Vulnerability Description
In librt in the GNU C Library (aka glibc) through 2.34, sysdeps/unix/sysv/linux/mq_notify.c mishandles certain NOTIFY_REMOVED data, leading to a NULL pointer dereference. NOTE: this vulnerability was introduced as a side effect of the CVE-2021-33574 fix.
CVSS Score
7.5 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Gnu | Glibc | <= 2.34 |
| Fedoraproject | Fedora | 35 |
| Oracle | Communications Cloud Native Core Binding Support Function | 22.1.3 |
| Oracle | Communications Cloud Native Core Network Function Cloud Native Environment | 22.1.0 |
| Oracle | Communications Cloud Native Core Network Repository Function | 22.1.2 |
| Oracle | Communications Cloud Native Core Security Edge Protection Proxy | 22.1.1 |
| Oracle | Communications Cloud Native Core Unified Data Repository | 22.2.0 |
| Oracle | Enterprise Operations Monitor | 4.3 |
Related Weaknesses (CWE)
References
- https://blog.tuxcare.com/cve/tuxcare-team-identifies-cve-2021-38604-a-new-vulner (Exploit, Third Party Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://security.gentoo.org/glsa/202208-24 (Third Party Advisory)
- https://security.netapp.com/advisory/ntap-20210909-0005/ (Third Party Advisory)
- https://sourceware.org/bugzilla/show_bug.cgi?id=28213 (Issue Tracking, Patch, Third Party Advisory)
- https://sourceware.org/git/?p=glibc.git%3Ba=commit%3Bh=4cc79c217744743077bf7a0ec
- https://sourceware.org/git/?p=glibc.git%3Ba=commit%3Bh=b805aebd42364fe696e417808
- https://www.oracle.com/security-alerts/cpujul2022.html (Patch, Third Party Advisory)
FAQ
What is CVE-2021-38604?
CVE-2021-38604 is a vulnerability with a CVSS score of 7.5 (HIGH). In librt in the GNU C Library (aka glibc) through 2.34, sysdeps/unix/sysv/linux/mq_notify.c mishandles certain NOTIFY_REMOVED data, leading to a NULL pointer dereference. NOTE: this vulnerability was introduced as a side effect of the CVE-2021-33574 fix.
How severe is CVE-2021-38604?
CVE-2021-38604 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS score section above for the severity rating.
Is there a patch for CVE-2021-38604?
Check the references section above for vendor advisories and patch information (the Sourceware bug tracker and glibc commit links carry the upstream fix). Affected products include: Gnu Glibc, Fedoraproject Fedora, Oracle Communications Cloud Native Core Binding Support Function, Oracle Communications Cloud Native Core Network Function Cloud Native Environment, Oracle Communications Cloud Native Core Network Repository Function, and the other Oracle products listed in the table above.