Vulnerability Details : CVE-2021-4202
Potential exploit
A use-after-free flaw was found in nci_request in net/nfc/nci/core.c in NFC Controller Interface (NCI) in the Linux kernel. This flaw could allow a local attacker with user privileges to cause a data race problem while the device is getting removed, leading to a privilege escalation problem.
Vulnerability category: Memory Corruption, Gain privilege
Products affected by CVE-2021-4202
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-4202
- 0.05%: Probability of exploitation activity in the next 30 days
- ~19%: Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2021-4202
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.9 | MEDIUM | AV:L/AC:M/Au:N/C:C/I:C/A:C | 3.4 | 10.0 | NIST | |
7.0 | HIGH | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.0 | 5.9 | NIST | |
CWE ids for CVE-2021-4202
- The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.
  Assigned by:
  - nvd@nist.gov (Primary)
  - secalert@redhat.com (Secondary)
- The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
  Assigned by:
  - nvd@nist.gov (Primary)
  - secalert@redhat.com (Secondary)
References for CVE-2021-4202
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=3e3b5dfcd16a3e254aab61bd1e8c417dd4503102
  kernel/git/stable/linux.git - Linux kernel stable tree (Exploit; Patch; Vendor Advisory)
- https://bugzilla.redhat.com/show_bug.cgi?id=2036682
  2036682 – (CVE-2021-4202) CVE-2021-4202 kernel: Race condition in nci_request() leads to use after free while the device is getting removed (Issue Tracking; Patch; Third Party Advisory)
- http://www.openwall.com/lists/oss-security/2022/06/04/2
  oss-security - Re: CVE-2021-4204: Linux Kernel eBPF Improper Input Validation Vulnerability (Mailing List; Third Party Advisory)
- http://www.openwall.com/lists/oss-security/2022/06/01/2
  oss-security - Re: CVE-2021-4204: Linux Kernel eBPF Improper Input Validation Vulnerability (Mailing List; Third Party Advisory)
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=86cdf8e38792545161dbe3350a7eced558ba4d15
  kernel/git/stable/linux.git - Linux kernel stable tree (Exploit; Patch; Vendor Advisory)
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=48b71a9e66c2eab60564b1b1c85f4928ed04e406
  kernel/git/stable/linux.git - Linux kernel stable tree (Exploit; Patch; Vendor Advisory)
- https://security.netapp.com/advisory/ntap-20220513-0002/
  CVE-2021-4202 Linux Kernel Vulnerability in NetApp Products | NetApp Product Security (Third Party Advisory)
- http://www.openwall.com/lists/oss-security/2022/06/07/2
  oss-security - Re: CVE-2021-4204: Linux Kernel eBPF Improper Input Validation Vulnerability (Mailing List; Third Party Advisory)