#VU90259 Use-after-free in Linux kernel - CVE-2021-46933


Vulnerability identifier: #VU90259

Vulnerability risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2021-46933

CWE-ID: CWE-416

Exploitation vector: Local

Exploit availability: No

Vulnerable software: Linux kernel (Operating systems & Components / Operating system)

Vendor: Linux Foundation

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error within the ffs_data_clear() and ffs_data_reset() functions in drivers/usb/gadget/function/f_fs.c. A local user can escalate privileges on the system.

Mitigation
Install the update from the vendor's website.

Vulnerable software versions

Linux kernel: All versions


External links
https://git.kernel.org/stable/c/f976dd7011150244a7ba820f2c331e9fb253befa
https://git.kernel.org/stable/c/cc8c8028c21b2a3842a1e98e99e55028df275919
https://git.kernel.org/stable/c/52500239e3f2d6fc77b6f58632a9fb98fe74ac09
https://git.kernel.org/stable/c/33f6a0cbb7772146e1c11f38028fffbfed14728b
https://git.kernel.org/stable/c/240fc586e83d645912accce081a48aa63a45f6ee
https://git.kernel.org/stable/c/1c4ace3e6b8575745c50dca9e76e0021e697d645
https://git.kernel.org/stable/c/ebef2aa29f370b5096c16020c104e393192ef684
https://git.kernel.org/stable/c/b1e0887379422975f237d43d8839b751a6bcf154


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can only be exploited locally. The attacker must hold valid credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
