#VU90474 NULL pointer dereference in Linux kernel - CVE-2021-47267

Vulnerability identifier: #VU90474

Vulnerability risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2021-47267

CWE-ID: CWE-476

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
Linux kernel
Operating systems & Components / Operating system

Vendor: Linux Foundation

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to NULL pointer dereference within the usb_assign_descriptors() function in drivers/usb/gadget/config.c. A local user can perform a denial of service (DoS) attack.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Linux kernel: All versions

---

External links
https://git.kernel.org/stable/c/fd24be23abf3e94260be0f00bb42c7e91d495f87
https://git.kernel.org/stable/c/70cd19cb5bd94bbb5bacfc9c1e4ee0071699a604
https://git.kernel.org/stable/c/45f9a2fe737dc0a5df270787f2231aee8985cd59
https://git.kernel.org/stable/c/5ef23506695b01d5d56a13a092a97f2478069d75
https://git.kernel.org/stable/c/b972eff874637402ddc4a7dd11fb22538a0b6d28
https://git.kernel.org/stable/c/ca6bc277430d90375452b60b047763a090b7673e
https://git.kernel.org/stable/c/032e288097a553db5653af552dd8035cd2a0ba96

---

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.