CVE-2021-3612

Description

An out-of-bounds memory write flaw was found in the Linux kernel's joystick devices subsystem in versions before 5.9-rc1, in the way the user calls ioctl JSIOCSBTNMAP. This flaw allows a local user to crash the system or possibly escalate their privileges on the system. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.

CVSS Metrics

• v3.1•HIGH•Score: 7.8CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
• v2.0•HIGH•Score: 7.2AV:L/AC:L/Au:N/C:C/I:C/A:C

EPSS Trends

Current EPSS score: 0.09%• Percentile: 25%

Techniques & Countermeasures

• CWE-787•Out-of-bounds Write

  The product writes data past the end, or before the beginning, of the intended buffer.

• CWE-20•Improper Input Validation

  The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Affected Systems

• debian•debian_linux

  9.0

• fedoraproject•fedora

  34

• linux•linux_kernel

  < 5.9.0

• netapp•cloud_backup

  na

• netapp•h300e

  na

• netapp•h300s_firmware

  na

• netapp•h410c_firmware

  na

• netapp•h410s_firmware

  na

• netapp•h500e

  na

• netapp•h500s_firmware

  na

• netapp•h700e

  na

• netapp•h700s_firmware

  na

• netapp•solidfire_baseboard_management_controller_firmware

  na

• oracle•communications_cloud_native_core_binding_support_function

  22.1.3

• oracle•communications_cloud_native_core_network_exposure_function

  22.1.1

• oracle•communications_cloud_native_core_policy

  22.2.0

• redhat•enterprise_linux

  7.0 | 8.0

References (7)

• https://bugzilla.redhat.com/show_bug.cgi?id=1974079
• https://lore.kernel.org/linux-input/20210620120030.1513655-1-avlarkin82%40gmail.com/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YKGI562LFV5MESTMVTCG5RORSBT6NGBN/
• https://lists.debian.org/debian-lts-announce/2021/10/msg00010.html
• https://lists.debian.org/debian-lts-announce/2021/12/msg00012.html
• https://www.oracle.com/security-alerts/cpujul2022.html
• https://security.netapp.com/advisory/ntap-20210805-0005/