CVE-2021-4203 — Race Condition in Kernel

CWE-362 — Race Condition CWE-416 — Use After Free CWE-366 — Race Condition within a Thread10 documents8 sources

Severity

6.8MEDIUMNVD

EPSS

0.1%

top 74.06%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Linux Kernel Netapp E-series Santricity OS Controller Oracle Communications Cloud Native Core Binding Support Function +2 more

Timeline

PublishedMar 25

Latest updateApr 12

Description

A use-after-free read flaw was found in sock_getsockopt() in net/core/sock.c due to SO_PEERCRED and SO_PEERGROUPS race with listen() (and connect()) in the Linux kernel. In this flaw, an attacker with a user privileges may crash the system or leak internal kernel information.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:HExploitability: 1.6 | Impact: 5.2

Affected Packages7 packages

▶NVDlinux/linux_kernel< 5.15+1

▶Debianlinux/linux_kernel< 5.10.84-1+3

▶CVEListV5linux/linux_kernelkernel 5.15 rc4

▶NVDoracle/communications_cloud_native_core_policy22.2.0

▶NVDoracle/communications_cloud_native_core_binding_support_function22.1.3

Patches

Patch: bugs.chromium.org ↗Patch: bugzilla.redhat.com ↗Patch: git.kernel.org ↗

🔴Vulnerability Details

GHSA

GHSA-rh28-76xv-jcqc: A use-after-free read flaw was found in sock_getsockopt() in net/core/sock↗2022-03-26

▶

OSV

CVE-2021-4203: A use-after-free read flaw was found in sock_getsockopt() in net/core/sock↗2022-03-25

▶

CVEList

CVE-2021-4203: A use-after-free read flaw was found in sock_getsockopt() in net/core/sock↗2022-03-25

▶

📋Vendor Advisories

Ubuntu

Linux kernel (AWS) vulnerabilities↗2023-04-12

▶

Ubuntu

Linux kernel vulnerabilities↗2023-04-12

▶

Ubuntu

Linux kernel (AWS) vulnerabilities↗2023-04-06

▶

Microsoft

▶

Red Hat

kernel: Race condition in races in sk_peer_pid and sk_peer_cred accesses↗2021-09-29

▶