CVE-2021-36086 — LOW (3.3) — White Hats Nepal

Q: What is CVE-2021-36086?

CVE-2021-36086 is a vulnerability with a CVSS score of 3.3 (LOW). The CIL compiler in SELinux 3.2 has a use-after-free in cil_reset_classpermission (called from cil_reset_classperms_set and cil_reset_classperms_list).

Q: How severe is CVE-2021-36086?

CVE-2021-36086 has been rated LOW with a CVSS base score of 3.3/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2021-36086?

Check the references section above for vendor advisories and patch information. Affected products include: Debian Debian Linux, Netapp Active Iq Unified Manager, Netapp Bootstrap Os, Netapp Hci Compute Node, Netapp H610C Firmware.

Vulnerability Description

The CIL compiler in SELinux 3.2 has a use-after-free in cil_reset_classpermission (called from cil_reset_classperms_set and cil_reset_classperms_list).

CVSS Score

3.3

LOW

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

LOW

Affected Products

Vendor	Product	Versions
Debian	Debian Linux	11.0
Netapp	Active Iq Unified Manager	-
Netapp	Bootstrap Os	-
Netapp	Hci Compute Node	-
Netapp	H610C Firmware	-
Netapp	H610C	-
Netapp	H610S Firmware	-
Netapp	H610S	-
Netapp	H615C Firmware	-
Netapp	H615C	-
Selinux Project	Selinux	< 3.3
Fedoraproject	Fedora	35

Related Weaknesses (CWE)

CWE-416

References

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=32177ExploitIssue TrackingPatch
https://github.com/SELinuxProject/selinux/commit/c49a8ea09501ad66e799ea41b8154b6PatchThird Party Advisory
https://github.com/google/oss-fuzz-vulns/blob/main/vulns/selinux/OSV-2021-536.yaThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproBroken Link
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=32177ExploitIssue TrackingPatch
https://github.com/SELinuxProject/selinux/commit/c49a8ea09501ad66e799ea41b8154b6PatchThird Party Advisory
https://github.com/google/oss-fuzz-vulns/blob/main/vulns/selinux/OSV-2021-536.yaThird Party Advisory
https://lists.debian.org/debian-lts-announce/2024/10/msg00021.htmlMailing ListThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproBroken Link
https://security.netapp.com/advisory/ntap-20250207-0004/Third Party Advisory

FAQ

What is CVE-2021-36086?

CVE-2021-36086 is a vulnerability with a CVSS score of 3.3 (LOW). The CIL compiler in SELinux 3.2 has a use-after-free in cil_reset_classpermission (called from cil_reset_classperms_set and cil_reset_classperms_list).

How severe is CVE-2021-36086?

CVE-2021-36086 has been rated LOW with a CVSS base score of 3.3/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2021-36086?

Check the references section above for vendor advisories and patch information. Affected products include: Debian Debian Linux, Netapp Active Iq Unified Manager, Netapp Bootstrap Os, Netapp Hci Compute Node, Netapp H610C Firmware.