CVE-2021-47605

vduse: fix memory corruption in vduse_dev_ioctl()

Description

In the Linux kernel, the following vulnerability has been resolved: vduse: fix memory corruption in vduse_dev_ioctl() The "config.offset" comes from the user. There needs to a check to prevent it being out of bounds. The "config.offset" and "dev->config_size" variables are both type u32. So if the offset if out of bounds then the "dev->config_size - config.offset" subtraction results in a very high u32 value. The out of bounds offset can result in memory corruption.

Category

7.8
CVSS
Severity: High
CVSS 3.1 •
EPSS 0.06%
Affected: Linux Linux
Affected: Linux Linux
Published at:
Updated at:

References

Link Tags
https://git.kernel.org/stable/c/e6c67560b4341914bec32ec536e931c22062af65 patch
https://git.kernel.org/stable/c/ff9f9c6e74848170fcb45c8403c80d661484c8c9 patch

Frequently Asked Questions

What is the severity of CVE-2021-47605?
CVE-2021-47605 has been scored as a high severity vulnerability.
How to fix CVE-2021-47605?
To fix CVE-2021-47605, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2021-47605 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2021-47605 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2021-47605?
CVE-2021-47605 affects Linux Linux, Linux Linux.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.