CVE-2021-3939

CWE-590 CWE-7636 documents6 sources

Severity

7.8HIGH

EPSS

0.1%

top 68.41%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Ubuntu Accountsservice Canonical Accountsservice Canonical Ubuntu Linux

Timeline

PublishedNov 17

Latest updateMay 24

Description

Ubuntu-specific modifications to accountsservice (in patch file debian/patches/0010-set-language.patch) caused the fallback_locale variable, pointing to static storage, to be freed, in the user_change_language_authorized_cb function. This is reachable via the SetLanguage dbus function. This is fixed in versions 0.6.55-0ubuntu12~20.04.5, 0.6.55-0ubuntu13.3, 0.6.55-0ubuntu14.1.

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:HExploitability: 1.1 | Impact: 6.0

Affected Packages3 packages

▶CVEListV5ubuntu/accountsservice0.6.55-0ubuntu12~20.04 — 0.6.55-0ubuntu12~20.04.5+2

▶NVDcanonical/accountsservice0.6.55-0ubuntu12\~20.04 — 0.6.55-0ubuntu12\~20.05+2

▶Ubuntuaccountsservice< 0.6.55-0ubuntu12~20.04.5+1

Also affects: Ubuntu Linux 20.04, 21.04, 21.10

🔴Vulnerability Details

GHSA

GHSA-jxh7-q7rm-43ww: Ubuntu-specific modifications to accountsservice (in patch file debian/patches/0010-set-language↗2022-05-24

▶

CVEList

Free of static data in accountsservice↗2021-11-17

▶

OSV

CVE-2021-3939: Ubuntu-specific modifications to accountsservice (in patch file debian/patches/0010-set-language↗2021-11-16

▶

📋Vendor Advisories

Ubuntu

AccountsService vulnerability↗2021-11-16

▶

Debian

CVE-2021-3939: accountsservice - Ubuntu-specific modifications to accountsservice (in patch file debian/patches/0...↗2021

▶