CVE-2021-31829 — Incorrect Authorization in Linux

CWE-863 — Incorrect Authorization CWE-200 — Sensitive Information Exposure19 documents8 sources

Severity

5.5MEDIUMNVD

OSV3.5

EPSS

0.1%

top 76.33%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Linux Kernel Debian Linux Debian Linux +4 more

Timeline

PublishedMay 6

Latest updateFeb 14

Description

kernel/bpf/verifier.c in the Linux kernel through 5.12.1 performs undesirable speculative loads, leading to disclosure of stack content via side-channel attacks, aka CID-801c6058d14a. The specific concern is not protecting the BPF stack area against speculative loads. Also, the BPF stack can contain uninitialized data that might represent sensitive information previously operated on by the kernel.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 1.8 | Impact: 3.6

Affected Packages7 packages

▶Debianlinux/linux_kernel< 5.10.38-1+3

▶Ubuntulinux/linux_kernel< 4.15.0-151.157+1

▶NVDlinux/linux_kernel5.12.1

▶msrcmsrc/cm1_kernel_5.10.60.1-1_on_cbl_mariner_1.0

▶msrcmsrc/cbl2_kernel_5.10.78.1-1_on_cbl_mariner_2.0

Also affects: Debian Linux 9.0, Fedora 32, 33, 34

Patches

Patch: www.openwall.com ↗Patch: www.openwall.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-f8g9-h6rj-mq5j: kernel/bpf/verifier↗2022-05-24

▶

OSV

linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux-raspi2, linux-snapdragon vulnerabilities↗2021-07-20

▶

OSV

linux-kvm vulnerabilities↗2021-06-25

▶

OSV

linux, linux-aws, linux-aws-5.8, linux-azure, linux-azure-5.8, linux-gcp, linux-gcp-5.8, linux-hwe-5.8, linux-kvm, linux-oracle, linux-oracle-5.8, linux-raspi vulnerabilities↗2021-06-23

▶

OSV

linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-gke, linux-gke-5.4, linux-gkeop, linux-gkeop-5.4, linux-hwe-5.4, linux-oracle, linux-oracle-5.4, linux-ra↗2021-06-23

▶

📋Vendor Advisories

Palo Alto

PAN-SA-2024-0001 Informational Bulletin: Impact of OSS CVEs in PAN-OS↗2024-02-14

▶

Ubuntu

Linux kernel vulnerabilities↗2021-07-20

▶

Ubuntu

Linux kernel (KVM) vulnerabilities↗2021-06-25

▶

Ubuntu

Linux kernel (KVM) vulnerabilities↗2021-06-25

▶

Ubuntu

Linux kernel vulnerabilities↗2021-06-23

▶