CVE-2021-47068

HIGH

Linux Kernel 4.4.267-4.4.268 - Use-After-Free in NFC LLCP Socket Bind/Connect

Title source: llm
STIX 2.1

Description

In the Linux kernel, the following vulnerability has been resolved: net/nfc: fix use-after-free llcp_sock_bind/connect Commits 8a4cd82d ("nfc: fix refcount leak in llcp_sock_connect()") and c33b1cc62 ("nfc: fix refcount leak in llcp_sock_bind()") fixed a refcount leak bug in bind/connect but introduced a use-after-free if the same local is assigned to 2 different sockets. This can be triggered by the following simple program: int sock1 = socket( AF_NFC, SOCK_STREAM, NFC_SOCKPROTO_LLCP ); int sock2 = socket( AF_NFC, SOCK_STREAM, NFC_SOCKPROTO_LLCP ); memset( &addr, 0, sizeof(struct sockaddr_nfc_llcp) ); addr.sa_family = AF_NFC; addr.nfc_protocol = NFC_PROTO_NFC_DEP; bind( sock1, (struct sockaddr*) &addr, sizeof(struct sockaddr_nfc_llcp) ) bind( sock2, (struct sockaddr*) &addr, sizeof(struct sockaddr_nfc_llcp) ) close(sock1); close(sock2); Fix this by assigning NULL to llcp_sock->local after calling nfc_llcp_local_put. This addresses CVE-2021-23134.

Scores

CVSS v3 7.8
EPSS 0.0023
EPSS Percentile 14.1%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-416
Status published
Products (28)
Linux/Linux < 5.12
Linux/Linux 18013007b596771bf5f5e7feee9586fb0386ad14 - ccddad6dd28530e716448e594c9ca7c76ccd0570
Linux/Linux 4.14.231 - 4.14.233
Linux/Linux 4.14.233 - 4.14.*
Linux/Linux 4.19.187 - 4.19.191
Linux/Linux 4.19.191 - 4.19.*
Linux/Linux 4.4.267 - 4.4.269
Linux/Linux 4.4.269 - 4.4.*
Linux/Linux 4.9.267 - 4.9.269
Linux/Linux 4.9.269 - 4.9.*
... and 18 more
Published Feb 29, 2024
Tracked Since Feb 18, 2026