CVE-2021-4442

MEDIUM EPSS 31.2%
Published Aug 29, 20241y ago · Modified Jun 17, 20261w ago
5.5 CVSS 3.1
Medium
Find Similar
Published Aug 29, 2024 1y ago
Last Modified Jun 17, 2026 1w ago

Description

In the Linux kernel, the following vulnerability has been resolved: tcp: add sanity tests to TCP_QUEUE_SEQ Qingyu Li reported a syzkaller bug where the repro changes RCV SEQ _after_ restoring data in the receive queue. mprotect(0x4aa000, 12288, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 socket(AF_INET6, SOCK_STREAM, IPPROTO_IP) = 3 setsockopt(3, SOL_TCP, TCP_REPAIR, [1], 4) = 0 connect(3, {sa_family=AF_INET6, sin6_port=htons(0), sin6_flowinfo=htonl(0), inet_pton(AF_INET6, "::1", &sin6_addr), sin6_scope_id=0}, 28) = 0 setsockopt(3, SOL_TCP, TCP_REPAIR_QUEUE, [1], 4) = 0 sendmsg(3, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="0x0000000000000003\0\0", iov_len=20}], msg_iovlen=1, msg_controllen=0, msg_flags=0}, 0) = 20 setsockopt(3, SOL_TCP, TCP_REPAIR, [0], 4) = 0 setsockopt(3, SOL_TCP, TCP_QUEUE_SEQ, [128], 4) = 0 recvfrom(3, NULL, 20, 0, NULL, NULL) = -1 ECONNRESET (Connection reset by peer) syslog shows: [ 111.205099] TCP recvmsg seq # bug 2: copied 80, seq 0, rcvnxt 80, fl 0 [ 111.207894] WARNING: CPU: 1 PID: 356 at net/ipv4/tcp.c:2343 tcp_recvmsg_locked+0x90e/0x29a0 This should not be allowed. TCP_QUEUE_SEQ should only be used when queues are empty. This patch fixes this case, and the tx path as well.

CVSS Details

Base Score
5.5
Exploitability
1.8
Impact
3.6
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High

Threat Intelligence

EPSS Exploit Probability
31.2% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Affected Products 6

VendorProductVersionRange
linuxlinux_kernel*≥3.5  –  <4.19.181
linuxlinux_kernel*≥4.20  –  <5.4.106
linuxlinux_kernel*≥5.5  –  <5.10.24
linuxlinux_kernel*≥5.11  –  <5.11.7
linuxlinux_kernel5.12any
linuxlinux_kernel5.12any

References 5

  • git.kernel.org https://git.kernel.org/stable/c/046f3c1c2ff450fb7ae53650e9a95e0074a61f3e
    ExploitPatch
  • git.kernel.org https://git.kernel.org/stable/c/319f460237fc2965a80aa9a055044e1da7b3692a
    ExploitPatch
  • git.kernel.org https://git.kernel.org/stable/c/3b72d5a703842f582502d97906f17d6ee122dac2
    ExploitPatch
  • git.kernel.org https://git.kernel.org/stable/c/3bf899438c123c444f6b644a57784dfbb6b15ad6
    ExploitPatch
  • git.kernel.org https://git.kernel.org/stable/c/8811f4a9836e31c14ecdf79d9f3cb7c5d463265d
    ExploitPatch

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/046f3c1c2ff450fb7ae53650e9a95e0074a61f3e
    ExploitPatch
  • git.kernel.org https://git.kernel.org/stable/c/319f460237fc2965a80aa9a055044e1da7b3692a
    ExploitPatch
  • git.kernel.org https://git.kernel.org/stable/c/3b72d5a703842f582502d97906f17d6ee122dac2
    ExploitPatch
  • git.kernel.org https://git.kernel.org/stable/c/3bf899438c123c444f6b644a57784dfbb6b15ad6
    ExploitPatch
  • git.kernel.org https://git.kernel.org/stable/c/8811f4a9836e31c14ecdf79d9f3cb7c5d463265d
    ExploitPatch