CVE-2021-3489

The eBPF RINGBUF bpf_ringbuf_reserve() function in the Linux kernel did not check that the allocated size was smaller than the ringbuf size, allowing an attacker to perform out-of-bounds writes within the kernel and therefore, arbitrary code execution. This issue was fixed via commit 4b81ccebaeee ("bpf, ringbuf: Deny reserve of buffers larger than ringbuf") (v5.13-rc4) and backported to the stable kernels in v5.12.4, v5.11.21, and v5.10.37. It was introduced via 457f44363a88 ("bpf: Implement BPF ring buffer and verifier support for it") (v5.8-rc1).

Published: Jun 4, 2021
Updated: Apr 14, 2023
CVE: CVE-2021-3489
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.8
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

Severity: High
Score: 7.2
AV:L/AC:L/Au:N/C:C/I:C/A:C

CWEs:

CWE-787

Affected Software
References

Software	From	Fixed in
linux / linux_kernel	5.13-rc1	5.13-rc1.x
linux / linux_kernel	5.13-rc2	5.13-rc2.x
linux / linux_kernel	5.11	5.11.21
linux / linux_kernel	5.12	5.12.4
linux / linux_kernel	5.13	5.13.x
linux / linux_kernel	5.13-rc3	5.13-rc3.x
linux / linux_kernel	5.8	5.10.37
canonical / ubuntu_linux	20.04	20.04.x
canonical / ubuntu_linux	20.10	20.10.x
canonical / ubuntu_linux	21.04	21.04.x

Vulnerability Database

289,599

CVE-2021-3489