Vulnerability Details : CVE-2021-20226
A use-after-free flaw was found in io_uring in the Linux kernel, where a local attacker with user privileges could cause a denial of service on the system. The issue results from the lack of validating the existence of an object prior to performing operations on the object by not incrementing the file reference counter while in use. The highest threat from this vulnerability is to data integrity, confidentiality and system availability.
Vulnerability category: Memory Corruption, Denial of service
Exploit prediction scoring system (EPSS) score for CVE-2021-20226
Probability of exploitation activity in the next 30 days: 0.45%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 74 %
CVSS scores for CVE-2021-20226
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
---|---|---|---|---|---|
6.1 | MEDIUM | AV:L/AC:L/Au:N/C:P/I:P/A:C | 3.9 | 8.5 | NIST |
7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.8 | 5.9 | NIST |
CWE ids for CVE-2021-20226
- Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code. Assigned by:
  - nvd@nist.gov (Secondary)
  - secalert@redhat.com (Primary)
References for CVE-2021-20226
- https://bugzilla.redhat.com/show_bug.cgi?id=1873476
  1873476 – (CVE-2021-20226) CVE-2021-20226 kernel: use-after-free in io_uring feature (Issue Tracking; Third Party Advisory)
- https://security.netapp.com/advisory/ntap-20210401-0001/
  CVE-2021-20226 Linux Kernel Vulnerability in NetApp Products | NetApp Product Security (Third Party Advisory)
Products affected by CVE-2021-20226
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:cloud_backup:-:*:*:*:*:*:*:*