CVE-2021-3491

CVSS v3.1 8.8 (High)
CVSS v2.0 7.2 (High)
EPSS 0.05% (22nd)
Affected Products 2
Advisories 21

The io_uring subsystem in the Linux kernel allowed the MAX_RW_COUNT limit to be bypassed in the PROVIDE_BUFFERS operation, which led to negative values being used in mem_rw when reading /proc/<PID>/mem. This could be used to create a heap overflow leading to arbitrary code execution in the kernel. It was addressed via commit d1f82808877b ("io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers") (v5.13-rc1) and backported to the stable kernels in v5.12.4, v5.11.21, and v5.10.37. It was introduced in ddf0322db79c ("io_uring: add IORING_OP_PROVIDE_BUFFERS") (v5.7-rc1).

Weaknesses
CWE-131: Incorrect Calculation of Buffer Size
CWE-787: Out-of-bounds Write

CVE Status: PUBLISHED
CNA: Canonical Ltd.
Published Date: 2021-06-04 02:15:07
Updated Date: 2021-09-14 14:31:37

Affected Products

Configuration #1

  Product                                                      CPE23                         From     Up To
  Linux Kernel from version 5.7 and prior to version 5.10.37   cpe:2.3:o:linux:linux_kernel  >= 5.7   < 5.10.37
  Linux Kernel from version 5.11 and prior to version 5.11.21  cpe:2.3:o:linux:linux_kernel  >= 5.11  < 5.11.21
  Linux Kernel from version 5.12 and prior to version 5.12.4   cpe:2.3:o:linux:linux_kernel  >= 5.12  < 5.12.4

Configuration #2

  Product                       CPE23
  Canonical Ubuntu Linux 20.04  cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts
  Canonical Ubuntu Linux 20.10  cpe:2.3:o:canonical:ubuntu_linux:20.10
  Canonical Ubuntu Linux 21.04  cpe:2.3:o:canonical:ubuntu_linux:21.04