Ubuntu update for linux
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 13 |
| CVE-ID | CVE-2020-26147 CVE-2020-26558 CVE-2021-0129 CVE-2021-28972 CVE-2021-33034 CVE-2021-34693 CVE-2021-3483 CVE-2021-3564 CVE-2021-3612 CVE-2021-3679 CVE-2021-38204 CVE-2021-42008 CVE-2021-45485 |
| CWE-ID | CWE-20 CWE-254 CWE-284 CWE-119 CWE-416 CWE-908 CWE-415 CWE-787 CWE-400 CWE-200 |
| Exploitation vector | Network |
| Public exploit | Public exploit code for vulnerability #12 is available. |
| Vulnerable software Subscribe |
Ubuntu Operating systems & Components / Operating system linux-image-virtual-lts-xenial (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-lowlatency-lts-xenial (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-4.4.0-1099-aws (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-generic-lts-xenial (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-lowlatency (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-kvm (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-4.4.0-219-generic (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-4.4.0-1135-aws (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-4.4.0-1100-kvm (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-4.4.0-219-lowlatency (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-aws (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-generic (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-virtual (Ubuntu package) Operating systems & Components / Operating system package or component |
| Vendor | Canonical Ltd. |
Security Bulletin
This security bulletin contains information about 13 vulnerabilities.
1) Input validation error
EUVDB-ID: #VU53172
Risk: Low
CVSSv3.1: 5 [CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-26147
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to the WEP, WPA, WPA2, and WPA3 implementations reassemble fragments even though some of them were sent in plaintext. A remote attacker on the local network can inject packets and/or exfiltrate selected fragments
MitigationUpdate the affected package linux to the latest version.
Vulnerable software versionsUbuntu: 14.04 - 16.04
linux-image-virtual-lts-xenial (Ubuntu package): before 4.4.0.219.226
linux-image-lowlatency-lts-xenial (Ubuntu package): before 4.4.0.219.226
linux-image-4.4.0-1099-aws (Ubuntu package): before 4.4.0.219.226
linux-image-generic-lts-xenial (Ubuntu package): before 4.4.0.219.226
linux-image-lowlatency (Ubuntu package): before 4.4.0.219.226
linux-image-kvm (Ubuntu package): before 4.4.0.219.226
linux-image-4.4.0-219-generic (Ubuntu package): before 4.4.0.219.226
linux-image-4.4.0-1135-aws (Ubuntu package): before 4.4.0.219.226
linux-image-4.4.0-1100-kvm (Ubuntu package): before 4.4.0.219.226
linux-image-4.4.0-219-lowlatency (Ubuntu package): before 4.4.0.219.226
linux-image-aws (Ubuntu package): before 4.4.0.219.226
linux-image-generic (Ubuntu package): before 4.4.0.219.226
linux-image-virtual (Ubuntu package): before 4.4.0.219.226
External linkshttp://ubuntu.com/security/notices/USN-5299-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Security features bypass
EUVDB-ID: #VU53579
Risk: Low
CVSSv3.1: 4.7 [CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-26558
CWE-ID:
CWE-254 - Security Features
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to an impersonation in the Passkey Entry protocol flaw. A remote attacker on the local network can perform a man-in-the-middle (MITM) attack and impersonate the initiating device without any previous knowledge.
Note: This vulnerability affects the following specifications:
- BR/EDR Secure Simple Pairing in Bluetooth Core Specifications 2.1 through 5.2
- BR/EDR Secure Connections Pairing in Bluetooth Core Specifications 4.1 through 5.2
- LE Secure Connections Pairing in Bluetooth Core Specifications 4.2 through 5.2
Mitigation
Update the affected package linux to the latest version.
Vulnerable software versionsUbuntu: 14.04 - 16.04
linux-image-virtual-lts-xenial (Ubuntu package): before 4.4.0.219.226
linux-image-lowlatency-lts-xenial (Ubuntu package): before 4.4.0.219.226
linux-image-4.4.0-1099-aws (Ubuntu package): before 4.4.0.219.226
linux-image-generic-lts-xenial (Ubuntu package): before 4.4.0.219.226
linux-image-lowlatency (Ubuntu package): before 4.4.0.219.226
linux-image-kvm (Ubuntu package): before 4.4.0.219.226
linux-image-4.4.0-219-generic (Ubuntu package): before 4.4.0.219.226
linux-image-4.4.0-1135-aws (Ubuntu package): before 4.4.0.219.226
linux-image-4.4.0-1100-kvm (Ubuntu package): before 4.4.0.219.226
linux-image-4.4.0-219-lowlatency (Ubuntu package): before 4.4.0.219.226
linux-image-aws (Ubuntu package): before 4.4.0.219.226
linux-image-generic (Ubuntu package): before 4.4.0.219.226
linux-image-virtual (Ubuntu package): before 4.4.0.219.226
External linkshttp://ubuntu.com/security/notices/USN-5299-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Improper access control
EUVDB-ID: #VU54202
Risk: Low
CVSSv3.1: 5.6 [CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-0129
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions. A remote authenticated attacker on the local network can bypass implemented security restrictions and enable information disclosure
MitigationUpdate the affected package linux to the latest version.
Vulnerable software versionsUbuntu: 14.04 - 16.04
linux-image-virtual-lts-xenial (Ubuntu package): before 4.4.0.219.226
linux-image-lowlatency-lts-xenial (Ubuntu package): before 4.4.0.219.226
linux-image-4.4.0-1099-aws (Ubuntu package): before 4.4.0.219.226
linux-image-generic-lts-xenial (Ubuntu package): before 4.4.0.219.226
linux-image-lowlatency (Ubuntu package): before 4.4.0.219.226
linux-image-kvm (Ubuntu package): before 4.4.0.219.226
linux-image-4.4.0-219-generic (Ubuntu package): before 4.4.0.219.226
linux-image-4.4.0-1135-aws (Ubuntu package): before 4.4.0.219.226
linux-image-4.4.0-1100-kvm (Ubuntu package): before 4.4.0.219.226
linux-image-4.4.0-219-lowlatency (Ubuntu package): before 4.4.0.219.226
linux-image-aws (Ubuntu package): before 4.4.0.219.226
linux-image-generic (Ubuntu package): before 4.4.0.219.226
linux-image-virtual (Ubuntu package): before 4.4.0.219.226
External linkshttp://ubuntu.com/security/notices/USN-5299-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the local network (LAN).
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Buffer overflow
EUVDB-ID: #VU56819
Risk: Low
CVSSv3.1: 5.8 [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-28972
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a local user to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in the drivers/pci/hotplug/rpadlpar_sysfs.c. A local administrator can trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate the affected package linux to the latest version.
Vulnerable software versionsUbuntu: 14.04 - 16.04
linux-image-virtual-lts-xenial (Ubuntu package): before 4.4.0.219.226
linux-image-lowlatency-lts-xenial (Ubuntu package): before 4.4.0.219.226
linux-image-4.4.0-1099-aws (Ubuntu package): before 4.4.0.219.226
linux-image-generic-lts-xenial (Ubuntu package): before 4.4.0.219.226
linux-image-lowlatency (Ubuntu package): before 4.4.0.219.226
linux-image-kvm (Ubuntu package): before 4.4.0.219.226
linux-image-4.4.0-219-generic (Ubuntu package): before 4.4.0.219.226
linux-image-4.4.0-1135-aws (Ubuntu package): before 4.4.0.219.226
linux-image-4.4.0-1100-kvm (Ubuntu package): before 4.4.0.219.226
linux-image-4.4.0-219-lowlatency (Ubuntu package): before 4.4.0.219.226
linux-image-aws (Ubuntu package): before 4.4.0.219.226
linux-image-generic (Ubuntu package): before 4.4.0.219.226
linux-image-virtual (Ubuntu package): before 4.4.0.219.226
External linkshttp://ubuntu.com/security/notices/USN-5299-1
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Use-after-free
EUVDB-ID: #VU54454
Risk: Low
CVSSv3.1: 6.1 [CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-33034
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a use-after-free error in net/bluetooth/hci_event.c when destroying an hci_chan. A local user can escalate privileges on the system.
Update the affected package linux to the latest version.
Vulnerable software versionsUbuntu: 14.04 - 16.04
linux-image-virtual-lts-xenial (Ubuntu package): before 4.4.0.219.226
linux-image-lowlatency-lts-xenial (Ubuntu package): before 4.4.0.219.226
linux-image-4.4.0-1099-aws (Ubuntu package): before 4.4.0.219.226
linux-image-generic-lts-xenial (Ubuntu package): before 4.4.0.219.226
linux-image-lowlatency (Ubuntu package): before 4.4.0.219.226
linux-image-kvm (Ubuntu package): before 4.4.0.219.226
linux-image-4.4.0-219-generic (Ubuntu package): before 4.4.0.219.226
linux-image-4.4.0-1135-aws (Ubuntu package): before 4.4.0.219.226
linux-image-4.4.0-1100-kvm (Ubuntu package): before 4.4.0.219.226
linux-image-4.4.0-219-lowlatency (Ubuntu package): before 4.4.0.219.226
linux-image-aws (Ubuntu package): before 4.4.0.219.226
linux-image-generic (Ubuntu package): before 4.4.0.219.226
linux-image-virtual (Ubuntu package): before 4.4.0.219.226
External linkshttp://ubuntu.com/security/notices/USN-5299-1
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Use of uninitialized resource
EUVDB-ID: #VU55263
Risk: Low
CVSSv3.1: 2.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-34693
CWE-ID:
CWE-908 - Use of Uninitialized Resource
Exploit availability: No
DescriptionThe vulnerability allows a local user to gain access to sensitive information.
The vulnerability exists due to net/can/bcm.c in the Linux kernel through 5.12.10 allows local users to obtain sensitive information from kernel stack memory because parts of a data structure are uninitialized.
MitigationUpdate the affected package linux to the latest version.
Vulnerable software versionsUbuntu: 14.04 - 16.04
linux-image-virtual-lts-xenial (Ubuntu package): before 4.4.0.219.226
linux-image-lowlatency-lts-xenial (Ubuntu package): before 4.4.0.219.226
linux-image-4.4.0-1099-aws (Ubuntu package): before 4.4.0.219.226
linux-image-generic-lts-xenial (Ubuntu package): before 4.4.0.219.226
linux-image-lowlatency (Ubuntu package): before 4.4.0.219.226
linux-image-kvm (Ubuntu package): before 4.4.0.219.226
linux-image-4.4.0-219-generic (Ubuntu package): before 4.4.0.219.226
linux-image-4.4.0-1135-aws (Ubuntu package): before 4.4.0.219.226
linux-image-4.4.0-1100-kvm (Ubuntu package): before 4.4.0.219.226
linux-image-4.4.0-219-lowlatency (Ubuntu package): before 4.4.0.219.226
linux-image-aws (Ubuntu package): before 4.4.0.219.226
linux-image-generic (Ubuntu package): before 4.4.0.219.226
linux-image-virtual (Ubuntu package): before 4.4.0.219.226
External linkshttp://ubuntu.com/security/notices/USN-5299-1
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Use-after-free
EUVDB-ID: #VU63659
Risk: Low
CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-3483
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a use-after-free error in the Nosy driver in the Linux kernel. A local user can trigger use-after-free and to escalate privileges on the system.
MitigationUpdate the affected package linux to the latest version.
Vulnerable software versionsUbuntu: 14.04 - 16.04
linux-image-virtual-lts-xenial (Ubuntu package): before 4.4.0.219.226
linux-image-lowlatency-lts-xenial (Ubuntu package): before 4.4.0.219.226
linux-image-4.4.0-1099-aws (Ubuntu package): before 4.4.0.219.226
linux-image-generic-lts-xenial (Ubuntu package): before 4.4.0.219.226
linux-image-lowlatency (Ubuntu package): before 4.4.0.219.226
linux-image-kvm (Ubuntu package): before 4.4.0.219.226
linux-image-4.4.0-219-generic (Ubuntu package): before 4.4.0.219.226
linux-image-4.4.0-1135-aws (Ubuntu package): before 4.4.0.219.226
linux-image-4.4.0-1100-kvm (Ubuntu package): before 4.4.0.219.226
linux-image-4.4.0-219-lowlatency (Ubuntu package): before 4.4.0.219.226
linux-image-aws (Ubuntu package): before 4.4.0.219.226
linux-image-generic (Ubuntu package): before 4.4.0.219.226
linux-image-virtual (Ubuntu package): before 4.4.0.219.226
External linkshttp://ubuntu.com/security/notices/USN-5299-1
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
8) Double Free
EUVDB-ID: #VU63660
Risk: Low
CVSSv3.1: 4 [CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-3564
CWE-ID:
CWE-415 - Double Free
Exploit availability: No
DescriptionThe vulnerability allows a local attacker to perform a denial of service attack.
The vulnerability exists due to bluetooth subsystem in the Linux kernel does not properly handle HCI device detach events. An attacker with physical access to the system can trigger double free error and perform a denial of service attack.
MitigationUpdate the affected package linux to the latest version.
Vulnerable software versionsUbuntu: 14.04 - 16.04
linux-image-virtual-lts-xenial (Ubuntu package): before 4.4.0.219.226
linux-image-lowlatency-lts-xenial (Ubuntu package): before 4.4.0.219.226
linux-image-4.4.0-1099-aws (Ubuntu package): before 4.4.0.219.226
linux-image-generic-lts-xenial (Ubuntu package): before 4.4.0.219.226
linux-image-lowlatency (Ubuntu package): before 4.4.0.219.226
linux-image-kvm (Ubuntu package): before 4.4.0.219.226
linux-image-4.4.0-219-generic (Ubuntu package): before 4.4.0.219.226
linux-image-4.4.0-1135-aws (Ubuntu package): before 4.4.0.219.226
linux-image-4.4.0-1100-kvm (Ubuntu package): before 4.4.0.219.226
linux-image-4.4.0-219-lowlatency (Ubuntu package): before 4.4.0.219.226
linux-image-aws (Ubuntu package): before 4.4.0.219.226
linux-image-generic (Ubuntu package): before 4.4.0.219.226
linux-image-virtual (Ubuntu package): before 4.4.0.219.226
External linkshttp://ubuntu.com/security/notices/USN-5299-1
Q & A
Can this vulnerability be exploited remotely?
No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
9) Out-of-bounds write
EUVDB-ID: #VU55231
Risk: Low
CVSSv3.1: 6.1 [CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-3612
CWE-ID:
CWE-787 - Out-of-bounds write
Exploit availability: No
Description The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error in joystick devices subsystem in Linux kernel. A local user can make a specially crafted JSIOCSBTNMAP IOCTL call, trigger out-of-bounds write and execute arbitrary code with escalated privileges.
Update the affected package linux to the latest version.
Vulnerable software versionsUbuntu: 14.04 - 16.04
linux-image-virtual-lts-xenial (Ubuntu package): before 4.4.0.219.226
linux-image-lowlatency-lts-xenial (Ubuntu package): before 4.4.0.219.226
linux-image-4.4.0-1099-aws (Ubuntu package): before 4.4.0.219.226
linux-image-generic-lts-xenial (Ubuntu package): before 4.4.0.219.226
linux-image-lowlatency (Ubuntu package): before 4.4.0.219.226
linux-image-kvm (Ubuntu package): before 4.4.0.219.226
linux-image-4.4.0-219-generic (Ubuntu package): before 4.4.0.219.226
linux-image-4.4.0-1135-aws (Ubuntu package): before 4.4.0.219.226
linux-image-4.4.0-1100-kvm (Ubuntu package): before 4.4.0.219.226
linux-image-4.4.0-219-lowlatency (Ubuntu package): before 4.4.0.219.226
linux-image-aws (Ubuntu package): before 4.4.0.219.226
linux-image-generic (Ubuntu package): before 4.4.0.219.226
linux-image-virtual (Ubuntu package): before 4.4.0.219.226
External linkshttp://ubuntu.com/security/notices/USN-5299-1
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
10) Resource exhaustion
EUVDB-ID: #VU63664
Risk: Low
CVSSv3.1: 3.9 [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-3679
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
DescriptionThe vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to lack of CPU resource in the Linux kernel tracing module functionality when using trace ring buffer in a specific way. A privileged local user (with CAP_SYS_ADMIN capability) could use this flaw to starve the resources causing denial of service.
MitigationUpdate the affected package linux to the latest version.
Vulnerable software versionsUbuntu: 14.04 - 16.04
linux-image-virtual-lts-xenial (Ubuntu package): before 4.4.0.219.226
linux-image-lowlatency-lts-xenial (Ubuntu package): before 4.4.0.219.226
linux-image-4.4.0-1099-aws (Ubuntu package): before 4.4.0.219.226
linux-image-generic-lts-xenial (Ubuntu package): before 4.4.0.219.226
linux-image-lowlatency (Ubuntu package): before 4.4.0.219.226
linux-image-kvm (Ubuntu package): before 4.4.0.219.226
linux-image-4.4.0-219-generic (Ubuntu package): before 4.4.0.219.226
linux-image-4.4.0-1135-aws (Ubuntu package): before 4.4.0.219.226
linux-image-4.4.0-1100-kvm (Ubuntu package): before 4.4.0.219.226
linux-image-4.4.0-219-lowlatency (Ubuntu package): before 4.4.0.219.226
linux-image-aws (Ubuntu package): before 4.4.0.219.226
linux-image-generic (Ubuntu package): before 4.4.0.219.226
linux-image-virtual (Ubuntu package): before 4.4.0.219.226
External linkshttp://ubuntu.com/security/notices/USN-5299-1
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
11) Use-after-free
EUVDB-ID: #VU63666
Risk: Low
CVSSv3.1: 5.9 [CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-38204
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a local attacker to perform a denial of service attack.
The vulnerability exists due to a use-after-free error in the drivers/usb/host/max3421-hcd.c in the Linux kernel. An attacker with physical access to the system can remove a MAX-3421 USB device to perform a denial of service attack.
MitigationUpdate the affected package linux to the latest version.
Vulnerable software versionsUbuntu: 14.04 - 16.04
linux-image-virtual-lts-xenial (Ubuntu package): before 4.4.0.219.226
linux-image-lowlatency-lts-xenial (Ubuntu package): before 4.4.0.219.226
linux-image-4.4.0-1099-aws (Ubuntu package): before 4.4.0.219.226
linux-image-generic-lts-xenial (Ubuntu package): before 4.4.0.219.226
linux-image-lowlatency (Ubuntu package): before 4.4.0.219.226
linux-image-kvm (Ubuntu package): before 4.4.0.219.226
linux-image-4.4.0-219-generic (Ubuntu package): before 4.4.0.219.226
linux-image-4.4.0-1135-aws (Ubuntu package): before 4.4.0.219.226
linux-image-4.4.0-1100-kvm (Ubuntu package): before 4.4.0.219.226
linux-image-4.4.0-219-lowlatency (Ubuntu package): before 4.4.0.219.226
linux-image-aws (Ubuntu package): before 4.4.0.219.226
linux-image-generic (Ubuntu package): before 4.4.0.219.226
linux-image-virtual (Ubuntu package): before 4.4.0.219.226
External linkshttp://ubuntu.com/security/notices/USN-5299-1
Q & A
Can this vulnerability be exploited remotely?
No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
12) Out-of-bounds write
EUVDB-ID: #VU63669
Risk: Low
CVSSv3.1: 6 [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C]
CVE-ID: CVE-2021-42008
CWE-ID:
CWE-787 - Out-of-bounds write
Exploit availability: Yes
DescriptionThe vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error in the decode_data() function in drivers/net/hamradio/6pack.c in the Linux kernel. A local user can send input from a process that has the CAP_NET_ADMIN capability and escalate privileges on the system.
MitigationUpdate the affected package linux to the latest version.
Vulnerable software versionsUbuntu: 14.04 - 16.04
linux-image-virtual-lts-xenial (Ubuntu package): before 4.4.0.219.226
linux-image-lowlatency-lts-xenial (Ubuntu package): before 4.4.0.219.226
linux-image-4.4.0-1099-aws (Ubuntu package): before 4.4.0.219.226
linux-image-generic-lts-xenial (Ubuntu package): before 4.4.0.219.226
linux-image-lowlatency (Ubuntu package): before 4.4.0.219.226
linux-image-kvm (Ubuntu package): before 4.4.0.219.226
linux-image-4.4.0-219-generic (Ubuntu package): before 4.4.0.219.226
linux-image-4.4.0-1135-aws (Ubuntu package): before 4.4.0.219.226
linux-image-4.4.0-1100-kvm (Ubuntu package): before 4.4.0.219.226
linux-image-4.4.0-219-lowlatency (Ubuntu package): before 4.4.0.219.226
linux-image-aws (Ubuntu package): before 4.4.0.219.226
linux-image-generic (Ubuntu package): before 4.4.0.219.226
linux-image-virtual (Ubuntu package): before 4.4.0.219.226
External linkshttp://ubuntu.com/security/notices/USN-5299-1
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
13) Information disclosure
EUVDB-ID: #VU63668
Risk: Medium
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-45485
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to an error in the IPv6 implementation in the Linux kernel. A remote attacker can gain access to sensitive information.
MitigationUpdate the affected package linux to the latest version.
Vulnerable software versionsUbuntu: 14.04 - 16.04
linux-image-virtual-lts-xenial (Ubuntu package): before 4.4.0.219.226
linux-image-lowlatency-lts-xenial (Ubuntu package): before 4.4.0.219.226
linux-image-4.4.0-1099-aws (Ubuntu package): before 4.4.0.219.226
linux-image-generic-lts-xenial (Ubuntu package): before 4.4.0.219.226
linux-image-lowlatency (Ubuntu package): before 4.4.0.219.226
linux-image-kvm (Ubuntu package): before 4.4.0.219.226
linux-image-4.4.0-219-generic (Ubuntu package): before 4.4.0.219.226
linux-image-4.4.0-1135-aws (Ubuntu package): before 4.4.0.219.226
linux-image-4.4.0-1100-kvm (Ubuntu package): before 4.4.0.219.226
linux-image-4.4.0-219-lowlatency (Ubuntu package): before 4.4.0.219.226
linux-image-aws (Ubuntu package): before 4.4.0.219.226
linux-image-generic (Ubuntu package): before 4.4.0.219.226
linux-image-virtual (Ubuntu package): before 4.4.0.219.226
External linkshttp://ubuntu.com/security/notices/USN-5299-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
