#VU90408 NULL pointer dereference in Linux kernel - CVE-2021-47440

Vulnerability identifier: #VU90408

Vulnerability risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2021-47440

CWE-ID: CWE-476

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
Linux kernel
Operating systems & Components / Operating system

Vendor: Linux Foundation

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to NULL pointer dereference within the encx24j600_spi_probe() function in drivers/net/ethernet/microchip/encx24j600.c, within the devm_regmap_init_encx24j600() function in drivers/net/ethernet/microchip/encx24j600-regmap.c. A local user can perform a denial of service (DoS) attack.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Linux kernel: All versions

---

External links
https://git.kernel.org/stable/c/66358471fa75a713fd76bc8a4bd74cb14cd50a4f
https://git.kernel.org/stable/c/f043fac1133a6c5ef960a8422c0f6dd711dee462
https://git.kernel.org/stable/c/fddc7f678d7fb93caa0d7bc512f968ff1e2bddbc
https://git.kernel.org/stable/c/5e5494e6fc8a29c927e0478bec4a078a40da8901
https://git.kernel.org/stable/c/4c2eb80fc90b05559ce6ed1b8dfb2348420b5644
https://git.kernel.org/stable/c/e19c10d6e07c59c96e90fe053a72683ad8b0397e
https://git.kernel.org/stable/c/322c0e53496309e634d9db7349678eaad1d25b55
https://git.kernel.org/stable/c/f03dca0c9e2297c84a018e306f8a9cd534ee4287

---

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.