE-415) in packet_set_ring() — the AF_PACKET ring buffer setup code incorrectly frees a kernel memory object under certain conditions (likely during error handling or ring buffer reconfiguration), allowing the same memory region to be freed twice; the second free corrupts the kernel's allocator metadata for the freed block
  • Kernel heap corruption: A double-free in the kernel heap (slab/slub allocator) allows the attacker to control what object occupies the freed memory — by using kernel heap spray techniques to allocate a sensitive kernel object (such as a credential structure or function pointer table) in the freed slot, the attacker achieves type confusion and can overwrite kernel security data
  • Container escape via S:C: In Linux container environments (Docker, Kubernetes, LXC), if the container has CAP_NET_RAW capability (required for AF_PACKET), CVE-2021-22600 can be exploited to corrupt the host kernel's memory from within the container — escaping the container's namespaces and cgroups to achieve root on the host
  • AC:H complexity: The double-free requires specific timing or conditions (such as concurrent operations or specific kernel state) — not trivially exploitable but demonstrated as exploitable by researchers with kernel exploitation experience
  • Denial of service alternative: Even without achieving privilege escalation, the double-free can reliably crash the kernel (A:H availability impact) — useful for disruption attacks targeting Linux servers or containers

Discovery

Disclosed on the oss-security mailing list in December 2021 after kernel patches were released. The CISA KEV addition in April 2022 reflects active exploitation in container escape attacks — specifically cases where the vulnerability was used to break out of containerized environments with CAP_NET_RAW capability in cloud or Kubernetes deployments.

Exploitation Context

CVE-2021-22600 is particularly significant in containerized cloud environments. The default Docker and Kubernetes container configurations may include CAP_NET_RAW — the capability that enables AF_PACKET socket access. An attacker with code execution inside a container (via a web application vulnerability, misconfigured service, or supply chain compromise) who encounters a kernel vulnerable to CVE-2021-22600 can exploit the double-free to escape the container and achieve root on the Kubernetes node or Docker host. This pivots from application-level container compromise to full host compromise, potentially exposing all containers on the same node, cloud credentials, and host filesystem access.

Remediation

  1. Update the Linux kernel to the patched versions: 5.15.11 (mainline), 5.10.88 (LTS), 5.4.168 (LTS), 4.19.222 (LTS), or any later release
  2. For cloud instances and servers: apply OS vendor kernel updates — Ubuntu, Red Hat, Debian, SUSE, and other distributions released kernel updates addressing CVE-2021-22600 in late 2021/early 2022
  3. For container environments: restrict CAP_NET_RAW from containers that don't require raw packet access — use --cap-drop=NET_RAW for Docker containers; apply PodSecurityAdmission or OPA/Gatekeeper policies in Kubernetes to restrict capabilities
  4. Enable seccomp profiles that block socket(AF_PACKET, ...) syscalls for containers that don't require raw packet access
  5. Use Kernel Self-Protection (KSPP) hardening: KASLR, SMEP, SMAP, and stack protections limit the exploitation surface for kernel double-free vulnerabilities
  6. Monitor container runtime logs for unexpected capability usage and privilege escalation attempts
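As an added example (not taken from the advisory, the kernel project or any distribution), the POSIX shell script below covers remediation steps 1, 3 and 4: it classifies a kernel version string against the fixed releases listed above, and it emits a Docker-style seccomp profile that turns socket(AF_PACKET, ...) into EPERM for containers that do not need raw packet access. The fixed versions are the advisory's; the function names, the suggested script name, the treatment of 5.16 and later as patched (the advisory's "and later"), and the JSON layout are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the advisory or the kernel project.
# Helpers for the remediation steps above:
#   1. classify a kernel version against the fixed releases the advisory lists
#      (5.15.11, 5.10.88, 5.4.168, 4.19.222 and later);
#   2. emit a seccomp profile that denies socket(AF_PACKET, ...).
# Fixed versions come from the advisory; everything else here is assumed.

# Keep only the leading "major.minor.patch" digits of a uname -r string,
# e.g. "5.10.0-23-amd64" -> "5.10.0", "5.15.11-generic" -> "5.15.11".
numeric_version() {
    printf '%s\n' "$1" | sed 's/[^0-9.].*//'
}

# version_ge A B: succeed (exit 0) when dotted version A >= B, comparing up
# to three numeric components; missing components count as 0.
version_ge() {
    left=$1; right=$2
    old_ifs=$IFS; IFS=.
    set -- $left;  a1=${1:-0}; a2=${2:-0}; a3=${3:-0}
    set -- $right; b1=${1:-0}; b2=${2:-0}; b3=${3:-0}
    IFS=$old_ifs
    [ "$a1" -gt "$b1" ] && return 0
    [ "$a1" -lt "$b1" ] && return 1
    [ "$a2" -gt "$b2" ] && return 0
    [ "$a2" -lt "$b2" ] && return 1
    [ "$a3" -ge "$b3" ]
}

# cve_2021_22600_status VERSION: prints "patched", "vulnerable" or "unknown".
# Caveat: distribution kernels (e.g. Ubuntu 5.4.0-91) backport fixes without
# bumping the upstream version, so "vulnerable" here means "check the vendor
# advisory for this build", not "confirmed unpatched".
cve_2021_22600_status() {
    v=$(numeric_version "$1")
    case "$v" in
        5.15.*|5.15) fixed=5.15.11 ;;
        5.10.*|5.10) fixed=5.10.88 ;;
        5.4.*|5.4)   fixed=5.4.168 ;;
        4.19.*|4.19) fixed=4.19.222 ;;
        *)
            # Assumption: 5.16 and later carry the fix (the advisory's "and
            # later"); branches the advisory does not list are reported as
            # unknown rather than guessed.
            if version_ge "$v" 5.16; then echo patched; else echo unknown; fi
            return 0 ;;
    esac
    if version_ge "$v" "$fixed"; then echo patched; else echo vulnerable; fi
}

# Emit a Docker-style seccomp profile that makes socket(AF_PACKET, ...) fail
# with EPERM (AF_PACKET is 17 on Linux). Everything else is allowed so the
# fragment stays readable; in practice merge the "syscalls" entry into the
# runtime's default profile rather than replacing it with this file.
deny_af_packet_seccomp_profile() {
    cat <<'EOF'
{
  "defaultAction": "SCMP_ACT_ALLOW",
  "syscalls": [
    {
      "names": ["socket"],
      "action": "SCMP_ACT_ERRNO",
      "args": [
        { "index": 0, "value": 17, "valueTwo": 0, "op": "SCMP_CMP_EQ" }
      ]
    }
  ]
}
EOF
}

# Report on the running kernel. Hypothetical usage (script name assumed):
#   sh cve-2021-22600-check.sh --report
#   deny_af_packet_seccomp_profile > no-af-packet.json
#   docker run --cap-drop=NET_RAW --security-opt seccomp=no-af-packet.json ...
report_running_kernel() {
    running=$(uname -r)
    printf 'kernel %s: %s for CVE-2021-22600 (upstream numbering only)\n' \
        "$running" "$(cve_2021_22600_status "$running")"
}

if [ "${1:-}" = "--report" ]; then
    report_running_kernel
fi
```

The seccomp filter complements rather than replaces dropping CAP_NET_RAW: the capability gates the socket call, while the filter refuses it even in a container that keeps the capability for another reason. Both are defence in depth around the real fix, which is the kernel update in step 1.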

Key Details

Property              Value
CVE ID                CVE-2021-22600
Vendor / Product      Linux — Kernel
NVD Published         2022-01-26
NVD Last Modified     2025-10-24
CVSS 3.1 Score        6.6
CVSS 3.1 Vector       CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:H
Severity              MEDIUM
CWE                   CWE-415
CISA KEV Added        2022-04-11
CISA KEV Deadline     2022-05-02
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector        Local
Attack Complexity    High
Privileges Required  Low
User Interaction     Required
Scope                Changed
Confidentiality      Low
Integrity            Low
Availability         High

Required Action

CISA BOD 22-01 Deadline: 2022-05-02. Apply updates per vendor instructions.

Timeline

Date        Event
2021-12-13  Linux kernel patches released addressing double-free in AF_PACKET socket (packet_set_ring)
2021-12-15  Vulnerability publicly disclosed on oss-security mailing list
2022-01-26  CVE published
2022-04-11  Added to CISA Known Exploited Vulnerabilities catalog — reflecting exploitation in container escape attacks
2022-05-02  CISA BOD 22-01 remediation deadline