PT-2021-5493 · Canonical+1 · Accountsservice+2

Kevin Backhouse · Published 2021-11-16 · Updated 2025-02-11 · CVE-2021-3939

CVSS v3.1: 7.8 High

Vector: AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Ubuntu versions prior to 0.6.55-0ubuntu12~20.04.5
Ubuntu versions prior to 0.6.55-0ubuntu13.3
Ubuntu versions prior to 0.6.55-0ubuntu14.1
Ubuntu 21.10
Ubuntu 21.04
Ubuntu 20.04 LTS

Description

The issue is a double-free memory corruption error in the accountsservice component of the Ubuntu operating system. It occurs because the fallback_locale variable is freed in the user_change_language_authorized_cb function, which is reachable via the SetLanguage D-Bus function. Exploitation of this issue can allow an attacker to locally elevate privileges to root.

Recommendations

For Ubuntu versions prior to 0.6.55-0ubuntu12~20.04.5, update to version 0.6.55-0ubuntu12~20.04.5 or later.
For Ubuntu versions prior to 0.6.55-0ubuntu13.3, update to version 0.6.55-0ubuntu13.3 or later.
For Ubuntu versions prior to 0.6.55-0ubuntu14.1, update to version 0.6.55-0ubuntu14.1 or later.
For Ubuntu 21.10, Ubuntu 21.04, and Ubuntu 20.04 LTS, update to the latest version that includes the fix for this issue.
As a temporary workaround, consider restricting access to the SetLanguage D-Bus function until a patch is available.

Related Identifiers

BDU:2021-06343
CVE-2021-3939
USN-5149-1

Affected Products

Linuxmint
Ubuntu
Accountsservice