CVE-2021-3492 — Missing Release of Memory after Effective Lifetime in Linux Kernel
Severity
7.8HIGHNVD
CNA8.8
EPSS
24.4%
top 3.88%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedApr 17
Latest updateMay 24
Description
Shiftfs, an out-of-tree stacking file system included in Ubuntu Linux kernels, did not properly handle faults occurring during copy_from_user() correctly. These could lead to either a double-free situation or memory not being freed at all. An attacker could use this to cause a denial of service (kernel memory exhaustion) or gain privileges via executing arbitrary code. AKA ZDI-CAN-13562.
CVSS vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9
Affected Packages3 packages
Patches
🔴Vulnerability Details
5GHSA▶
GHSA-hr5j-7qj8-mpp3: Shiftfs, an out-of-tree stacking file system included in Ubuntu Linux kernels, did not properly handle faults occurring during copy_from_user() correc↗2022-05-24
OSV▶
CVE-2021-3492: Shiftfs, an out-of-tree stacking file system included in Ubuntu Linux kernels, did not properly handle faults occurring during copy_from_user() correc↗2021-04-15
📋Vendor Advisories
5Debian▶
CVE-2021-3492: linux - Shiftfs, an out-of-tree stacking file system included in Ubuntu Linux kernels, d...↗2021