SB2021072290 - Information disclosure in Linux kernel
Published: July 22, 2021
Security Bulletin ID
SB2021072290
CSH Severity
Low
Patch available
NO
Number of vulnerabilities
1
Exploitation vector
Local access
Highest impact
Information disclosure
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 vulnerability.
1) Use of uninitialized resource (CVE-ID: CVE-2021-34693)
CWE-ID: CWE-908 - Use of Uninitialized Resource
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to gain access to sensitive information.
The vulnerability exists due to net/can/bcm.c in the Linux kernel through 5.12.10 allows local users to obtain sensitive information from kernel stack memory because parts of a data structure are uninitialized.
Remediation
Cybersecurity Help is not aware of any official remediation provided by the vendor.
References
- https://lore.kernel.org/netdev/trinity-87eaea25-2a7d-4aa9-92a5-269b822e5d95-1623609211076@3c-app-gmx-bs04/T/
- http://www.openwall.com/lists/oss-security/2021/06/15/1
- https://lists.debian.org/debian-lts-announce/2021/07/msg00016.html
- https://lists.debian.org/debian-lts-announce/2021/07/msg00015.html
- https://lists.debian.org/debian-lts-announce/2021/07/msg00014.html