#VU63764 Use-after-free in Linux kernel


Published: 2022-05-27

Vulnerability identifier: #VU63764

Vulnerability risk: Low

CVSSv3.1: 5.8 [CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-4202

CWE-ID: CWE-416

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
Linux kernel
Operating systems & Components / Operating system

Vendor: Linux Foundation

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error in the nci_request() function in net/nfc/nci/core.c in NFC Controller Interface (NCI) in the Linux kernel. A local user can cause a data race problem while the device is getting removed and escalate privileges on the system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Linux kernel:

External links
http://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=86cdf8e38792545161dbe3350a7eced558ba4d15
http://bugzilla.redhat.com/show_bug.cgi?id=2036682
http://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=3e3b5dfcd16a3e254aab61bd1e8c417dd4503102
http://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=48b71a9e66c2eab60564b1b1c85f4928ed04e406
http://security.netapp.com/advisory/ntap-20220513-0002/

Q & A

Can this vulnerability be exploited remotely?

No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Ubuntu update for linux-aws
Ubuntu update for linux-kvm
Ubuntu update for linux
Debian update for linux
SUSE update for the Linux Kernel (Live Patch 41 for SLE 12 SP3)
Ubuntu update for linux
Ubuntu update for linux-aws
Ubuntu update for linux-gke
Ubuntu update for linux
SUSE update for the Linux Kernel (Live Patch 6 for SLE 15 SP3)