CVE-2021-37159Double Free in Linux

CWE-415Double FreeCWE-416Use After Free25 documents8 sources
Severity
6.4MEDIUMNVD
OSV6.5OSV5.5OSV5.3OSV4.7OSV3.3
EPSS
0.0%
top 90.21%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
9
Linux KernelDebian LinuxDebian Linux+6 more
Timeline
PublishedJul 21
Latest updateAug 21

Description

hso_free_net_device in drivers/net/usb/hso.c in the Linux kernel through 5.13.4 calls unregister_netdev without checking for the NETREG_REGISTERED state, leading to a use-after-free and a double free.

CVSS vector

CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 0.5 | Impact: 5.9

Affected Packages10 packages

Debianlinux/linux_kernel< 5.10.70-1+3
Ubuntulinux/linux_kernel< 4.15.0-163.171+3
NVDlinux/linux_kernel5.13.4
debiandebian/linux< linux 5.14.6-1 (bookworm)

Also affects: Debian Linux 9.0

Patches

Patch: www.oracle.comPatch: www.spinics.netPatch: www.oracle.com

🔴Vulnerability Details

12
OSV
linux vulnerabilities2024-08-21
GHSA
GHSA-jh5h-88qq-m547: hso_free_net_device in drivers/net/usb/hso2022-05-24
OSV
linux, linux-aws, linux-kvm, linux-lts-xenial vulnerabilities2022-04-01
OSV
CVE-2021-37159: In hso_free_net_device of net/usb/hso2022-03-01
OSV
linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-dell300x, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux-raspi2, linux-snapdragon vulnerabilities2021-11-30

📋Vendor Advisories

12
Ubuntu
Linux kernel vulnerabilities2024-08-21
Palo Alto
PAN-SA-2024-0001 Informational Bulletin: Impact of OSS CVEs in PAN-OS2024-02-14
Ubuntu
Linux kernel vulnerabilities2022-04-01
Ubuntu
Linux kernel vulnerabilities2021-11-30
Ubuntu
Linux kernel vulnerabilities2021-11-30
CVE-2021-37159 — Double Free in Debian Linux | cvebase