CVE-2021-21781

Advisory lineage Upstream: 0 Downstream: 16
Modified
Published: 18 Aug 2021, 14:37
Last modified:03 Aug 2024, 18:23

Vulnerability Summary

Overall Risk (default)
medium
26/100
CVSS Score
4 MEDIUM
v3.0 (cve.org)
EPSS Score
0.02% LOW
0% probability 0.00%
KEV
Not listed
Ransomware
No reports
Public exploits
1 found
Dark Web
Not detected

Timeline

18 Aug 2021, 14:37
Published
Vulnerability first disclosed
03 Aug 2024, 18:23
Last Modified
Vulnerability information updated

Description

An information disclosure vulnerability exists in the ARM SIGPAGE functionality of Linux Kernel v5.4.66 and v5.4.54. The latest version (5.11-rc4) seems to still be vulnerable. A userland application can read the contents of the sigpage, which can leak kernel memory contents. An attacker can read a process’s memory at a specific offset to trigger this vulnerability. This was fixed in kernel releases: 4.14.222 4.19.177 5.4.99 5.10.17 5.11

CVSS Metrics

  • v3.1LOWScore: 3.3CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
  • v3.0MEDIUMScore: 4CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
  • v2.0LOWScore: 2.1AV:L/AC:L/Au:N/C:P/I:N/A:N

EPSS Trends

Current EPSS score: 0.02% Percentile: 4%

Techniques & Countermeasures

  • CWE-908Use of Uninitialized Resource

    The product uses or accesses a resource that has not been initialized.

Affected Systems

  • linuxlinux_kernel

    5.4.54 | 5.4.66

  • oraclecommunications_cloud_native_core_binding_support_function

    22.1.3

  • oraclecommunications_cloud_native_core_network_exposure_function

    22.1.1

  • oraclecommunications_cloud_native_core_policy

    22.2.0

References (2)