New CVE entries this week

Masami Ichikawa

Hi!

Here is this week's CVE report.

* CVE short summary

** New CVEs

CVE-2021-3640: no fix information is available as of 2021/07/29.

CVE-2021-37576: mainline and stable kernels are fixed. This CVE only
affects the powerpc architecture.

** Updated CVEs

CVE-2021-31829: I fixed wrong security information.

CVE-2021-22543: added stable/4.19 fixed commit.

** Tracking CVEs

CVE-2021-29256: not fixed in mainline yet

CVE-2021-31615: not fixed in mainline yet

CVE-2021-21781: v4.4 is not fixed as of 2021/07/29

CVE-2021-3655: v4.4 is not fixed as of 2021/07/29

CVE-2021-37159: mainline is not fixed as of 2021/07/29

* CVE detail

New CVEs

- CVE-2021-3640: Linux kernel: UAF in sco_send_frame function

Not fixed in mainline.

From email(

2021-07-08: Bug reported to and
2021-07-09: CVE-2021-3640 is assigned
2021-07-22: the 14-day embargo is over

One sad thing is that the bluez team is currently focused on fixing up
CVE-2021-3573, which I failed to properly patch, and the patch for this
new one is not yet fully discussed.
I hope the patch will be settled and merged into mainline in the
near future.

CVE-2021-37576: KVM guest to host memory corruption

This vulnerability only affects PowerPC architecture.

No CIP member uses the PPC architecture.

Fixed status
mainline: [f62f3c20647ebd5fb6ecb8f0b477b9281c44c10a]
stable/4.19: [0493b10c06021796ba80cbe53c961defd5aca6e5]
stable/4.4: [1e90a673f6ee09c668fe01aa1b94924f972c9811]
stable/5.10: [c1fbdf0f3c26004a2803282fdc1c35086908a99e]

Updated CVEs

CVE-2021-22543: KVM through Improper handling of VM_IO|VM_PFNMAP vmas
in KVM can bypass RO checks and can lead to pages being freed while
still accessible by the VMM and guest

Added stable/4.19 fixed commit.

The v4.4 kernel obtains the pfn in hva_to_pfn() in the following way. It
does not use kvm_get_pfn(), and hva_to_pfn_remapped() does not exist in
the v4.4 kernel:

    else if ((vma->vm_flags & VM_PFNMAP)) {
    pfn = ((addr - vma->vm_start) >> PAGE_SHIFT) +

If v4.4 has the same vulnerability, a patch will need to be written for
it separately.

CVE-2021-31829: Linux kernel protection of stack pointer against
speculative pointer arithmetic can be bypassed to leak content of
kernel memory

Fixed status
mainline: [f8be156be163a052a067306417cd0ff679068c97]
stable/4.19: [117777467bc015f0dc5fc079eeba0fa80c965149]
stable/5.10: [dd8ed6c9bc2224c1ace5292d01089d3feb7ebbc3]

There was wrong information, so I updated it.
stable/5.10 is fixed, but cip/5.10 is not fixed yet.

Currently tracking CVEs

CVE-2021-29256: The Arm Mali GPU kernel driver allows an unprivileged
user to achieve access to freed memory

Not fixed in mainline yet

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

Not fixed in mainline yet

CVE-2021-21781: Arm SIGPAGE information disclosure vulnerability

v4.4 is not fixed as of 2021/07/29

Fixed status
mainline: [9c698bff66ab4914bb3d71da7dc6112519bde23e]
stable/4.19: [80ef523d2cb719c3de66787e922a96b5099d2fbb]
stable/5.10: [7913ec05fc02ccd7df83280451504b0a3e543097]

CVE-2021-3655: missing size validations on inbound SCTP packets

According to cip-kernel-sec's scripts, v4.4 is not fixed as of 2021/07/29.

One of the patches, 50619dbf8db77e98d821d615af4f634d08e22698, is included.

Fixed status
mainline: [0c5dc070ff3d6246d22ddd931f23a6266249e3db,
stable/4.19: [c7a03ebace4f9cd40d9cd9dd5fb2af558025583c,
stable/4.9: [c7da1d1ed43a6c2bece0d287e2415adf2868697e]
stable/5.10: [d4dbef7046e24669278eba4455e9e8053ead6ba0,

CVE-2021-37159: hso_free_net_device in drivers/net/usb/hso.c in the
Linux kernel through 5.13.4 calls unregister_netdev without checking
for the NETREG_REGISTERED state, leading to a use-after-free and a
double free.

Mainline is not fixed as of 2021/07/29.


Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@...
