CVE-2021-26708 — Improper Locking in Kernel

CWE-667 — Improper Locking CWE-269 — Improper Privilege Management CWE-362 — Race Condition11 documents10 sources

Severity

7.0HIGHNVD

EPSS

0.9%

top 23.81%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Linux Kernel Netapp Baseboard Management Controller 500f Firmware Netapp Baseboard Management Controller A250 Firmware +18 more

Timeline

PublishedFeb 5

Latest updateSep 7

Description

A local privilege escalation was discovered in the Linux kernel before 5.10.13. Multiple race conditions in the AF_VSOCK implementation are caused by wrong locking in net/vmw_vsock/af_vsock.c. The race conditions were implicitly introduced in the commits that added VSOCK multi-transport support.

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.0 | Impact: 5.9

Affected Packages22 packages

▶NVDlinux/linux_kernel5.5 — 5.10.13

▶Debianlinux/linux_kernel< 5.10.13-1+3

▶debiandebian/linux< linux 5.10.13-1 (bookworm)

▶msrcmsrc/kernel-5.10.57.1-1.cm1.x86_64.rpm_on_cbl_mariner_1.0_x64

▶msrcmsrc/kernel-5.10.57.1-1.cm1.aarch64.rpm_on_cbl_mariner_1.0_arm

Patches

Patch: www.openwall.com ↗Patch: git.kernel.org ↗Patch: security.netapp.com ↗

🔴Vulnerability Details

Kernel

ipc, msg: Use dedicated slab buckets for alloc_msg()↗2024-07-01

▶

GHSA

GHSA-hhxw-8c9w-q5q9: A local privilege escalation was discovered in the Linux kernel before 5↗2022-05-24

▶

OSV

CVE-2021-26708: A local privilege escalation was discovered in the Linux kernel before 5↗2021-02-05

▶

📋Vendor Advisories

Palo Alto

PAN-SA-2024-0001 Informational Bulletin: Impact of OSS CVEs in PAN-OS↗2024-02-14

▶

Ubuntu

Linux kernel vulnerability↗2021-02-10

▶

Microsoft

▶

Red Hat

kernel: race conditions caused by wrong locking in net/vmw_vsock/af_vsock.c↗2021-02-05

▶

Debian

CVE-2021-26708: linux - A local privilege escalation was discovered in the Linux kernel before 5.10.13. ...↗2021

▶

📄Research Papers

arXiv

Beyond Control: Exploring Novel File System Objects for Data-Only Attacks on Linux Systems↗2024-09-07

▶

arXiv

Timeloops: Automatic System Call Policy Learning for Containerized Microservices↗2022-09-26

▶