Vulnerability Description
The mq_notify function in the GNU C Library (aka glibc) versions 2.32 and 2.33 has a use-after-free. It may use the notification thread attributes object (passed through its struct sigevent parameter) after it has been freed by the caller, leading to a denial of service (application crash) or possibly unspecified other impact.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Gnu | Glibc | 2.32 |
| Fedoraproject | Fedora | 33 |
| Netapp | Cloud Backup | - |
| Netapp | E-Series Santricity Os Controller | >= 11.0, <= 11.70.1 |
| Netapp | Solidfire Baseboard Management Controller Firmware | - |
| Netapp | H300S Firmware | - |
| Netapp | H300S | - |
| Netapp | H500S Firmware | - |
| Netapp | H500S | - |
| Netapp | H700S Firmware | - |
| Netapp | H700S | - |
| Netapp | H300E Firmware | - |
| Netapp | H300E | - |
| Netapp | H500E Firmware | - |
| Netapp | H500E | - |
| Netapp | H700E Firmware | - |
| Netapp | H700E | - |
| Netapp | H410S Firmware | - |
| Netapp | H410S | - |
| Debian | Debian Linux | 10.0 |
Related Weaknesses (CWE)
References
- https://lists.debian.org/debian-lts-announce/2022/10/msg00021.htmlMailing ListThird Party Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://security.gentoo.org/glsa/202107-07Third Party Advisory
- https://security.netapp.com/advisory/ntap-20210629-0005/Third Party Advisory
- https://sourceware.org/bugzilla/show_bug.cgi?id=27896ExploitIssue TrackingThird Party Advisory
- https://sourceware.org/bugzilla/show_bug.cgi?id=27896#c1Issue Tracking
- https://lists.debian.org/debian-lts-announce/2022/10/msg00021.htmlMailing ListThird Party Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://security.gentoo.org/glsa/202107-07Third Party Advisory
- https://security.netapp.com/advisory/ntap-20210629-0005/Third Party Advisory
- https://sourceware.org/bugzilla/show_bug.cgi?id=27896ExploitIssue TrackingThird Party Advisory
- https://sourceware.org/bugzilla/show_bug.cgi?id=27896#c1Issue Tracking
FAQ
What is CVE-2021-33574?
CVE-2021-33574 is a vulnerability with a CVSS score of 9.8 (CRITICAL). The mq_notify function in the GNU C Library (aka glibc) versions 2.32 and 2.33 has a use-after-free. It may use the notification thread attributes object (passed through its struct sigevent parameter)...
How severe is CVE-2021-33574?
CVE-2021-33574 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2021-33574?
Check the references section above for vendor advisories and patch information. Affected products include: Gnu Glibc, Fedoraproject Fedora, Netapp Cloud Backup, Netapp E-Series Santricity Os Controller, Netapp Solidfire Baseboard Management Controller Firmware.