CVE-2021-26708

HIGH

Linux Kernel 5.5-5.10.12 - Local Privilege Escalation via AF_VSOCK Race Condition

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2021-26708. PoCs published by jordan9001, azpema.

Description

A local privilege escalation was discovered in the Linux kernel before 5.10.13. Multiple race conditions in the AF_VSOCK implementation are caused by wrong locking in net/vmw_vsock/af_vsock.c. The race conditions were implicitly introduced in the commits that added VSOCK multi-transport support.

Exploits (2)

nomisec WRITEUP 28 stars
by jordan9001 · poc
https://github.com/jordan9001/vsock_poc

This repository provides a detailed technical analysis of CVE-2021-26708, a use-after-free vulnerability in the Linux kernel's vsock module. It includes a writeup explaining the root cause, patch analysis, and a proof-of-concept harness to demonstrate the vulnerability, though it lacks a full exploit.

Classification: Writeup 95%
Attack Type: LPE
Complexity: Complex
Reliability: Racy
Target: Linux kernel 5.10.13 (vsock module)
No auth needed
Prerequisites: Custom kernel build with patch reverted · Debugging setup with kgdb · Userfaultfd for race condition exploitation
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC
by azpema · poc
https://github.com/azpema/CVE-2021-26708

This repository contains a functional exploit for CVE-2021-26708, a Linux kernel vulnerability involving use-after-free in the vsock module. The exploit leverages userfaultfd and message queue manipulation to achieve arbitrary read/write primitives, leading to privilege escalation.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Racy
Target: Linux kernel 5.10.38 (and similar versions)
No auth needed
Prerequisites: Linux kernel with vsock module enabled · User namespace access
devstral-2 · analyzed Feb 18, 2026

References (7)

Core References
Release Notes, Vendor Advisory x_refsource_misc
https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.13
Mailing List, Patch, Third Party Advisory x_refsource_misc
https://www.openwall.com/lists/oss-security/2021/02/04/5
Mailing List, Patch, Third Party Advisory mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2021/02/05/6
Patch, Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20210312-0008/
Mailing List mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2021/04/09/2
Mailing List mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2022/01/25/14

Scores

CVSS v3 7.0
EPSS 0.0094
EPSS Percentile 76.4%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-667
Status: published
Products (9)
linux/linux_kernel 5.5 - 5.10.13
netapp/aff_baseboard_management_controller
netapp/baseboard_management_controller_500f_firmware < 15.3
netapp/baseboard_management_controller_a250_firmware < 15.3
netapp/cloud_backup
netapp/fas_baseboard_management_controller
netapp/hci_h410c_firmware
netapp/solidfire_\&_hci_management_node
netapp/solidfire_baseboard_management_controller
Published Feb 05, 2021
Tracked Since Feb 18, 2026