CVE-2021-29155

MEDIUM

Linux Kernel < 5.11.16 - Out-of-Bounds Read via BPF Verifier Pointer Arithmetic

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 2 public exploits for CVE-2021-29155. PoCs published by benschlueter.

AI-analyzed exploit summary This repository contains a functional proof-of-concept exploit for CVE-2021-29155, which leverages insufficient range tracking in the BPF verifier to perform out-of-bounds memory reads in the Linux kernel. The exploit demonstrates a Spectre-like side-channel attack to extract kernel data.

Description

An issue was discovered in the Linux kernel through 5.11.x. kernel/bpf/verifier.c performs undesirable out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory. Specifically, for sequences of pointer arithmetic operations, the pointer modification performed by the first operation is not correctly accounted for when restricting subsequent operations.

Exploits (2)

nomisec WORKING POC 3 stars
by benschlueter · poc
https://github.com/benschlueter/CVE-2021-29155

This repository contains a functional proof-of-concept exploit for CVE-2021-29155, which leverages insufficient range tracking in the BPF verifier to perform out-of-bounds memory reads in the Linux kernel. The exploit demonstrates a Spectre-like side-channel attack to extract kernel data.

Classification
Working Poc 95%
Attack Type
Info Leak
Complexity
Complex
Reliability
Racy
Target: Linux kernel (versions before 5.12 and unpatched LTS kernels)
Auth required
Prerequisites: Root/sudo access to disable Spectre mitigations · Multi-core CPU for thread pinning
devstral-2 · analyzed Feb 18, 2026 Full analysis →
inthewild WORKING POC
poc
https://github.com/kakashiiiiy/cve-2021-29155

This repository contains a functional proof-of-concept exploit for CVE-2021-29155, which leverages insufficient range tracking in the BPF verifier to perform out-of-bounds memory reads via speculative execution. The exploit demonstrates a Spectre-like side-channel attack to leak kernel data.

Classification
Working Poc 95%
Attack Type
Info Leak
Complexity
Complex
Reliability
Racy
Target: Linux Kernel (BPF verifier, versions before 5.12)
Auth required
Prerequisites: root/sudo access to disable Spectre mitigations · multi-core CPU for thread pinning
devstral-2 · analyzed Feb 27, 2026 Full analysis →

References (14)

Core 14
Core References
Mailing List, Third Party Advisory mailing-list
https://lists.debian.org/debian-lts-announce/2021/06/msg00019.html
Vendor Advisory
https://www.kernel.org
Mailing List, Patch, Third Party Advisory
https://www.openwall.com/lists/oss-security/2021/04/18/4

Scores

CVSS v3 5.5
EPSS 0.0021
EPSS Percentile 44.0%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Details

CWE
CWE-125
Status published
Products (5)
debian/debian_linux 9.0
fedoraproject/fedora 32
fedoraproject/fedora 33
fedoraproject/fedora 34
linux/linux_kernel < 5.11.16
Published Apr 20, 2021
Tracked Since Feb 18, 2026