CVE-2021-3490
7.8
HIGH
CVSS 3.1
EPSS 27.5%
描述
The eBPF ALU32 bounds tracking for bitwise ops (AND, OR and XOR) in the Linux kernel did not properly update 32-bit bounds, which could be turned into out of bounds reads and writes in the Linux kernel and therefore, arbitrary code execution. This issue was fixed via commit 049c4e13714e ("bpf: Fix alu32 const subreg bound tracking on bitwise operations") (v5.13-rc4) and backported to the stable kernels in v5.12.4, v5.11.21, and v5.10.37. The AND/OR issues were introduced by commit 3f50f132d840 ("bpf: Verifier, do explicit ALU32 bounds tracking") (5.7-rc1) and the XOR variant was introduced by 2921c90d4718 ("bpf:Fix a verifier failure with xor") ( 5.10-rc1).
如何修補 CVE-2021-3490
要修補 CVE-2021-3490,請將受影響套件升級到下列已修補版本。
- —升級至 5.10.38-1 或更新版本
CVE-2021-3490 正在被利用嗎?
中等 — EPSS 為 27.5%,可持續追蹤但非最高優先。
受影響套件(1)
- from 0, < 5.10.38-1
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH7.8 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |