PT-2021-2247 · Linux+8 · Linux Kernel+8
Published: 2021-03-04 · Updated: 2026-02-20
CVE-2021-27365
CVSS v3.1: 7.8 (High)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Linux kernel versions prior to 5.11.4
Linux kernel versions prior to 5.10.21
Linux kernel versions prior to 5.4.103
Linux kernel versions prior to 4.19.179
Linux kernel versions prior to 4.14.224
Linux kernel versions prior to 4.9.260
Linux kernel versions prior to 4.4.260
Description
An issue was discovered in the Linux kernel where certain iSCSI data structures do not have appropriate length constraints or checks, and can exceed the PAGE_SIZE value. An unprivileged user can send a Netlink message that is associated with iSCSI and has a length up to the maximum length of a Netlink message. This can lead to a heap buffer overflow, allowing an attacker to execute code at the kernel level and gain root privileges. The vulnerability is related to errors in access control in the show_transport_handle function.
Recommendations
For Linux kernel versions prior to 5.11.4, update to version 5.11.4 or later.
For Linux kernel versions prior to 5.10.21, update to version 5.10.21 or later.
For Linux kernel versions prior to 5.4.103, update to version 5.4.103 or later.
For Linux kernel versions prior to 4.19.179, update to version 4.19.179 or later.
For Linux kernel versions prior to 4.14.224, update to version 4.14.224 or later.
For Linux kernel versions prior to 4.9.260, update to version 4.9.260 or later.
For Linux kernel versions prior to 4.4.260, update to version 4.4.260 or later.
As a temporary workaround, consider restricting access to the iSCSI subsystem until a patch is available.
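To triage hosts against the fixed releases listed above, the following check classifies a `uname -r` string per stable branch. It is an added example, not part of the original advisory; the "unknown" status and the suffix rule are assumptions that account for distribution kernels, which can carry a backported fix under an unchanged upstream version number.

```python
import platform
import re

# Fixed release per stable branch, copied from the advisory's version list.
FIXED = {(5, 11): 4, (5, 10): 21, (5, 4): 103, (4, 19): 179,
         (4, 14): 224, (4, 9): 260, (4, 4): 260}
NEWEST_FIXED = (5, 11, 4)


def parse_release(release):
    """Split a `uname -r` string into ((major, minor, patch), build suffix)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?(.*)", release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    version = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    return version, m.group(4)


def assess(release):
    """Return (status, note); status is 'fixed', 'affected' or 'unknown'."""
    version, suffix = parse_release(release)
    branch, patch = version[:2], version[2]
    if branch in FIXED:
        fixed = patch >= FIXED[branch]
        target = f"{branch[0]}.{branch[1]}.{FIXED[branch]}"
    else:
        # Branch not listed: only releases at or above the newest fix are clear.
        fixed = version >= NEWEST_FIXED
        target = "5.11.4"
    if fixed:
        return "fixed", "at or above the fixed release"
    # Assumption: any suffix other than -rcN marks a vendor or local build,
    # which may carry a backported fix under an unchanged upstream number.
    if suffix and not re.fullmatch(r"-rc\d+", suffix):
        return "unknown", f"build suffix {suffix!r}: check the vendor advisory"
    return "affected", f"update to {target} or later"


if __name__ == "__main__":
    release = platform.release()
    status, note = assess(release)
    print(f"{release}: {status} ({note})")
```

An "unknown" result on a distribution kernel should be resolved against that vendor's own advisory for CVE-2021-27365 rather than the upstream version numbers.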
Exploit
Fix
Heap Based Buffer Overflow
Memory Corruption
Affected Products
ALT Linux
AlmaLinux
CentOS
Linux Mint
Linux Kernel
Red Hat
RED OS
SUSE
Ubuntu