CVE-2021-38300 — Code Injection in Kernel

CWE-94 — Code Injection6 documents6 sources

Severity

7.8HIGHNVD

EPSS

0.2%

top 64.11%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Linux Kernel Debian Linux Debian Linux +2 more

Timeline

PublishedSep 20

Latest updateMay 24

Description

arch/mips/net/bpf_jit.c in the Linux kernel before 5.4.10 can generate undesirable machine code when transforming unprivileged cBPF programs, allowing execution of arbitrary code within the kernel context. This occurs because conditional branches can exceed the 128 KB limit of the MIPS architecture.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages5 packages

▶NVDlinux/linux_kernel3.16 — 4.14.251+4

▶Debianlinux/linux_kernel< 5.10.70-1+3

▶msrcmsrc/cm1_kernel_5.10.74.1-1_on_cbl_mariner_1.0

▶msrcmsrc/cbl2_kernel_5.10.78.1-1_on_cbl_mariner_2.0

▶debiandebian/linux< linux 5.14.6-1 (bookworm)

Also affects: Debian Linux 10.0, 9.0

Patches

Patch: www.openwall.com ↗Patch: git.kernel.org ↗Patch: www.openwall.com ↗

🔴Vulnerability Details

GHSA

GHSA-7f3j-x5jc-j32w: arch/mips/net/bpf_jit↗2022-05-24

▶

OSV

CVE-2021-38300: arch/mips/net/bpf_jit↗2021-09-20

▶

📋Vendor Advisories

Microsoft

arch/mips/net/bpf_jit.c in the Linux kernel before 5.4.10 can generate undesirable machine code when transforming unprivileged cBPF programs allowing execution of arbitrary code within the kernel cont↗2021-09-14

▶

Red Hat

kernel: crafting anomalous machine code may lead to arbitrary Kernel code execution↗2021-09-14

▶

Debian

CVE-2021-38300: linux - arch/mips/net/bpf_jit.c in the Linux kernel before 5.4.10 can generate undesirab...↗2021

▶