NULL pointer dereference in Linux kernel

#VU90474 NULL pointer dereference in Linux kernel

Published: 2024-05-31

Vulnerability identifier: #VU90474

Vulnerability risk: Low

CVSSv3.1: 4.8 [AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-47267

CWE-ID: CWE-476

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
Linux kernel
Operating systems & Components / Operating system

Vendor: Linux Foundation

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to NULL pointer dereference within the usb_assign_descriptors() function in drivers/usb/gadget/config.c. A local user can perform a denial of service (DoS) attack.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Linux kernel:

External links
http://git.kernel.org/stable/c/fd24be23abf3e94260be0f00bb42c7e91d495f87
http://git.kernel.org/stable/c/70cd19cb5bd94bbb5bacfc9c1e4ee0071699a604
http://git.kernel.org/stable/c/45f9a2fe737dc0a5df270787f2231aee8985cd59
http://git.kernel.org/stable/c/5ef23506695b01d5d56a13a092a97f2478069d75
http://git.kernel.org/stable/c/b972eff874637402ddc4a7dd11fb22538a0b6d28
http://git.kernel.org/stable/c/ca6bc277430d90375452b60b047763a090b7673e
http://git.kernel.org/stable/c/032e288097a553db5653af552dd8035cd2a0ba96

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

openEuler 20.03 LTS SP4 update for kernel

NULL pointer dereference in Linux kernel usb gadget driver