Resource exhaustion in Linux kernel

#VU63664 Resource exhaustion in Linux kernel

Published: 2022-05-25

Vulnerability identifier: #VU63664

Vulnerability risk: Low

CVSSv3.1:

CVE-ID: CVE-2021-3679

CWE-ID: CWE-400

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
Linux kernel
Operating systems & Components / Operating system

Vendor: Linux Foundation

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to lack of CPU resource in the Linux kernel tracing module functionality when using trace ring buffer in a specific way. A privileged local user (with CAP_SYS_ADMIN capability) could use this flaw to starve the resources causing denial of service.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Linux kernel: All versions

CPE

cpe:2.3:o:linux_foundation:linux_kernel:*:*:*:*:*:*:*:*

External links
http://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=67f0d6d9883c13174669f88adac4f0ee656cc16a
http://bugzilla.redhat.com/show_bug.cgi?id=1989165
http://www.debian.org/security/2021/dsa-4978
http://lists.debian.org/debian-lts-announce/2021/10/msg00010.html
http://lists.debian.org/debian-lts-announce/2021/12/msg00012.html

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

Latest bulletins with this vulnerability

ClevOS update for IBM Cloud Object Storage Systems

Ubuntu update for linux