CVE-2021-46988

MEDIUM

Linux Kernel 4.11-4.14.233 - Use-After-Free in userfaultfd Error Path

Title source: llm
STIX 2.1

Description

In the Linux kernel, the following vulnerability has been resolved: userfaultfd: release page in error path to avoid BUG_ON Consider the following sequence of events: 1. Userspace issues a UFFD ioctl, which ends up calling into shmem_mfill_atomic_pte(). We successfully account the blocks, we shmem_alloc_page(), but then the copy_from_user() fails. We return -ENOENT. We don't release the page we allocated. 2. Our caller detects this error code, tries the copy_from_user() after dropping the mmap_lock, and retries, calling back into shmem_mfill_atomic_pte(). 3. Meanwhile, let's say another process filled up the tmpfs being used. 4. So shmem_mfill_atomic_pte() fails to account blocks this time, and immediately returns - without releasing the page. This triggers a BUG_ON in our caller, which asserts that the page should always be consumed, unless -ENOENT is returned. To fix this, detect if we have such a "dangling" page when accounting fails, and if so, release it before returning.

Scores

CVSS v3 5.5
EPSS 0.0024
EPSS Percentile 15.0%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-416
Status published
Products (18)
Linux/Linux < 4.11
Linux/Linux 4.11
Linux/Linux 4.14.233 - 4.14.*
Linux/Linux 4.19.191 - 4.19.*
Linux/Linux 5.10.38 - 5.10.*
Linux/Linux 5.11.22 - 5.11.*
Linux/Linux 5.12.5 - 5.12.*
Linux/Linux 5.13
Linux/Linux 5.4.120 - 5.4.*
Linux/Linux cb658a453b9327ce96ce5222c24d162b5b65b564 - 07c9b834c97d0fa3402fb7f3f3b32df370a6ff1f
... and 8 more
Published Feb 28, 2024
Tracked Since Feb 18, 2026