CVE-2021-3491

high
New! CVE Severity Now Using CVSS v3

The calculated severity for CVEs has been updated to use CVSS v3 by default. CVEs that do not have a CVSS v3 score will fall back CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.

Description

The io_uring subsystem in the Linux kernel allowed the MAX_RW_COUNT limit to be bypassed in the PROVIDE_BUFFERS operation, which led to negative values being usedin mem_rw when reading /proc/<PID>/mem. This could be used to create a heap overflow leading to arbitrary code execution in the kernel. It was addressed via commit d1f82808877b ("io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers") (v5.13-rc1) and backported to the stable kernels in v5.12.4, v5.11.21, and v5.10.37. It was introduced in ddf0322db79c ("io_uring: add IORING_OP_PROVIDE_BUFFERS") (v5.7-rc1).

References

https://ubuntu.com/security/notices/USN-4949-1

https://ubuntu.com/security/notices/USN-4950-1

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=d1f82808877bb10d3deee7cf3374a4eb3fb582db

https://www.zerodayinitiative.com/advisories/ZDI-21-589/

https://www.openwall.com/lists/oss-security/2021/05/11/13

https://security.netapp.com/advisory/ntap-20210716-0004/

Details

Source: MITRE

Published: 2021-06-04

Updated: 2021-09-14

Type: CWE-787

Risk Information

CVSS v2

Base Score: 7.2

Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C

Impact Score: 10

Exploitability Score: 3.9

Severity: HIGH

CVSS v3

Base Score: 8.8

Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Impact Score: 6

Exploitability Score: 2

Severity: HIGH

Tenable Plugins

View all (20 total)

IDNameProductFamilySeverity
151986SUSE SLES15 Security Update : kernel (SUSE-SU-2021:2421-1)NessusSuSE Local Security Checks
high
151756openSUSE 15 Security Update : kernel (openSUSE-SU-2021:1977-1)NessusSuSE Local Security Checks
critical
151730openSUSE 15 Security Update : kernel (openSUSE-SU-2021:1975-1)NessusSuSE Local Security Checks
critical
151280openSUSE 15 Security Update : kernel (openSUSE-SU-2021:0947-1)NessusSuSE Local Security Checks
high
151205SUSE SLES15 Security Update : kernel (SUSE-SU-2021:2208-1)NessusSuSE Local Security Checks
high
150927SUSE SLES15 Security Update : kernel (SUSE-SU-2021:1975-1)NessusSuSE Local Security Checks
critical
150901SUSE SLED15 / SLES15 Security Update : kernel (SUSE-SU-2021:1977-1)NessusSuSE Local Security Checks
critical
150696SUSE SLES15 Security Update : kernel (SUSE-SU-2021:1888-1)NessusSuSE Local Security Checks
high
150687SUSE SLES12 Security Update : kernel (SUSE-SU-2021:1899-1)NessusSuSE Local Security Checks
high
150472SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2021:1913-1)NessusSuSE Local Security Checks
high
150470SUSE SLES15 Security Update : kernel (SUSE-SU-2021:1912-1)NessusSuSE Local Security Checks
high
150413SUSE SLES12 Security Update : kernel (SUSE-SU-2021:1887-1)NessusSuSE Local Security Checks
high
150407SUSE SLED15 / SLES15 Security Update : kernel (SUSE-SU-2021:1890-1)NessusSuSE Local Security Checks
high
150401SUSE SLES15 Security Update : kernel (SUSE-SU-2021:1889-1)NessusSuSE Local Security Checks
high
150396SUSE SLES12 Security Update : kernel (SUSE-SU-2021:1891-1)NessusSuSE Local Security Checks
high
150315openSUSE Security Update : the Linux Kernel (openSUSE-2021-843)NessusSuSE Local Security Checks
high
149437Photon OS 4.0: Linux PHSA-2021-4.0-0023NessusPhotonOS Local Security Checks
high
149411Ubuntu 20.04 LTS / 20.10 : Linux kernel vulnerabilities (USN-4949-1)NessusUbuntu Local Security Checks
high
149407Ubuntu 20.04 LTS : Linux kernel (OEM) vulnerabilities (USN-4948-1)NessusUbuntu Local Security Checks
high
149406Ubuntu 21.04 : Linux kernel vulnerabilities (USN-4950-1)NessusUbuntu Local Security Checks
high