#VU89262 Out-of-bounds read in Linux kernel - CVE-2021-46952

Cybersecurity Help s.r.o.

Published: 2024-05-08

Vulnerability identifier: #VU89262

Vulnerability risk: Medium

CVSSv4.0: 2.3 [CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2021-46952

CWE-ID: CWE-125

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Linux kernel
Operating systems & Components / Operating system

Vendor: Linux Foundation

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to a boundary condition within the nfs23_parse_monolithic() function in fs/nfs/fs_context.c when handling UDP retrans. A remote attacker can trigger an out-of-bounds read error and gain access to sensitive information or perform a denial of service (DoS) attack.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Linux kernel: before 5.10.36, 5.10.36

External links
https://git.kernel.org/stable/c/96fa26b74cdcf9f5c98996bf36bec9fb5b19ffe2
https://git.kernel.org/stable/c/2f3380121d49e829fb73ba86240c181bc32ad897
https://git.kernel.org/stable/c/3d0163821c035040a46d816a42c0780f0f0a30a8
https://git.kernel.org/stable/c/c09f11ef35955785f92369e25819bf0629df2e59

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

openEuler 20.03 LTS SP4 update for kernel

openEuler 20.03 LTS SP1 update for kernel

Out-of-bounds read in Linux kernel NFS support