Vulnerability CVE-2021-20265

Vulnerability Name:

CVE-2021-20265 (CCN-197998)

Assigned:

2016-01-24

Published:

2016-01-24

Updated:

2022-08-05

Summary:

A flaw was found in the way memory resources were freed in the unix_stream_recvmsg function in the Linux kernel when a signal was pending. This flaw allows an unprivileged local user to crash the system by exhausting available memory. The highest threat from this vulnerability is to system availability.

CVSS v3 Severity:

5.5 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
4.8 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Local Attack Complexity (AC): Low Privileges Required (PR): Low User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): High

6.2 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
5.4 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Local Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): High

5.1 Medium (REDHAT CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
4.5 Medium (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Local Attack Complexity (AC): High Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): High

CVSS v2 Severity:

4.9 Medium (CVSS v2 Vector: AV:L/AC:L/Au:N/C:N/I:N/A:C)

Exploitability Metrics:	Access Vector (AV): Local Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Complete

4.9 Medium (CCN CVSS v2 Vector: AV:L/AC:L/Au:N/C:N/I:N/A:C)

Exploitability Metrics:	Access Vector (AV): Local Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Complete

Vulnerability Type:

CWE-401
CWE-400

Vulnerability Consequences:

Denial of Service

References:

Source: MITRE
Type: CNA
CVE-2021-20265

Source: CCN
Type: Red Hat Bugzilla - Bug 1908827
(CVE-2021-20265) - CVE-2021-20265 kernel: increase slab leak leads to DoS

Source: MISC
Type: Issue Tracking, Patch, Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1908827

Source: XF
Type: UNKNOWN
linux-kernel-cve202120265-dos(197998)

Source: CCN
Type: Linux Kernel GIT Repository
af_unix: fix struct pid memory leak

Source: MISC
Type: Patch, Vendor Advisory
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=fa0dc04df259ba2df3ce1920e9690c7842f8fa4b

Source: CCN
Type: IBM Security Bulletin 6449972 (Data Risk Manager)
IBM Data Risk Manager is affected by multiple vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6490825 (Netezza Host Management)
Publicly disclosed vulnerabilities from Kernel affect IBM Netezza Host Management

Source: CCN
Type: IBM Security Bulletin 6525030 (Spectrum Protect Plus)
Vulnerabilities in the Linux Kernel, Docker, Python, and NGINX affect IBM Spectrum Protect Plus

Source: MISC
Type: Patch, Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.html

Vulnerable Configuration:

Configuration 1:

cpe:/o:linux:linux_kernel:-:*:*:*:*:*:*:*

Configuration 2:

cpe:/a:oracle:tekelec_platform_distribution:*:*:*:*:*:*:*:* (Version >= 7.4.0 and <= 7.7.1)

Configuration RedHat 1:

cpe:/o:redhat:enterprise_linux:7:*:*:*:*:*:*:*

Configuration RedHat 2:

cpe:/o:redhat:enterprise_linux:7::client:*:*:*:*:*

Configuration RedHat 3:

cpe:/o:redhat:enterprise_linux:7::computenode:*:*:*:*:*

Configuration RedHat 4:

cpe:/o:redhat:enterprise_linux:7::server:*:*:*:*:*

Configuration RedHat 5:

cpe:/o:redhat:enterprise_linux:7::workstation:*:*:*:*:*

Configuration RedHat 6:

cpe:/a:redhat:rhel_extras_rt:7:*:*:*:*:*:*:*

Configuration RedHat 7:

cpe:/o:redhat:rhel_els:6:*:*:*:*:*:*:*

Configuration CCN 1:

cpe:/o:linux:linux_kernel:4.5:-:*:*:*:*:*:*

AND

cpe:/a:ibm:data_risk_manager:2.0.6:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:57538	P	Security update for the Linux Kernel (Important)	2021-12-06
oval:org.opensuse.security:def:29456	P	Security update for the Linux Kernel (Important)	2021-12-06
oval:org.opensuse.security:def:83365	P	Security update for the Linux Kernel (Important)	2021-12-06
oval:org.opensuse.security:def:55981	P	Security update for the Linux Kernel (Important)	2021-12-06
oval:org.opensuse.security:def:31715	P	Security update for the Linux Kernel (Important)	2021-12-06
oval:org.opensuse.security:def:85781	P	Security update for the Linux Kernel (Important)	2021-12-06
oval:org.opensuse.security:def:58056	P	Security update for the Linux Kernel (Important)	2021-12-06
oval:org.opensuse.security:def:30158	P	Security update for the Linux Kernel (Important)	2021-12-06
oval:org.opensuse.security:def:83485	P	Security update for the Linux Kernel (Important)	2021-12-06
oval:org.opensuse.security:def:56101	P	Security update for the Linux Kernel (Important)	2021-12-06
oval:org.opensuse.security:def:32233	P	Security update for the Linux Kernel (Important)	2021-12-06
oval:org.opensuse.security:def:19520	P	Security update for the Linux Kernel (Important)	2021-12-06
oval:org.opensuse.security:def:86179	P	Security update for the Linux Kernel (Important)	2021-12-06
oval:org.opensuse.security:def:51707	P	Security update for the Linux Kernel (Important)	2021-12-06
oval:org.opensuse.security:def:30278	P	Security update for the Linux Kernel (Important)	2021-12-06
oval:org.opensuse.security:def:84247	P	Security update for the Linux Kernel (Important)	2021-12-06
oval:org.opensuse.security:def:57140	P	Security update for the Linux Kernel (Important)	2021-12-06
oval:org.opensuse.security:def:23719	P	Security update for the Linux Kernel (Important)	2021-12-06
oval:org.opensuse.security:def:86697	P	Security update for the Linux Kernel (Important)	2021-12-06
oval:org.opensuse.security:def:82663	P	Security update for the Linux Kernel (Important)	2021-12-06
oval:org.opensuse.security:def:55279	P	Security update for the Linux Kernel (Important)	2021-12-06
oval:org.opensuse.security:def:31317	P	Security update for the Linux Kernel (Important)	2021-12-06
oval:org.opensuse.security:def:84705	P	Security update for the Linux Kernel (Important)	2021-12-06
oval:org.opensuse.security:def:41408	P	Security update for the Linux Kernel (Important)	2021-12-01
oval:org.opensuse.security:def:45838	P	Security update for the Linux Kernel (Important)	2021-12-01
oval:org.opensuse.security:def:87514	P	Security update for the Linux Kernel (Important)	2021-11-30
oval:org.opensuse.security:def:58873	P	Security update for the Linux Kernel (Important)	2021-11-30
oval:org.opensuse.security:def:33050	P	Security update for the Linux Kernel (Important)	2021-11-30
oval:org.opensuse.security:def:44821	P	Security update for the Linux Kernel (Important)	2021-11-22
oval:org.opensuse.security:def:40391	P	Security update for the Linux Kernel (Important)	2021-11-22
oval:com.redhat.rhsa:def:20211288	P	RHSA-2021:1288: kernel security and bug fix update (Important)	2021-04-20
oval:com.redhat.rhsa:def:20210856	P	RHSA-2021:0856: kernel security and bug fix update (Important)	2021-03-16
oval:com.redhat.rhsa:def:20210857	P	RHSA-2021:0857: kernel-rt security and bug fix update (Important)	2021-03-16

BACK