#VU89745 Improper locking in Linux kernel - CVE-2021-47041


Vulnerability identifier: #VU89745

Vulnerability risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2021-47041

CWE-ID: CWE-667

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Linux kernel
Operating systems & Components / Operating system

Vendor: Linux Foundation

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper locking within the nvmet_tcp_state_change() function in drivers/nvme/target/tcp.c. An remote attacker can send specially crafted packets to the system and perform a denial of service (DoS) attack.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Linux kernel: All versions

External links
https://git.kernel.org/stable/c/999d606a820c36ae9b9e9611360c8b3d8d4bb777
https://git.kernel.org/stable/c/60ade0d56b06537a28884745059b3801c78e03bc
https://git.kernel.org/stable/c/06beaa1a9f6e501213195e47c30416032fd2bbd5
https://git.kernel.org/stable/c/906c538340dde6d891df89fe7dac8eaa724e40da
https://git.kernel.org/stable/c/b5332a9f3f3d884a1b646ce155e664cc558c1722

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in Dell Cloud Tiering Appliance
Multiple vulnerabilities in Dell PowerStore T Family
SUSE update for the Linux Kernel
SUSE update for the Linux Kernel
SUSE update for the Linux Kernel
Remote denial of service in Linux kernel nvme driver