CVE-2021-38209Observable Discrepancy in Kernel

CWE-203Observable DiscrepancyCWE-200Sensitive Information Exposure6 documents6 sources
Severity
3.3LOWNVD
EPSS
0.1%
top 75.10%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
Linux KernelDebian LinuxMsrc Cbl2 Kernel 5.10.78.1-1 ON CBL Mariner 2.0+1 more
Timeline
PublishedAug 8
Latest updateMay 24

Description

net/netfilter/nf_conntrack_standalone.c in the Linux kernel before 5.12.2 allows observation of changes in any net namespace because these changes are leaked into all other net namespaces. This is related to the NF_SYSCTL_CT_MAX, NF_SYSCTL_CT_EXPECT_MAX, and NF_SYSCTL_CT_BUCKETS sysctls.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 1.8 | Impact: 1.4

Affected Packages5 packages

NVDlinux/linux_kernel< 5.12.2
Debianlinux/linux_kernel< 5.10.38-1+3
debiandebian/linux< linux 5.10.38-1 (bookworm)

Patches

Patch: cdn.kernel.orgPatch: github.comPatch: cdn.kernel.org

🔴Vulnerability Details

2
GHSA
GHSA-vj8v-34wr-vjm9: net/netfilter/nf_conntrack_standalone2022-05-24
OSV
CVE-2021-38209: net/netfilter/nf_conntrack_standalone2021-08-08

📋Vendor Advisories

3
Microsoft
net/netfilter/nf_conntrack_standalone.c in the Linux kernel before 5.12.2 allows observation of changes in any net namespace because these changes are leaked into all other net namespaces. This is rel2021-08-10
Red Hat
kernel: net/netfilter/nf_conntrack_standalone.c allows observation of changes in any net namespace because these changes are leaked into all other net namespaces2021-04-12
Debian
CVE-2021-38209: linux - net/netfilter/nf_conntrack_standalone.c in the Linux kernel before 5.12.2 allows...2021
CVE-2021-38209 — Observable Discrepancy in Linux Kernel | cvebase