CVE-2021-33909: Linux kernel local privilege escalation vulnerability alert
This is a type conversion vulnerability in the Linux kernel file system layer. A type conversion vulnerability arises when a value is converted from one type to another and the conversion can overflow. Unprivileged local attackers can use this vulnerability to escalate privileges.

Vulnerability Detail
In the seq_file.c file of the Linux kernel file system layer, the allocation of the seq buffer is not correctly restricted and the size_t-to-int conversion is not validated, resulting in an integer overflow and an out-of-bounds write. Unprivileged local attackers can exploit this vulnerability by creating, mounting, and deleting a deep directory structure with a total path length of more than 1GB. This vulnerability allows unprivileged users to escalate to root.
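The unvalidated size_t-to-int narrowing described above, next to a range-checked version, as an added illustration that is not code from the kernel's seq_file.c. The function names and the "last byte offset" helper are hypothetical, and the sample sizes are constructed.

```c
#include <errno.h>
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical helper with an int length parameter. It only reports the
 * offset of the last byte (buflen - 1) that a routine filling the buffer
 * from its end would touch first; it performs no memory access. */
static long long last_byte_offset(int buflen)
{
    return (long long)buflen - 1;
}

/* Flawed pattern: a size_t size is narrowed to int without validation.
 * Out-of-range conversion is implementation-defined; GCC and Clang reduce
 * the value modulo 2^32, so 2 GiB becomes INT_MIN. */
static long long unchecked_offset(size_t size)
{
    return last_byte_offset((int)size);
}

/* Checked pattern: reject sizes that do not fit in int before converting. */
static int checked_offset(size_t size, long long *off)
{
    if (size == 0 || size > (size_t)INT_MAX)
        return -EOVERFLOW;
    *off = last_byte_offset((int)size);
    return 0;
}

int main(void)
{
    /* Constructed sample sizes: one page, INT_MAX, and 2 GiB. */
    size_t sizes[] = { 4096, (size_t)INT_MAX, (size_t)1 << 31 };
    for (size_t i = 0; i < sizeof(sizes) / sizeof(sizes[0]); i++) {
        long long off = 0;
        int rc = checked_offset(sizes[i], &off);
        printf("size=%zu unchecked=%lld checked rc=%d\n",
               sizes[i], unchecked_offset(sizes[i]), rc);
    }
    return 0;
}
```

A negative offset from the unchecked path is the point at which an int-based consumer would index outside the buffer; the checked path refuses the size before any conversion happens.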
Affected version
- Linux kernel: >=3.16 / <= 5.13.3
Unaffected version
- Linux kernel: 5.13.4
Solution
We recommend that users upgrade Linux to the latest version promptly.