CVE-2021-3491 — Incorrect Calculation of Buffer Size in Kernel
Severity
8.8HIGHNVD
CNA7.8
EPSS
0.1%
top 81.42%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedJun 4
Latest updateMay 24
Description
The io_uring subsystem in the Linux kernel allowed the MAX_RW_COUNT limit to be bypassed in the PROVIDE_BUFFERS operation, which led to negative values being usedin mem_rw when reading /proc//mem. This could be used to create a heap overflow leading to arbitrary code execution in the kernel. It was addressed via commit d1f82808877b ("io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers") (v5.13-rc1) and backported to the stable kernels in v5.12.4, v5.11.21, and v5.10.37. It was…
CVSS vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:HExploitability: 2.0 | Impact: 6.0
Affected Packages3 packages
Also affects: Ubuntu Linux 20.04, 20.10, 21.04
Patches
🔴Vulnerability Details
5GHSA▶
GHSA-q4c9-gg27-f3pq: The io_uring subsystem in the Linux kernel allowed the MAX_RW_COUNT limit to be bypassed in the PROVIDE_BUFFERS operation, which led to negative value↗2022-05-24
OSV▶
CVE-2021-3491: The io_uring subsystem in the Linux kernel allowed the MAX_RW_COUNT limit to be bypassed in the PROVIDE_BUFFERS operation, which led to negative value↗2021-06-04
📋Vendor Advisories
5Debian▶
CVE-2021-3491: linux - The io_uring subsystem in the Linux kernel allowed the MAX_RW_COUNT limit to be ...↗2021