CVE-2021-42341

Public Exploit

Description

checkpath in OpenRC before 0.44.7 uses the direct output of strlen() to allocate strings, which does not account for the '\0' byte at the end of the string. This results in memory corruption. CVE-2021-42341 was introduced in git commit 63db2d99e730547339d1bdd28e8437999c380cae, which was introduced as part of OpenRC 0.44.0 development.

7.5

CVSS

Severity: High

CVSS 3.1 •

CVSS 2.0 •

EPSS 1.55% Top 20%

Third-Party Advisory gentoo.org Third-Party Advisory github.com Third-Party Advisory github.com Third-Party Advisory github.com Third-Party Advisory github.com Third-Party Advisory github.com

Affected: n/a n/a

References

Link	Tags
https://github.com/OpenRC/openrc/commit/bb8334104baf4d5a4a442a8647fb9204738f2204	third party advisory patch
https://github.com/OpenRC/openrc/issues/459	exploit third party advisory patch
https://github.com/OpenRC/openrc/pull/462	third party advisory patch
https://bugs.gentoo.org/816900	exploit third party advisory patch
https://github.com/OpenRC/openrc/commit/63db2d99e730547339d1bdd28e8437999c380cae	third party advisory patch
https://github.com/OpenRC/openrc/issues/418	exploit third party advisory patch

Frequently Asked Questions

What is the severity of CVE-2021-42341?: CVE-2021-42341 has been scored as a high severity vulnerability.
How to fix CVE-2021-42341?: To fix CVE-2021-42341, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2021-42341 being actively exploited in the wild?: It is possible that CVE-2021-42341 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~2% probability that this vulnerability will be exploited by malicious actors in the next 30 days.

This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.