#VU90496 NULL pointer dereference in Linux kernel - CVE-2021-47337


Vulnerability identifier: #VU90496

Vulnerability risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2021-47337

CWE-ID: CWE-476

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
Linux kernel
Operating systems & Components / Operating system

Vendor: Linux Foundation

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference within the scsi_host_alloc() function in drivers/scsi/hosts.c. A local user can perform a denial of service (DoS) attack.

Mitigation
Install the update from the vendor's website.

Vulnerable software versions

Linux kernel: All versions


External links
https://git.kernel.org/stable/c/d2f0b960d07e52bb664471b4de0ed8b08c636b3a
https://git.kernel.org/stable/c/f3d0a109240c9bed5c60d819014786be3a2fe515
https://git.kernel.org/stable/c/e1bd3fac2baa3d5c04375980c1d5263a3335af92
https://git.kernel.org/stable/c/887bfae2732b5b02a86a859fd239d34f7ff93c05
https://git.kernel.org/stable/c/ea518b70ed5e4598c8d706f37fc16f7b06e440bd
https://git.kernel.org/stable/c/8e4212ecf0713dd57d0e3209a66201da582149b1
https://git.kernel.org/stable/c/c1671d2d2ef8a84837eea1b4d99ca0c6a66fb691
https://git.kernel.org/stable/c/93aa71ad7379900e61c8adff6a710a4c18c7c99b


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker must have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

