Vulnerability Details : CVE-2021-43412
An issue was discovered in GNU Hurd before 0.9 20210404-9. libports accepts fake notification messages from any client on any port, which can lead to port use-after-free. This can be exploited for local privilege escalation to get full root access.
Vulnerability category: Memory CorruptionGain privilege
Exploit prediction scoring system (EPSS) score for CVE-2021-43412
Probability of exploitation activity in the next 30 days: 0.04%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 6 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2021-43412
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
|---|---|---|---|---|---|
|
7.2
|
HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C |
3.9
|
10.0
|
NIST |
|
7.8
|
HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
1.8
|
5.9
|
NIST |
CWE ids for CVE-2021-43412
-
Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.Assigned by: nvd@nist.gov (Primary)
References for CVE-2021-43412
-
https://lists.gnu.org/archive/html/bug-hurd/2021-05/msg00079.html
How do I disclose a vulnerability?Exploit;Mailing List;Vendor Advisory
-
https://www.mail-archive.com/bug-hurd@gnu.org/msg32116.html
[VULN 1/4] Fake notificationsExploit;Vendor Advisory
Products affected by CVE-2021-43412
- cpe:2.3:a:gnu:hurd:*:*:*:*:*:*:*:*