CVE-2021-3490
published 2021-06-04


Priority: P263, high · CVSS 3.1: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) · Exploit: available · EPSS: 27.48% (97.8th percentile)
The eBPF ALU32 bounds tracking for bitwise ops (AND, OR and XOR) in the Linux kernel did not properly update 32-bit bounds, which could be turned into out-of-bounds reads and writes in the Linux kernel and therefore arbitrary code execution. This issue was fixed via commit 049c4e13714e ("bpf: Fix alu32 const subreg bound tracking on bitwise operations") (v5.13-rc4) and backported to the stable kernels in v5.12.4, v5.11.21, and v5.10.37. The AND/OR issues were introduced by commit 3f50f132d840 ("bpf: Verifier, do explicit ALU32 bounds tracking") (5.7-rc1) and the XOR variant was introduced by 2921c90d4718 ("bpf: Fix a verifier failure with xor") (5.10-rc1).

Affected

17 ranges

Vendor         | Product       | Version range                   | Fixed in
canonical      | ubuntu_linux  | -                               | -
canonical      | ubuntu_linux  | -                               | -
canonical      | ubuntu_linux  | -                               | -
debian         | linux         | < linux 5.10.38-1 (bookworm)    | linux 5.10.38-1 (bookworm)
linux          | linux_kernel  | -                               | -
linux          | linux_kernel  | >= 0 < 5.10.38-1                | 5.10.38-1
linux          | linux_kernel  | >= 0 < 5.10.38-1                | 5.10.38-1
linux          | linux_kernel  | >= 0 < 5.10.38-1                | 5.10.38-1
linux          | linux_kernel  | >= 0 < 5.10.38-1                | 5.10.38-1
linux          | linux_kernel  | >= 5.10 < 5.10.37               | 5.10.37
linux          | linux_kernel  | >= 5.11 < 5.11.21               | 5.11.21
linux          | linux_kernel  | >= 5.12 < 5.12.4                | 5.12.4
linux          | linux_kernel  | >= linux-5.10.y < v5.10.37      | v5.10.37
linux          | linux_kernel  | >= linux-5.11.y < v5.11.21      | v5.11.21
linux          | linux_kernel  | >= linux-5.12.y < v5.12.4       | v5.12.4
linux          | linux_kernel  | >= trunk < v5.13-rc4            | v5.13-rc4
linux          | linux_kernel  | >= v5.7-rc1 < 5.7*              | 5.7*

Detection & IOCs (extracted from sources)

Path: /proc/sys/kernel/unprivileged_bpf_disabled
  • Monitor for unprivileged eBPF program loads (bpf() syscall) from non-root processes; exploitation by an unprivileged user requires kernel.unprivileged_bpf_disabled to be unset (0).
  • Detect exploitation attempts that use the Metasploit module, which targets the scalar32_min_max_and bounds check for the eBPF verifier's ALU32 AND operation.
  • The exploit is data-only and misuses only legitimate system calls, so process-level detection is difficult; focus on behavioral anomalies such as unexpected privilege escalation from container processes.
  • In container environments, watch for use of the sched_setaffinity() syscall as part of an exploit chain that manipulates the task struct to achieve container escape.
  • Alert on processes inside containers that attempt to read or write kernel symbols (ksymtab/kstrtab) while establishing the exploit's kernel read/write primitive.
  • Exploitation requires kernel.unprivileged_bpf_disabled=0; if it is set to 1, unprivileged users cannot load eBPF programs. A privileged user (root or CAP_SYS_ADMIN) can still exploit the flaw, and the Metasploit module notes that, when run as a privileged user, it can still bypass protections such as SELinux.
  • Affected kernel versions: 5.7-rc1 through 5.13-rc4 (AND/OR) and 5.10-rc1 through 5.10.37 (XOR). Fixed in v5.13-rc4, v5.12.4, v5.11.21, and v5.10.37.
  • Red Hat Enterprise Linux 6, 7, and 8 are listed as Not Affected; RHEL 7 always disables eBPF for unprivileged users.
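A host-side triage check built from the upstream version windows and the unprivileged_bpf_disabled condition listed above, as an added example (not the record's own tooling nor any vendor's); the function names, the --check flag and the values used for testing are assumptions of this example.

```shell
#!/bin/sh
# CVE-2021-3490 host triage helper (added example, not part of the advisory record).
# Windows come from the advisory text: present from 5.7-rc1, fixed in 5.10.37, 5.11.21,
# 5.12.4 and mainline 5.13-rc4. Unprivileged exposure also needs unprivileged_bpf_disabled=0.

# kernel_affected VERSION -> exit 0 when VERSION is inside an affected upstream window.
# Accepts "5.10.36", "5.11.21-generic", "5.13-rc3". Distro suffixes are ignored, so a vendor
# kernel carrying a backported fix may still be flagged: confirm against vendor data.
kernel_affected() {
  v=$1 rc=0
  case "$v" in *-rc*) rc=${v#*-rc}; rc=${rc%%[!0-9]*}; rc=${rc:-0} ;; esac
  base=${v%%-*}                          # "5.13-rc3" -> "5.13", "5.4.0-generic" -> "5.4.0"
  major=${base%%.*}; rest=${base#*.}
  [ "$rest" = "$base" ] && rest=0        # no minor component
  minor=${rest%%.*}; tail=${rest#*.}
  [ "$tail" = "$rest" ] && tail=0        # no patch component
  patch=${tail%%[!0-9]*}; patch=${patch:-0}
  [ "$major" -eq 5 ] 2>/dev/null || return 1
  case "$minor" in
    7|8|9) return 0 ;;                   # these stable series never received the fix
    10) [ "$patch" -lt 37 ] && return 0 ;;
    11) [ "$patch" -lt 21 ] && return 0 ;;
    12) [ "$patch" -lt 4 ] && return 0 ;;
    13) [ "$rc" -gt 0 ] && [ "$rc" -lt 4 ] && return 0 ;;   # only 5.13-rc1..rc3
  esac
  return 1
}

# unprivileged_bpf_exposed [FILE] -> exit 0 when the sysctl reads 0 (unprivileged loads
# allowed). FILE defaults to the live node; pass a path to check a captured value.
unprivileged_bpf_exposed() {
  f=${1:-/proc/sys/kernel/unprivileged_bpf_disabled}
  [ -r "$f" ] || return 1                # absent or unreadable: cannot confirm exposure
  [ "$(tr -d '[:space:]' < "$f")" = 0 ] && return 0
  return 1
}

# triage [VERSION] [FILE] -> verdict on stdout; exit 0 = exposed to unprivileged users,
# 2 = affected but unprivileged BPF disabled (privileged users can still load BPF), 1 = not affected.
triage() {
  ver=${1:-$(uname -r)}
  if ! kernel_affected "$ver"; then echo "$ver: outside the affected windows"; return 1; fi
  if unprivileged_bpf_exposed "$2"; then echo "$ver: affected, unprivileged BPF enabled: EXPOSED"; return 0; fi
  echo "$ver: affected, unprivileged BPF disabled: patch, privileged users can still load BPF"; return 2
}

# Run directly with: sh cve_2021_3490_check.sh --check [VERSION]
if [ "${1:-}" = "--check" ]; then triage "$2"; exit $?; fi
```

An exit status of 2 is still a "patch this kernel" result: the sysctl only removes the unprivileged path, as the notes above point out.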

CVSS provenance

Source         | Version | Score | Severity | Vector
nvd            | v3.1    | 7.8   | HIGH     | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd            | v2.0    | 7.2   | HIGH     | AV:L/AC:L/Au:N/C:C/I:C/A:C
osv            | -       | 7.8   | HIGH     | -
vendor_debian  | -       | 7.8   | HIGH     | -
vendor_redhat  | -       | 7.8   | HIGH     | -
vendor_ubuntu  | -       | 7.8   | HIGH     | -