CVE-2021-47276

EPSS 0.01%
Veröffentlicht 21.05.2024 15:15:15
Zuletzt bearbeitet 30.04.2025 14:46:07
Quelle 416baaa9-dc9f-4396-8d5f-8c081f
Teams Watchlist Login
Unerledigt Login

In the Linux kernel, the following vulnerability has been resolved:

ftrace: Do not blindly read the ip address in ftrace_bug()

It was reported that a bug on arm64 caused a bad ip address to be used for
updating into a nop in ftrace_init(), but the error path (rightfully)
returned -EINVAL and not -EFAULT, as the bug caused more than one error to
occur. But because -EINVAL was returned, the ftrace_bug() tried to report
what was at the location of the ip address, and read it directly. This
caused the machine to panic, as the ip was not pointing to a valid memory
address.

Instead, read the ip address with copy_from_kernel_nofault() to safely
access the memory, and if it faults, report that the address faulted,
otherwise report what was in that location.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 11

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Linux ≫ Linux Kernel Version >= 2.6.28 < 4.4.273

Linux ≫ Linux Kernel Version >= 4.5 < 4.9.273

Linux ≫ Linux Kernel Version >= 4.10 < 4.14.237

Linux ≫ Linux Kernel Version >= 4.15 < 4.19.195

Linux ≫ Linux Kernel Version >= 4.20 < 5.4.126

Linux ≫ Linux Kernel Version >= 5.5 < 5.10.44

Linux ≫ Linux Kernel Version >= 5.11 < 5.12.11

Linux ≫ Linux Kernel Version5.13 Updaterc1

Linux ≫ Linux Kernel Version5.13 Updaterc2

Linux ≫ Linux Kernel Version5.13 Updaterc3

Linux ≫ Linux Kernel Version5.13 Updaterc4

Linux ≫ Linux Kernel Version5.13 Updaterc5

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.01%	0.005

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.5	1.8	3.6	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE-706 Use of Incorrectly-Resolved Name or Reference

The product uses a name or reference to access a resource, but the name/reference resolves to a resource that is outside of the intended control sphere.

https://git.kernel.org/stable/c/0bc62e398bbd9e600959e610def5109957437b28

Patch

https://git.kernel.org/stable/c/3e4ddeb68751fb4fb657199aed9cfd5d02796875

Patch

https://git.kernel.org/stable/c/4aedc2bc2b32c93555f47c95610efb89cc1ec09b

Patch

https://git.kernel.org/stable/c/6c14133d2d3f768e0a35128faac8aa6ed4815051

Patch

https://git.kernel.org/stable/c/7e4e824b109f1d41ccf223fbb0565d877d6223a2

Patch

https://git.kernel.org/stable/c/862dcc14f2803c556bdd73b43c27b023fafce2fb

Patch