CVE-2021-3714 — Sensitive Information Exposure in Kernel

CWE-200 — Sensitive Information Exposure CWE-1236 — Improper Neutralization of Formula Elements in a CSV File8 documents8 sources

Severity

5.9MEDIUMNVD

EPSS

0.1%

top 79.66%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Craftcms CMS Linux Kernel Redhat Enterprise Linux

Timeline

PublishedAug 23

Latest updateAug 24

Description

A flaw was found in the Linux kernels memory deduplication mechanism. Previous work has shown that memory deduplication can be attacked via a local exploitation mechanism. The same technique can be used if an attacker can upload page sized files and detect the change in access time from a networked service to determine if the page has been merged.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 2.2 | Impact: 3.6

Affected Packages2 packages

▶CVEListV5linux/linux_kernelNot known

▶Packagistcraftcms/cms3.4.0 — 3.7.14

Also affects: Enterprise Linux 6.0, 7.0, 8.0

🔴Vulnerability Details

GHSA

GHSA-p9ch-h5p3-4xcq: A flaw was found in the Linux kernels memory deduplication mechanism↗2022-08-24

▶

OSV

CVE-2021-3714: A flaw was found in the Linux kernels memory deduplication mechanism↗2022-08-23

▶

CVEList

CVE-2021-3714: A flaw was found in the Linux kernels memory deduplication mechanism↗2022-08-23

▶

GHSA

CSV Injection Vulnerability↗2021-10-18

▶

📋Vendor Advisories

Red Hat

kernel: Remote Page Deduplication Attacks↗2021-11-16

▶

Debian

CVE-2021-3714: linux - A flaw was found in the Linux kernels memory deduplication mechanism. Previous w...↗2021

▶

📄Research Papers

arXiv

Remote Memory-Deduplication Attacks↗2021-11-16

▶