NULL pointer dereference in Linux kernel ethernet microchip driver

1) NULL pointer dereference

EUVDB-ID: #VU90408

Risk: Low

CVSSv3.1: 4.8 [AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-47440

CWE-ID: CWE-476 - NULL Pointer Dereference

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to NULL pointer dereference within the encx24j600_spi_probe() function in drivers/net/ethernet/microchip/encx24j600.c, within the devm_regmap_init_encx24j600() function in drivers/net/ethernet/microchip/encx24j600-regmap.c. A local user can perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Linux kernel: All versions

External links

http://git.kernel.org/stable/c/66358471fa75a713fd76bc8a4bd74cb14cd50a4f
http://git.kernel.org/stable/c/f043fac1133a6c5ef960a8422c0f6dd711dee462
http://git.kernel.org/stable/c/fddc7f678d7fb93caa0d7bc512f968ff1e2bddbc
http://git.kernel.org/stable/c/5e5494e6fc8a29c927e0478bec4a078a40da8901
http://git.kernel.org/stable/c/4c2eb80fc90b05559ce6ed1b8dfb2348420b5644
http://git.kernel.org/stable/c/e19c10d6e07c59c96e90fe053a72683ad8b0397e
http://git.kernel.org/stable/c/322c0e53496309e634d9db7349678eaad1d25b55
http://git.kernel.org/stable/c/f03dca0c9e2297c84a018e306f8a9cd534ee4287

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.