CVE-2021-3490
Published 2021-06-04
Priority P263 · high · CVSS 3.1: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EXPLOIT · EPSS 27.48% (97.8th percentile)
The eBPF ALU32 bounds tracking for bitwise ops (AND, OR and XOR) in the Linux kernel did not properly update 32-bit bounds, which could be turned into out of bounds reads and writes in the Linux kernel and therefore, arbitrary code execution. This issue was fixed via commit 049c4e13714e ("bpf: Fix alu32 const subreg bound tracking on bitwise operations") (v5.13-rc4) and backported to the stable kernels in v5.12.4, v5.11.21, and v5.10.37. The AND/OR issues were introduced by commit 3f50f132d840 ("bpf: Verifier, do explicit ALU32 bounds tracking") (5.7-rc1) and the XOR variant was introduced by 2921c90d4718 ("bpf: Fix a verifier failure with xor") (5.10-rc1).
Affected
17 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| debian | linux | < linux 5.10.38-1 (bookworm) | linux 5.10.38-1 (bookworm) |
| linux | linux_kernel | — | — |
| linux | linux_kernel | >= 0 < 5.10.38-1 | 5.10.38-1 |
| linux | linux_kernel | >= 0 < 5.10.38-1 | 5.10.38-1 |
| linux | linux_kernel | >= 0 < 5.10.38-1 | 5.10.38-1 |
| linux | linux_kernel | >= 0 < 5.10.38-1 | 5.10.38-1 |
| linux | linux_kernel | >= 5.10 < 5.10.37 | 5.10.37 |
| linux | linux_kernel | >= 5.11 < 5.11.21 | 5.11.21 |
| linux | linux_kernel | >= 5.12 < 5.12.4 | 5.12.4 |
| linux | linux_kernel | >= linux-5.10.y < v5.10.37 | v5.10.37 |
| linux | linux_kernel | >= linux-5.11.y < v5.11.21 | v5.11.21 |
| linux | linux_kernel | >= linux-5.12.y < v5.12.4 | v5.12.4 |
| linux | linux_kernel | >= trunk < v5.13-rc4 | v5.13-rc4 |
| linux | linux_kernel | >= v5.7-rc1 < 5.7* | 5.7* |
Detection & IOCs
- Monitor for unprivileged eBPF program loads (bpf() syscall) from non-root processes; exploitation requires kernel.unprivileged_bpf_disabled to be unset (0)
- Detect exploitation attempts via the Metasploit module targeting the scalar32_min_max_and function in the eBPF verifier's ALU32 AND operation bounds check
- Exploit is data-only and misuses only legitimate system calls, making process-level detection difficult; focus on behavioral anomalies such as unexpected privilege escalation from container processes
- In container environments, watch for use of sched_setaffinity() syscall as part of exploit chain to manipulate task struct and achieve container escape
- Alert on processes inside containers that attempt to read or write kernel symbols (ksymtab/kstrtab) as part of the exploit's kernel read/write primitive establishment
- Exploitation requires kernel.unprivileged_bpf_disabled=0; if set to 1, unprivileged users cannot load eBPF programs. However, a privileged user (root or CAP_SYS_ADMIN) can still exploit the flaw, and the Metasploit module notes it can still bypass protections like SELinux when run as a privileged user.
- Affected kernel versions: 5.7-rc1 through 5.13-rc4 (AND/OR), 5.10-rc1 through 5.10.37 (XOR). Fixed in v5.13-rc4, v5.12.4, v5.11.21, and v5.10.37.
- Red Hat Enterprise Linux 6, 7, and 8 are listed as Not Affected; RHEL 7 always disables eBPF for unprivileged users.
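The version ranges and the sysctl precondition from the list above can be combined into one host exposure check. This is an added example, not code from any of the source advisories; the function names are hypothetical, and the comparison assumes upstream version numbering (distribution kernels backport the fix, so the vendor advisory takes precedence).

```shell
#!/bin/sh
# Added example (not from the source advisories): classify an upstream kernel
# release against the CVE-2021-3490 ranges listed on this page. Function names
# are hypothetical. Distribution kernels backport fixes, so a vendor advisory
# overrides this upstream comparison.

# "5.10.36-generic" -> "5 10 36"
split_version() {
    base=${1%%[-+]*}            # drop "-rc3", "-generic", "+" suffixes
    IFS=. read -r maj min pat _ <<EOF
$base
EOF
    echo "${maj:-0} ${min:-0} ${pat:-0}"
}

kernel_status() {
    case $1 in                  # 5.13 release candidates before the fix in rc4
        5.13.0-rc[123]|5.13.0-rc[123][-+]*) echo affected; return ;;
    esac
    set -- $(split_version "$1")
    maj=$1 min=$2 pat=$3
    if [ "$maj" -lt 5 ]; then echo not-affected; return; fi
    if [ "$maj" -gt 5 ]; then echo fixed; return; fi
    if   [ "$min" -lt 7 ];  then echo not-affected   # predates 3f50f132d840
    elif [ "$min" -lt 10 ]; then echo affected       # no fixed release listed
    elif [ "$min" -eq 10 ] && [ "$pat" -lt 37 ]; then echo affected
    elif [ "$min" -eq 11 ] && [ "$pat" -lt 21 ]; then echo affected
    elif [ "$min" -eq 12 ] && [ "$pat" -lt 4 ];  then echo affected
    else echo fixed
    fi
}

# $2 is the value of kernel.unprivileged_bpf_disabled (0 = unprivileged loads allowed).
exposure() {
    status=$(kernel_status "$1")
    if [ "$status" != affected ]; then echo "$status"; return; fi
    case $2 in
        0)      echo "affected: unprivileged users can load eBPF programs" ;;
        [1-9]*) echo "affected: only root or CAP_SYS_ADMIN can load eBPF programs" ;;
        *)      echo "affected: unprivileged_bpf_disabled could not be read" ;;
    esac
}

# Check the running host.
report_host() {
    val=$(cat /proc/sys/kernel/unprivileged_bpf_disabled 2>/dev/null || echo unknown)
    exposure "$(uname -r)" "$val"
}

if [ "${1:-}" = "--host" ]; then report_host; fi
```

Run it with `--host` to evaluate the running system; an "affected" result with the sysctl at 0 is the configuration the detection notes single out.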
CVSS provenance
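| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C |
| osv | — | 7.8 | HIGH | — |
| vendor_debian | — | 7.8 | HIGH | — |
| vendor_redhat | — | 7.8 | HIGH | — |
| vendor_ubuntu | — | 7.8 | HIGH | — |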
Red Hat
kernel: Linux kernel eBPF bitwise ops ALU32 bounds tracking
vendor_redhat·2021-05-11·CVSS 7.8
CVE-2021-3490 [HIGH] CWE-119 kernel: Linux kernel eBPF bitwise ops ALU32 bounds tracking
A flaw was found in the Linux kernel's eBPF verification code. It was dis
Ubuntu
Linux kernel (OEM) vulnerabilities
vendor_ubuntu·2021-05-11·CVSS 7.8
CVE-2021-3489 [HIGH] Linux kernel (OEM) vulnerabilities
Title: Linux kernel (OEM) vulnerabilities
Summary: Several security issues were fixed in the Linux kernel.
Ryota Shiga discovered that the eBPF implementation in the Linux kernel did
not properly verify that a BPF program only reserved as much memory for a
ring buffer as was allocated. A local attacker could use this to cause a
denial of service (system crash) or execute arbitrary code. (CVE-2021-3489)
Manfred Paul discovered that the eBPF implementation in the Linux kernel
did not properly track bounds on bitwise operations. A local attacker could
use this to cause a denial of service (system crash) or execute arbitrary
code. (CVE-2021-3490)
Billy Jheng Bing-Jhong discovered that the io_uring implementation of the
Linux kernel did not properly enforce the MAX_RW_COUNT limit in some
si
Ubuntu
Linux kernel vulnerabilities
vendor_ubuntu·2021-05-11·CVSS 7.8
CVE-2021-3489 [HIGH] Linux kernel vulnerabilities
Ubuntu
Linux kernel vulnerabilities
vendor_ubuntu·2021-05-11·CVSS 4.4
CVE-2021-29265 [MEDIUM] Linux kernel vulnerabilities
Debian
CVE-2021-3490: linux - The eBPF ALU32 bounds tracking for bitwise ops (AND, OR and XOR) in the Linux ke...
vendor_debian·2021·CVSS 7.8
CVE-2021-3490 [HIGH] CVE-2021-3490: linux - The eBPF ALU32 bounds tracking for bitwise ops (AND, OR and XOR) in the Linux ke...
Scope: local
bookworm: resolved (fixed in 5.10.38-1)
bullseye: resolved (fixed in 5.10.38-1)
forky: resolved (fixed in 5.10.38-1)
sid:
GHSA
GHSA-9wfm-q59x-qc3x: The eBPF ALU32 bounds tracking for bitwise ops (AND, OR and XOR) in the Linux kernel did not properly update 32-bit bounds, which could be turned into
ghsa_unreviewed·2022-05-24
CVE-2021-3490 [HIGH] CWE-125 GHSA-9wfm-q59x-qc3x: The eBPF ALU32 bounds tracking for bitwise ops (AND, OR and XOR) in the Linux kernel did not properly update 32-bit bounds, which could be turned into
OSV
CVE-2021-3490: In scalar32_min_max_and and related functions of verifier
osv·2021-10-01
CVE-2021-3490 CVE-2021-3490: In scalar32_min_max_and and related functions of verifier
In scalar32_min_max_and and related functions of verifier.c, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.
OSV
CVE-2021-3490: The eBPF ALU32 bounds tracking for bitwise ops (AND, OR and XOR) in the Linux kernel did not properly update 32-bit bounds, which could be turned into
osv·2021-06-04·CVSS 7.8
CVE-2021-3490 [HIGH] CVE-2021-3490: The eBPF ALU32 bounds tracking for bitwise ops (AND, OR and XOR) in the Linux kernel did not properly update 32-bit bounds, which could be turned into
OSV
linux, linux-aws, linux-azure, linux-gcp, linux-hwe-5.8, linux-kvm, linux-oracle, linux-raspi vulnerabilities
osv·2021-05-11·CVSS 4.4
CVE-2021-3489 [MEDIUM] linux, linux-aws, linux-azure, linux-gcp, linux-hwe-5.8, linux-kvm, linux-oracle, linux-raspi vulnerabilities
OSV
linux-oem-5.10 vulnerabilities
osv·2021-05-11·CVSS 7.8
CVE-2021-3489 [HIGH] linux-oem-5.10 vulnerabilities
arXiv
KernJC: Automated Vulnerable Environment Generation for Linux Kernel Vulnerabilities
arxiv_fulltext·2024-09-24
Bonan Ruan, Jiahao Liu, Chuqi Zhang, Zhenkai Liang (National University of Singapore)
## Abstract
Linux kernel vulnerability reproduction is a critical task in system security.
To reproduce a kernel vulnerability, the vulnerable environment and the Proof of Concept (PoC) program are needed.
Most existing research focuses on the generation of PoC, while the construction of environment is overlooked.
However, establishing an effective vulnerable environment to trigger a vulnerability is challenging.
Firstly, it is hard to guarantee that the selected kernel version for reproduction is vulnerable, as the vulner
arXiv
SafeBPF: Hardware-assisted Defense-in-depth for eBPF Kernel Extensions
arxiv_fulltext·2024-09-11
Soo Yee Lim (ORCID 0000-0002-3418-4982), University of British Columbia, Vancouver, British Columbia, Canada
Tanya Prasad (ORCID 0009-0000-5378-1857), University of British Columbia, Vancouver, British Columbia, Canada
Xueyuan Han (ORCID 0000-0003-1374-153X), Wake Forest University, Winston-Salem, North Carolina, USA
Thomas Pasquier (ORCID 0000-0001-6876-1306), University of British Columbia, Vancouver, British Columbia, Canada
## Abstract
The framework enables execution of user-provided code in the Linux kernel. In the last few years, a large ecosystem of cloud services has leveraged to enhance container security, system observability, and network management. Meanwhile, incessant discoveries of memory
Crowdstrike
Exploiting CVE-2021-3490 for Container Escapes
blogs_crowdstrike·CVSS 7.8
CVE-2026-20929 [HIGH] Exploiting CVE-2021-3490 for Container Escapes
- http://packetstormsecurity.com/files/164015/Linux-eBPF-ALU32-32-bit-Invalid-Bounds-Tracking-Local-Privilege-Escalation.html
- https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/commit/?id=049c4e13714ecbca567b4d5f6d563f05d431c80e
- https://security.netapp.com/advisory/ntap-20210716-0004/
- https://ubuntu.com/security/notices/USN-4949-1
- https://ubuntu.com/security/notices/USN-4950-1
- https://www.openwall.com/lists/oss-security/2021/05/11/11
- https://www.zerodayinitiative.com/advisories/ZDI-21-606/