CVE-2021-4159
Advisory lineage Upstream: 0 Downstream: 11
Modified
Published: 24 Aug 2022, 15:10
Last modified:03 Aug 2024, 17:16
Vulnerability Summary
Overall Risk (default)
low
18/100 CVSS Score
4.4 MEDIUM
v3.1 (nvd)
EPSS Score
0.07% LOW
0% probability +0.06%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected
Timeline
24 Aug 2022, 15:10
Published
Vulnerability first disclosed
03 Aug 2024, 17:16
Last Modified
Vulnerability information updated
Description
A vulnerability was found in the Linux kernel's EBPF verifier when handling internal data structures. Internal memory locations could be returned to userspace. A local attacker with the permissions to insert eBPF code to the kernel can use this to leak internal kernel memory details defeating some of the exploit mitigations in place for the kernel.
CVSS Metrics
- v3.1•MEDIUM•Score: 4.4CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
EPSS Trends
Current EPSS score: 0.07%• Percentile: 22%
Techniques & Countermeasures
- CWE-202•Exposure of Sensitive Information Through Data Queries
When trying to keep information confidential, an attacker can often infer some of the information by using statistics.
Affected Systems
- debian•debian_linux
10.0
- linux•linux_kernel
< 5.7
- redhat•enterprise_linux
8.0
References (5)
- https://bugzilla.redhat.com/show_bug.cgi?id=2036024
- https://access.redhat.com/security/cve/CVE-2021-4159
- https://security-tracker.debian.org/tracker/CVE-2021-4159
- https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=294f2fc6da27620a506e6c050241655459ccd6bd
- https://lists.debian.org/debian-lts-announce/2022/10/msg00000.html