CVE-2021-43267
Published 2021-11-02
Priority: P268 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 57.85% (99.0th percentile)
An issue was discovered in net/tipc/crypto.c in the Linux kernel before 5.14.16. The Transparent Inter-Process Communication (TIPC) functionality allows remote attackers to exploit insufficient validation of user-supplied sizes for the MSG_CRYPTO message type.
Affected
12 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | linux | < linux 5.14.16-1 (bookworm) | linux 5.14.16-1 (bookworm) |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| linux | linux_kernel | >= 0 < 5.10.84-1 | 5.10.84-1 |
| linux | linux_kernel | >= 0 < 5.14.16-1 | 5.14.16-1 |
| linux | linux_kernel | >= 0 < 5.14.16-1 | 5.14.16-1 |
| linux | linux_kernel | >= 0 < 5.14.16-1 | 5.14.16-1 |
| linux | linux_kernel | >= 5.10 < 5.10.77 | 5.10.77 |
| linux | linux_kernel | >= 5.11 < 5.14.16 | 5.14.16 |
| msrc | cbl2_kernel_5.10.78.1-1_on_cbl_mariner_2.0 | — | — |
| msrc | cm1_kernel_5.10.78.1-1_on_cbl_mariner_1.0 | — | — |
| paloalto | pan-os | — | — |
Detection & IOCs (extracted from sources)
- Detect MSG_CRYPTO (message type 14) TIPC packets on UDP port 6118; unexpected MSG_CRYPTO messages from untrusted peers should be treated as suspicious and may indicate exploitation attempts.
- Look for TIPC MSG_CRYPTO packets where the keylen field in the message body is significantly larger than the message payload size (size field from the header), indicating a heap overflow attempt: the attacker sets a small body size for allocation but a large keylen to overflow.
- Detect crafted TIPC packets where the Message Size field in the header is set smaller than the actual packet length (skb->len), which is a prerequisite for the exploit to control overflow data.
- Monitor for unexpected loading of the 'tipc' kernel module on systems where it is not required; the module must be explicitly loaded and is not auto-loaded, so its presence on unexpected hosts is a strong signal.
- Use the Red Hat-provided SystemTap mitigation script to detect and neutralize MSG_CRYPTO messages by probing tipc_data_input and checking msg_user(hdr) == MSG_CRYPTO (value 14), which can also serve as a detection point.
- Vulnerable kernel versions are between 5.10-rc1 and 5.15 (specifically before 5.14.16); inventory Linux hosts running these kernel versions with the tipc module loaded as high-priority targets.
- The TIPC module must be explicitly loaded by an administrator; it is not auto-loaded, so the attack surface only exists on systems where TIPC has been deliberately enabled.
- Remote exploitation is only possible when TIPC is configured over UDP (port 6118); when configured over raw Ethernet, remote exploitation requires the ability to send raw Ethernet frames, limiting the remote attack surface.
- Red Hat Enterprise Linux 8 is only affected starting with kernel-4.18.0-305.el8 (shipped with RHEL 8.4 GA); earlier RHEL 8 kernels did not include the vulnerable MSG_CRYPTO functionality.
- The SystemTap-based mitigation that blocks MSG_CRYPTO messages will DISABLE TIPC protocol-level encryption; only apply it on systems that use alternative secure communication methods (e.g., IPSec/MACsec, physical separation).
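The two packet-level indicators above (a keylen that exceeds what the body can hold, and a header Message Size smaller than the bytes actually on the wire) can be checked offline against UDP/6118 payloads. The following is an added example written for this page, not code from any vendor, the kernel, or the Red Hat SystemTap script. It assumes the TIPC word-0 layout from net/tipc/msg.h (user in bits 25-28, header size in 32-bit words in bits 21-24, message size in bits 0-16, all big-endian) and a key body of a 32-byte algorithm name followed by a 4-byte big-endian keylen and the key bytes; the sample packets are constructed, not captures.

```python
"""Consistency checks for TIPC MSG_CRYPTO messages carried as UDP payloads.

Added example (not from the page, the kernel, or any vendor): flags the two
field inconsistencies the CVE-2021-43267 advisories describe.
"""
import struct
from typing import List, Optional

MSG_CRYPTO = 14            # TIPC "user" value for key-exchange messages (stated on the page)
TIPC_UDP_PORT = 6118       # default TIPC-over-UDP port (stated on the page)
TIPC_AEAD_ALG_NAME = 32    # assumption: alg_name field length in the key body
KEY_HDR_LEN = TIPC_AEAD_ALG_NAME + 4   # alg_name followed by a 4-byte big-endian keylen


def parse_word0(payload: bytes):
    """Decode word 0 of a TIPC header (big-endian 32-bit) into (user, hdr_size, msg_size).
    Bit positions are an assumption taken from net/tipc/msg.h."""
    (w0,) = struct.unpack_from("!I", payload, 0)
    user = (w0 >> 25) & 0xF
    hdr_size = ((w0 >> 21) & 0xF) << 2      # header size is stored in 32-bit words
    msg_size = w0 & 0x1FFFF
    return user, hdr_size, msg_size


def inspect_tipc_payload(payload: bytes) -> List[str]:
    """Return findings for one UDP payload; an empty list means nothing suspicious."""
    findings: List[str] = []
    if len(payload) < 4:
        return ["runt: payload shorter than a TIPC header word"]
    user, hdr_size, msg_size = parse_word0(payload)
    if user != MSG_CRYPTO:
        return findings                     # only MSG_CRYPTO carries the key body we check
    # Check 1: header size field claims fewer bytes than are actually on the wire.
    if msg_size < len(payload):
        findings.append(f"msg_size {msg_size} smaller than actual payload length {len(payload)}")
    # Check 2: keylen larger than the body that msg_size and hdr_size allow for.
    body_len = msg_size - hdr_size
    if body_len < KEY_HDR_LEN or len(payload) < hdr_size + KEY_HDR_LEN:
        findings.append(f"body {body_len} bytes: too short for alg_name and keylen")
        return findings
    (keylen,) = struct.unpack_from("!I", payload, hdr_size + TIPC_AEAD_ALG_NAME)
    room = body_len - KEY_HDR_LEN
    if keylen > room:
        findings.append(f"keylen {keylen} exceeds the {room} key bytes the body can hold")
    return findings


def build_msg_crypto(keylen_field: int, key: bytes, hdr_size: int = 24,
                     msg_size: Optional[int] = None, trailer: bytes = b"") -> bytes:
    """Constructed sample packet (not a capture). keylen_field is written as given so a
    caller can make it disagree with len(key); msg_size defaults to the true length."""
    body = b"gcm(aes)".ljust(TIPC_AEAD_ALG_NAME, b"\x00") + struct.pack("!I", keylen_field) + key
    if msg_size is None:
        msg_size = hdr_size + len(body)
    w0 = (2 << 29) | (MSG_CRYPTO << 25) | ((hdr_size >> 2) << 21) | (msg_size & 0x1FFFF)
    header = struct.pack("!I", w0).ljust(hdr_size, b"\x00")   # remaining header words zeroed
    return header + body + trailer


# Constructed samples: a consistent message and one for each indicator.
KEY = bytes(range(36))
CONSISTENT = build_msg_crypto(len(KEY), KEY)
OVERSIZED_KEYLEN = build_msg_crypto(4096, KEY)                      # keylen says 4096, body holds 36
UNDERSIZED_HEADER = build_msg_crypto(len(KEY), KEY, trailer=b"\x00" * 128)  # 128 bytes beyond msg_size

if __name__ == "__main__":
    for name, pkt in (("consistent", CONSISTENT), ("oversized keylen", OVERSIZED_KEYLEN),
                      ("undersized header", UNDERSIZED_HEADER)):
        print(name, "->", inspect_tipc_payload(pkt) or "ok")
```

Feed `inspect_tipc_payload` the UDP payload of each datagram seen on port 6118 (for example from a pcap reader); any non-empty result on a MSG_CRYPTO message from a peer that is not a known TIPC node is worth an alert, and the module-loading check in the list above tells you which hosts the rule needs to run for at all.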
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 9.8 | CRITICAL | — |
| vendor_msrc | — | 9.8 | CRITICAL | — |
| vendor_redhat | — | 9.8 | CRITICAL | — |
| vendor_ubuntu | — | 7.8 | HIGH | — |
Palo Alto
PAN-SA-2024-0001 Informational Bulletin: Impact of OSS CVEs in PAN-OS
vendor_paloalto·2024-02-14·CVSS 9.8
CVE-2017-18342 [CRITICAL] PAN-SA-2024-0001 Informational Bulletin: Impact of OSS CVEs in PAN-OS
PAN-SA-2024-0001 Informational Bulletin: Impact of OSS CVEs in PAN-OS
The Palo Alto Networks Product Security Assurance team has evaluated the following open source software (OSS) CVEs as they relate to PAN-OS software. While PAN-OS software may include the
CVEs: CVE-2017-18342, CVE-2017-8923, CVE-2017-9120, CVE-2019-1551, CVE-2019-16865, CVE-2019-16905, CVE-2019-19523, CVE-2019-19528, CVE-2019-19911, CVE-2020-0404, CVE-2020-0431, CVE-2020-0466, CVE-2020-10379, CVE-2020-11538, CVE-2020-11608, CVE-2020-12114, CVE-2020-12321, CVE-2020-12362, CVE-2020-12363, CVE-2020-12364, CVE-2020-13757, CVE-2020-14314, CVE-2020-14351, CVE-2020-15778, CVE-2020-1967, CVE-2020-24394, CVE-2020-24504, CVE-2020-25211, CVE-2020-25212, CVE-2020-25284, CVE-2020-25285, CVE-2020-25717, CVE-2020-26541, CVE-2020-2715
Ubuntu
Linux kernel (OEM) vulnerabilities
vendor_ubuntu·2022-01-11·CVSS 4.7
CVE-2021-41864 [MEDIUM] Linux kernel (OEM) vulnerabilities
Title: Linux kernel (OEM) vulnerabilities
Summary: Several security issues were fixed in the Linux kernel.
Nadav Amit discovered that the hugetlb implementation in the Linux kernel
did not perform TLB flushes under certain conditions. A local attacker
could use this to leak or alter data from other processes that use huge
pages. (CVE-2021-4002)
It was discovered that the eBPF implementation in the Linux kernel did
not properly validate the memory size of certain ring buffer operation
arguments. A local attacker could use this to cause a denial of service
(system crash) or possibly execute arbitrary code. (CVE-2021-4204)
It was discovered that a race condition existed in the overlay file system
implementation in the Linux kernel. A local attacker could use this to
cause a denial of serv
Ubuntu
Linux kernel vulnerabilities
vendor_ubuntu·2022-01-06·CVSS 4.7
CVE-2021-43389 [MEDIUM] Linux kernel vulnerabilities
Title: Linux kernel vulnerabilities
Summary: Several security issues were fixed in the Linux kernel.
Nadav Amit discovered that the hugetlb implementation in the Linux kernel
did not perform TLB flushes under certain conditions. A local attacker
could use this to leak or alter data from other processes that use huge
pages. (CVE-2021-4002)
It was discovered that a race condition existed in the overlay file system
implementation in the Linux kernel. A local attacker could use this to
cause a denial of service (system crash). (CVE-2021-20321)
It was discovered that the NFC subsystem in the Linux kernel contained a
use-after-free vulnerability in its NFC Controller Interface (NCI)
implementation. A local attacker could possibly use this to cause a denial
of service (system crash) or execut
Ubuntu
Linux kernel (OEM) vulnerabilities
vendor_ubuntu·2022-01-05·CVSS 4.1
CVE-2021-42739 [MEDIUM] Linux kernel (OEM) vulnerabilities
Title: Linux kernel (OEM) vulnerabilities
Summary: Several security issues were fixed in the Linux kernel.
Nadav Amit discovered that the hugetlb implementation in the Linux kernel
did not perform TLB flushes under certain conditions. A local attacker
could use this to leak or alter data from other processes that use huge
pages. (CVE-2021-4002)
It was discovered that the eBPF implementation in the Linux kernel
contained a race condition around read-only maps. A privileged attacker
could use this to modify read-only maps. (CVE-2021-4001)
Luo Likang discovered that the FireDTV Firewire driver in the Linux kernel
did not properly perform bounds checking in some situations. A local
attacker could use this to cause a denial of service (system crash) or
possibly execute arbitrary code. (CVE-
Ubuntu
Linux kernel (OEM) vulnerabilities
vendor_ubuntu·2021-11-30·CVSS 7.8
CVE-2021-3772 [HIGH] Linux kernel (OEM) vulnerabilities
Title: Linux kernel (OEM) vulnerabilities
Summary: Several security issues were fixed in the Linux kernel.
It was discovered that the NFC subsystem in the Linux kernel contained a
use-after-free vulnerability in its NFC Controller Interface (NCI)
implementation. A local attacker could possibly use this to cause a denial
of service (system crash) or execute arbitrary code. (CVE-2021-3760)
It was discovered that the SCTP protocol implementation in the Linux kernel
did not properly verify VTAGs in some situations. A remote attacker could
possibly use this to cause a denial of service (connection disassociation).
(CVE-2021-3772)
It was discovered that the AMD Radeon GPU driver in the Linux kernel did
not properly validate writes in the debugfs file system. A privileged
attacker could use t
Microsoft
An issue was discovered in net/tipc/crypto.c in the Linux kernel before 5.14.16. The Transparent Inter-Process Communication (TIPC) functionality allows remote attackers to exploit insufficient valida
vendor_msrc·2021-11-09·CVSS 9.8
CVE-2021-43267 [CRITICAL] CWE-1284 An issue was discovered in net/tipc/crypto.c in the Linux kernel before 5.14.16. The Transparent Inter-Process Communication (TIPC) functionality allows remote attackers to exploit insufficient valida
An issue was discovered in net/tipc/crypto.c in the Linux kernel before 5.14.16. The Transparent Inter-Process Communication (TIPC) functionality allows remote attackers to exploit insufficient validation of user-supplied sizes for the MSG_CRYPTO message type.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If imp
Red Hat
kernel: Insufficient validation of user-supplied sizes for the MSG_CRYPTO message type
vendor_redhat·2021-11-02·CVSS 9.8
CVE-2021-43267 [CRITICAL] CWE-20 kernel: Insufficient validation of user-supplied sizes for the MSG_CRYPTO message type
kernel: Insufficient validation of user-supplied sizes for the MSG_CRYPTO message type
An issue was discovered in net/tipc/crypto.c in the Linux kernel before 5.14.16. The Transparent Inter-Process Communication (TIPC) functionality allows remote attackers to exploit insufficient validation of user-supplied sizes for the MSG_CRYPTO message type.
A flaw was discovered in the cryptographic receive code in the Linux kernel's implementation of transparent interprocess communication. An attacker, with the ability to send TIPC messages to the target, can corrupt memory and escalate privileges on the target system.
Statement: This issue affects Red Hat Enterprise Linux 8 starting with the kernel that shipped with Red Hat Enterprise Linux 8.4 GA (kernel-4.18.0-305.el8). Previous Red Hat Enterpr
Debian
CVE-2021-43267: linux - An issue was discovered in net/tipc/crypto.c in the Linux kernel before 5.14.16....
vendor_debian·2021·CVSS 9.8
CVE-2021-43267 [CRITICAL] CVE-2021-43267: linux - An issue was discovered in net/tipc/crypto.c in the Linux kernel before 5.14.16....
An issue was discovered in net/tipc/crypto.c in the Linux kernel before 5.14.16. The Transparent Inter-Process Communication (TIPC) functionality allows remote attackers to exploit insufficient validation of user-supplied sizes for the MSG_CRYPTO message type.
Scope: local
bookworm: resolved (fixed in 5.14.16-1)
bullseye: resolved (fixed in 5.10.84-1)
forky: resolved (fixed in 5.14.16-1)
sid: resolved (fixed in 5.14.16-1)
trixie: resolved (fixed in 5.14.16-1)
GHSA
GHSA-c22h-4v9p-5cx2: An issue was discovered in net/tipc/crypto
ghsa_unreviewed·2022-05-24
CVE-2021-43267 [CRITICAL] CWE-20 GHSA-c22h-4v9p-5cx2: An issue was discovered in net/tipc/crypto
An issue was discovered in net/tipc/crypto.c in the Linux kernel before 5.14.16. The Transparent Inter-Process Communication (TIPC) functionality allows remote attackers to exploit insufficient validation of user-supplied sizes for the MSG_CRYPTO message type.
OSV
CVE-2021-43267: In tipc_crypto_key_rcv of net/tipc/crypto
osv·2022-03-01
CVE-2021-43267 CVE-2021-43267: In tipc_crypto_key_rcv of net/tipc/crypto
In tipc_crypto_key_rcv of net/tipc/crypto.c, there is a possible out-of-bounds write due to a heap buffer overflow. This could lead to remote code execution with System execution privileges needed. User interaction is not needed for exploitation.
OSV
linux-oem-5.13 vulnerabilities
osv·2022-01-11·CVSS 4.7
CVE-2021-4002 [MEDIUM] linux-oem-5.13 vulnerabilities
linux-oem-5.13 vulnerabilities
Nadav Amit discovered that the hugetlb implementation in the Linux kernel
did not perform TLB flushes under certain conditions. A local attacker
could use this to leak or alter data from other processes that use huge
pages. (CVE-2021-4002)
It was discovered that the eBPF implementation in the Linux kernel did
not properly validate the memory size of certain ring buffer operation
arguments. A local attacker could use this to cause a denial of service
(system crash) or possibly execute arbitrary code. (CVE-2021-4204)
It was discovered that a race condition existed in the overlay file system
implementation in the Linux kernel. A local attacker could use this to
cause a denial of service (system crash). (CVE-2021-20321)
It was discovered that the NFC subsyste
OSV
linux, linux-aws, linux-aws-5.11, linux-azure, linux-azure-5.11, linux-gcp, linux-gcp-5.11, linux-hwe-5.11, linux-kvm, linux-oracle, linux-oracle-5.11, linux-raspi vulnerabilities
osv·2022-01-06·CVSS 4.7
CVE-2021-4002 [MEDIUM] linux, linux-aws, linux-aws-5.11, linux-azure, linux-azure-5.11, linux-gcp, linux-gcp-5.11, linux-hwe-5.11, linux-kvm, linux-oracle, linux-oracle-5.11, linux-raspi vulnerabilities
linux, linux-aws, linux-aws-5.11, linux-azure, linux-azure-5.11, linux-gcp, linux-gcp-5.11, linux-hwe-5.11, linux-kvm, linux-oracle, linux-oracle-5.11, linux-raspi vulnerabilities
Nadav Amit discovered that the hugetlb implementation in the Linux kernel
did not perform TLB flushes under certain conditions. A local attacker
could use this to leak or alter data from other processes that use huge
pages. (CVE-2021-4002)
It was discovered that a race condition existed in the overlay file system
implementation in the Linux kernel. A local attacker could use this to
cause a denial of service (system crash). (CVE-2021-20321)
It was discovered that the NFC subsystem in the Linux kernel contained a
use-after-free vulnerability in its NFC Controller Interface (NCI)
implementation. A local attacker
OSV
linux-oem-5.10 vulnerabilities
osv·2022-01-05·CVSS 4.1
CVE-2021-4002 [MEDIUM] linux-oem-5.10 vulnerabilities
linux-oem-5.10 vulnerabilities
Nadav Amit discovered that the hugetlb implementation in the Linux kernel
did not perform TLB flushes under certain conditions. A local attacker
could use this to leak or alter data from other processes that use huge
pages. (CVE-2021-4002)
It was discovered that the eBPF implementation in the Linux kernel
contained a race condition around read-only maps. A privileged attacker
could use this to modify read-only maps. (CVE-2021-4001)
Luo Likang discovered that the FireDTV Firewire driver in the Linux kernel
did not properly perform bounds checking in some situations. A local
attacker could use this to cause a denial of service (system crash) or
possibly execute arbitrary code. (CVE-2021-42739)
It was discovered that the TIPC Protocol implementation in the L
OSV
linux-oem-5.14 vulnerabilities
osv·2021-11-30·CVSS 7.8
CVE-2021-3760 [HIGH] linux-oem-5.14 vulnerabilities
linux-oem-5.14 vulnerabilities
It was discovered that the NFC subsystem in the Linux kernel contained a
use-after-free vulnerability in its NFC Controller Interface (NCI)
implementation. A local attacker could possibly use this to cause a denial
of service (system crash) or execute arbitrary code. (CVE-2021-3760)
It was discovered that the SCTP protocol implementation in the Linux kernel
did not properly verify VTAGs in some situations. A remote attacker could
possibly use this to cause a denial of service (connection disassociation).
(CVE-2021-3772)
It was discovered that the AMD Radeon GPU driver in the Linux kernel did
not properly validate writes in the debugfs file system. A privileged
attacker could use this to cause a denial of service (system crash) or
possibly execute arbitrary
Kernel
tipc: only accept encrypted MSG_CRYPTO msgs
kernel_security·2021-11-15·CVSS 9.8
CVE-2021-43267 [CRITICAL] tipc: only accept encrypted MSG_CRYPTO msgs
tipc: only accept encrypted MSG_CRYPTO msgs
The MSG_CRYPTO msgs are always encrypted and sent to other nodes
for keys' deployment. But when receiving in peers, if those nodes
do not validate it and make sure it's encrypted, one could craft
a malicious MSG_CRYPTO msg to deploy its key with no need to know
other nodes' keys.
This patch is to do that by checking TIPC_SKB_CB(skb)->decrypted
and discard it if this packet never got decrypted.
Note that this is also a supplementary fix to CVE-2021-43267 that
can be triggered by an unencrypted malicious MSG_CRYPTO msg.
Fixes: 1ef6f7c9390f ("tipc: add automatic session key exchange")
Acked-by: Ying Xue
Acked-by: Jon Maloy
Signed-off-by: Xin Long
Signed-off-by: David S. Miller
OSV
CVE-2021-43267: An issue was discovered in net/tipc/crypto
osv·2021-11-02·CVSS 9.8
CVE-2021-43267 [CRITICAL] CVE-2021-43267: An issue was discovered in net/tipc/crypto
An issue was discovered in net/tipc/crypto.c in the Linux kernel before 5.14.16. The Transparent Inter-Process Communication (TIPC) functionality allows remote attackers to exploit insufficient validation of user-supplied sizes for the MSG_CRYPTO message type.
No detection rules found.
No public exploits indexed.
Checkpoint
8th November – Threat Intelligence Report
blogs_checkpoint·2021-11-08
CVE-2021-34473 8th November – Threat Intelligence Report
## 8th November – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 8th November, please download our Threat Intelligence Bulletin.
Top Attacks and Breaches
Check Point Research warns of scammers using Google Ads to steal crypto wallets, after seeing over $500k worth of cryptocurrency stolen from victims during one weekend. Scammers are placing ads at the top of Google Search that imitate popular wallet brands, such as Phantom and MetaMask, to trick users into giving up their
Sentinelone
CVE-2021-43267: Remote Linux Kernel Heap Overflow | TIPC Module Allows Arbitrary Code Execution
blogs_sentinelone·2021-11-04·CVSS 9.8
[CRITICAL] CVE-2021-43267: Remote Linux Kernel Heap Overflow | TIPC Module Allows Arbitrary Code Execution
## Executive Summary
- SentinelLabs has discovered a heap overflow vulnerability in the TIPC module of the Linux Kernel.
- The vulnerability can be exploited either locally or remotely within a network to gain kernel privileges, allowing an attacker to compromise the entire system.
- The TIPC module comes with all major Linux distributions but needs to be loaded in order to enable the protocol.
- A patch has been released on the 29th of October and affects kernel versions between 5.10 and 5.15.
- At this time, SentinelOne has not identified evidence of in-the-wild abuse.
## Introduction and Methodology
As a researcher, it’s important to add new techniques and software to your bug hunting methodology. A year ago, I started using CodeQL for my own research on open source projects and deci
References
- http://www.openwall.com/lists/oss-security/2022/02/10/1
- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.14.16
- https://github.com/torvalds/linux/commit/fa40d9734a57bcbfa79a280189799f76c88f7bb0
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CVWL7HZV5T5OEKJPO2D67RMFMKBBXGGB/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RDDEW4APTYKJK365HC2JZIVXYUV7ZRN7/
- https://security.netapp.com/advisory/ntap-20211125-0002/

Published: 2021-11-02