CVE-2021-46913: 
Linux Kernel vulnerability analysis and mitigation

CVE-2021-46913 affects the Linux kernel's netfilter nftables subsystem. The vulnerability was discovered when using connlimit in set elements, where a memcpy() operation breaks during clone set element expression template handling. This issue affects Linux kernel versions from 5.7.0 up to (excluding) 5.10.64 and from 5.11.0 up to (excluding) 5.11.16 (NVD).

The vulnerability occurs in the netfilter nftables subsystem when cloning set element expression templates. The issue arises because memcpy() is used instead of nft_expr_clone() to initialize the connlimit expression list. This causes the connlimit garbage collector to crash when walking on the list head copy. The vulnerability has a CVSS v3.1 Base Score of 5.5 (Medium) with vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).

When exploited, this vulnerability can cause a system crash through the connlimit garbage collector, resulting in a denial of service condition. The crash occurs specifically during the nft_rhash_gc operation when the garbage collector attempts to walk through an improperly initialized list head copy (Kernel Patch).

The vulnerability has been fixed by replacing memcpy() with nft_expr_clone() to properly initialize the connlimit expression list. The fix ensures proper cloning of set element expression templates. Users should upgrade to Linux kernel versions 5.10.64 or later (for 5.10.x series) or 5.11.16 or later (for 5.11.x series) (Kernel Patch).