CVE-2021-43784
Severity
5.0MEDIUM
EPSS
0.1%
top 69.92%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
PublishedDec 6
Latest updateMay 23
Description
runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc, netlink is used internally as a serialization system for specifying the relevant container configuration to the `C` portion of the code (responsible for the based namespace setup of containers). In all versions of runc prior to 1.0.3, the encoder did not handle the possibility of an integer overflow in the 16-bit length field for the byte array attribute type, meaning that a large enough …
CVSS vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:LExploitability: 1.8 | Impact: 3.7
Affected Packages5 packages
Also affects: Debian Linux 9.0
Patches
🔴Vulnerability Details
6GHSA▶
Overflow in netlink bytemsg length field allows attacker to override netlink-based container configuration in RunC↗2021-12-07
OSV▶
Overflow in netlink bytemsg length field allows attacker to override netlink-based container configuration in RunC↗2021-12-07
CVEList▶
Overflow in netlink bytemsg length field allows attacker to override netlink-based container configuration↗2021-12-06
📋Vendor Advisories
4Microsoft▶
Overflow in netlink bytemsg length field allows attacker to override netlink-based container configuration↗2021-12-14
Red Hat▶
runc: integer overflow in netlink bytemsg length field allows attacker to override netlink-based container configuration↗2021-12-06
Debian▶
CVE-2021-43784: runc - runc is a CLI tool for spawning and running containers on Linux according to the...↗2021