CVE-2021-20197
MEDIUMGNU binutils < 2.35 - Race Condition in ar, objcopy, strip, ranlib
Title source: llmDescription
There is an open race window when writing output in the following utilities in GNU binutils version 2.35 and earlier:ar, objcopy, strip, ranlib. When these utilities are run as a privileged user (presumably as part of a script updating binaries across different users), an unprivileged user can trick these utilities into getting ownership of arbitrary files through a symlink.
References (4)
Core 4
Core References
Issue Tracking, Patch, Third Party Advisory x_refsource_misc
https://bugzilla.redhat.com/show_bug.cgi?id=1913743
Issue Tracking, Patch, Third Party Advisory x_refsource_misc
https://sourceware.org/bugzilla/show_bug.cgi?id=26945
Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20210528-0009/
Third Party Advisory vendor-advisory
x_refsource_gentoo
https://security.gentoo.org/glsa/202208-30
Scores
CVSS v3
6.3
EPSS
0.0011
EPSS Percentile
29.8%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-362
CWE-59
Status
published
Products (6)
broadcom/brocade_fabric_operating_system_firmware
gnu/binutils
< 2.35
netapp/cloud_backup
netapp/ontap_select_deploy_administration_utility
netapp/solidfire_\&_hci_management_node
redhat/enterprise_linux
8.0
Published
Mar 26, 2021
Tracked Since
Feb 18, 2026