Summaryinfo

A vulnerability was found in Linux Kernel up to 5.15.1 and classified as critical. Affected by this issue is some unknown functionality of the component vmk80xx. The manipulation leads to buffer overflow. This vulnerability is handled as CVE-2021-47474. There is no exploit available. It is recommended to upgrade the affected component. Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Detailsinfo

A vulnerability has been found in Linux Kernel up to 5.15.1 and classified as critical. Affected by this vulnerability is an unknown part of the component vmk80xx. The manipulation with an unknown input leads to a buffer overflow vulnerability. The CWE definition for the vulnerability is CWE-120. The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow. As an impact it is known to affect confidentiality, integrity, and availability. The summary by CVE is:

In the Linux kernel, the following vulnerability has been resolved: comedi: vmk80xx: fix bulk-buffer overflow The driver is using endpoint-sized buffers but must not assume that the tx and rx buffers are of equal size or a malicious device could overflow the slab-allocated receive buffer when doing bulk transfers.

It is possible to read the advisory at git.kernel.org. This vulnerability is known as CVE-2021-47474 since 05/22/2024. The exploitation appears to be easy. The technical details are unknown and an exploit is not publicly available. The pricing for an exploit might be around USD $0-$5k at the moment (estimation calculated on 05/22/2024).

Upgrading to version 4.4.292, 4.9.290, 4.14.255, 4.19.217, 5.4.159, 5.10.79, 5.14.18 or 5.15.2 eliminates this vulnerability. Applying the patch e0e6a63fd97a/7cfb35db6077/0866dcaa828c/063f576c43d5/1ae4715121a5/b7fd7f3387f0/7b0e35618932/47b4636ebdbe/78cdfd62bd54 is able to eliminate this problem. The bugfix is ready for download at git.kernel.org. The best possible mitigation is suggested to be upgrading to the latest version.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Productinfo

Type

• Operating System

Vendor

• Linux

Name

• Kernel

Version

• 4.4.291
• 4.9.289
• 4.14.254
• 4.19.216
• 5.4.158
• 5.10.0
• 5.10.1
• 5.10.2
• 5.10.3
• 5.10.4
• 5.10.5
• 5.10.6
• 5.10.7
• 5.10.8
• 5.10.9
• 5.10.10
• 5.10.11
• 5.10.12
• 5.10.13
• 5.10.14
• 5.10.15
• 5.10.16
• 5.10.17
• 5.10.18
• 5.10.19
• 5.10.20
• 5.10.21
• 5.10.22
• 5.10.23
• 5.10.24
• 5.10.25
• 5.10.26
• 5.10.27
• 5.10.28
• 5.10.29
• 5.10.30
• 5.10.31
• 5.10.32
• 5.10.33
• 5.10.34
• 5.10.35
• 5.10.36
• 5.10.37
• 5.10.38
• 5.10.39
• 5.10.40
• 5.10.41
• 5.10.42
• 5.10.43
• 5.10.44
• 5.10.45
• 5.10.46
• 5.10.47
• 5.10.48
• 5.10.49
• 5.10.50
• 5.10.51
• 5.10.52
• 5.10.53
• 5.10.54
• 5.10.55
• 5.10.56
• 5.10.57
• 5.10.58
• 5.10.59
• 5.10.60
• 5.10.61
• 5.10.62
• 5.10.63
• 5.10.64
• 5.10.65
• 5.10.66
• 5.10.67
• 5.10.68
• 5.10.69
• 5.10.70
• 5.10.71
• 5.10.72
• 5.10.73
• 5.10.74
• 5.10.75
• 5.10.76
• 5.10.77
• 5.10.78
• 5.14.0
• 5.14.1
• 5.14.2
• 5.14.3
• 5.14.4
• 5.14.5
• 5.14.6
• 5.14.7
• 5.14.8
• 5.14.9
• 5.14.10
• 5.14.11
• 5.14.12
• 5.14.13
• 5.14.14
• 5.14.15
• 5.14.16
• 5.14.17
• 5.15.0
• 5.15.1

License

• open-source

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion