Canonical Ubuntu Linux (Linux Operating System)


Recent Canonical Ubuntu Linux Security Advisories

Advisory | Title | Published
USN-5156-1 | ICU vulnerability | November 24, 2021
USN-5155-1 | BlueZ vulnerabilities | November 23, 2021
USN-5154-1 | FreeRDP vulnerabilities | November 23, 2021
USN-5153-1 | LibreOffice vulnerabilities | November 22, 2021
USN-5152-1 | Thunderbird vulnerabilities | November 18, 2021
USN-5151-1 | Mailman vulnerabilities | November 18, 2021
USN-5150-1 | OpenEXR vulnerability | November 17, 2021
USN-5149-1 | AccountsService vulnerability | November 16, 2021
USN-5148-1 | hivex vulnerability | November 16, 2021
USN-5147-1 | Vim vulnerabilities | November 15, 2021

By the Year

In 2021 there have been 322 vulnerabilities in Canonical Ubuntu Linux with an average score of 6.7 out of ten. Last year Ubuntu Linux had 213 security vulnerabilities published. That is, 109 more vulnerabilities have already been reported in 2021 as compared to last year. However, the average CVE base score of the vulnerabilities in 2021 is greater by 0.26.

Year | Vulnerabilities | Average Score
2021 | 322 | 6.66
2020 | 213 | 6.40
2019 | 377 | 7.12
2018 | 787 | 7.19

It may take a day or so for new Ubuntu Linux vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Canonical Ubuntu Linux Security Vulnerabilities

CVE-2021-3939 7.8 - High - November 17, 2021

Ubuntu-specific modifications to accountsservice (in patch file debian/patches/0010-set-language.patch) caused the fallback_locale variable, pointing to static storage, to be freed, in the user_change_language_authorized_cb function. This is reachable via the SetLanguage dbus function. This is fixed in versions 0.6.55-0ubuntu12~20.04.5, 0.6.55-0ubuntu13.3, 0.6.55-0ubuntu14.1.

Release of Invalid Pointer or Reference

CVE-2021-41229 6.5 - Medium - November 12, 2021

BlueZ is a Bluetooth protocol stack for Linux. In affected versions a vulnerability exists in sdp_cstate_alloc_buf which allocates memory which will always be hung in the singly linked list of cstates and will not be freed. This will cause a memory leak over time. The data can be a very large object, which can be caused by an attacker continuously sending sdp packets and this may cause the service of the target device to crash.

Resource Exhaustion

CVE-2021-43331 6.1 - Medium - November 12, 2021

In GNU Mailman before 2.1.36, a crafted URL to the Cgi/options.py user options page can execute arbitrary JavaScript for XSS.

XSS

CVE-2021-43332 6.5 - Medium - November 12, 2021

In GNU Mailman before 2.1.36, the CSRF token for the Cgi/admindb.py admindb page contains an encrypted version of the list admin password. This could potentially be cracked by a moderator via an offline brute-force attack.

Improper Restriction of Excessive Authentication Attempts

CVE-2021-3927 7.8 - High - November 05, 2021

vim is vulnerable to Heap-based Buffer Overflow

Heap-based Buffer Overflow

CVE-2021-3928 7.8 - High - November 05, 2021

vim is vulnerable to Stack-based Buffer Overflow

Memory Corruption

CVE-2021-43400 9.1 - Critical - November 04, 2021

An issue was discovered in gatt-database.c in BlueZ 5.61. A use-after-free can occur when a client disconnects during D-Bus processing of a WriteValue call.

Dangling pointer

CVE-2021-43389 5.5 - Medium - November 04, 2021

An issue was discovered in the Linux kernel before 5.14.15. There is an array-index-out-of-bounds flaw in the detach_capi_ctr function in drivers/isdn/capi/kcapi.c.

Out-of-bounds Read

CVE-2021-43056 5.5 - Medium - October 28, 2021

An issue was discovered in the Linux kernel for powerpc before 5.14.15. It allows a malicious KVM guest to crash the host, when the host is running on Power8, due to an arch/powerpc/kvm/book3s_hv_rmhandlers.S implementation bug in the handling of the SRR1 register values.

CVE-2021-3903 7.8 - High - October 27, 2021

vim is vulnerable to Heap-based Buffer Overflow

Heap-based Buffer Overflow

CVE-2021-24489 4.8 - Medium - October 25, 2021

The Request a Quote WordPress plugin before 2.3.5 does not sanitise, validate or escape some of its settings in the admin dashboard, leading to authenticated Stored Cross-Site Scripting issues even when the unfiltered_html capability is disallowed.

XSS

CVE-2021-41159 8.8 - High - October 21, 2021

FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. All FreeRDP clients prior to version 2.4.1 using gateway connections (`/gt:rpc`) fail to validate input data. A malicious gateway might allow client memory to be written out of bounds. This issue has been resolved in version 2.4.1. If you are unable to update then use `/gt:http` rather than `/gt:rdp` connections if possible or use a direct connection without a gateway.

Memory Corruption

CVE-2021-41160 8.8 - High - October 21, 2021

FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. In affected versions a malicious server might trigger out-of-bounds writes in a connected client. Connections using GDI or SurfaceCommands to send graphics updates to the client might send `0` width/height or out-of-bounds rectangles to trigger out-of-bounds writes. With `0` width or height the memory allocation will be `0`, but the missing bounds checks allow writing to the pointer at this (not allocated) region. This issue has been patched in FreeRDP 2.4.1.

Memory Corruption

CVE-2021-42097 8 - High - October 21, 2021

GNU Mailman before 2.1.35 may allow remote Privilege Escalation. A csrf_token value is not specific to a single user account. An attacker can obtain a value within the context of an unprivileged user account, and then use that value in a CSRF attack against an admin (e.g., for account takeover).

Session Riding

CVE-2021-42096 4.3 - Medium - October 21, 2021

GNU Mailman before 2.1.35 may allow remote Privilege Escalation. A certain csrf_token value is derived from the admin password, and may be useful in conducting a brute-force attack against that password.

Improper Restriction of Excessive Authentication Attempts

CVE-2021-3872 7.8 - High - October 19, 2021

vim is vulnerable to Heap-based Buffer Overflow

Heap-based Buffer Overflow

CVE-2021-41990 7.5 - High - October 18, 2021

The gmp plugin in strongSwan before 5.9.4 has a remote integer overflow via a crafted certificate with an RSASSA-PSS signature. For example, this can be triggered by an unrelated self-signed CA certificate sent by an initiator. Remote code execution cannot occur.

Integer Overflow or Wraparound

CVE-2021-41991 7.5 - High - October 18, 2021

The in-memory certificate cache in strongSwan before 5.9.4 has a remote integer overflow upon receiving many requests with different certificates to fill the cache and later trigger the replacement of cache entries. The code attempts to select a less-often-used cache entry by means of a random number generator, but this is not done correctly. Remote code execution might be a slight possibility.

Integer Overflow or Wraparound

CVE-2021-3671 6.5 - Medium - October 12, 2021

A null pointer de-reference was found in the way samba kerberos server handled missing sname in TGS-REQ (Ticket Granting Server - Request). An authenticated user could use this flaw to crash the samba server.

NULL Pointer Dereference

CVE-2021-42252 7.8 - High - October 11, 2021

An issue was discovered in aspeed_lpc_ctrl_mmap in drivers/soc/aspeed/aspeed-lpc-ctrl.c in the Linux kernel before 5.14.6. Local attackers able to access the Aspeed LPC control interface could overwrite memory in the kernel and potentially escalate privileges, aka CID-b49a0e69a7b1. This occurs because a certain comparison uses values that are not memory sizes.

CVE-2021-32028 6.5 - Medium - October 11, 2021

A flaw was found in postgresql. Using an INSERT ... ON CONFLICT ... DO UPDATE command on a purpose-crafted table, an authenticated database user could read arbitrary bytes of server memory. The highest threat from this vulnerability is to data confidentiality.

Information Disclosure

CVE-2021-32029 6.5 - Medium - October 08, 2021

A flaw was found in postgresql. Using an UPDATE ... RETURNING command on a purpose-crafted table, an authenticated database user could read arbitrary bytes of server memory. The highest threat from this vulnerability is to data confidentiality.

Information Disclosure

CVE-2021-42008 7.8 - High - October 05, 2021

The decode_data function in drivers/net/hamradio/6pack.c in the Linux kernel before 5.13.13 has a slab out-of-bounds write. Input from a process that has the CAP_NET_ADMIN capability can lead to root access.

Memory Corruption

CVE-2021-21705 5.3 - Medium - October 04, 2021

In PHP versions 7.3.x below 7.3.29, 7.4.x below 7.4.21 and 8.0.x below 8.0.8, when using URL validation functionality via the filter_var() function with the FILTER_VALIDATE_URL parameter, a URL with an invalid password field can be accepted as valid. This can lead to the code incorrectly parsing the URL and potentially to other security implications, like contacting a wrong server or making a wrong access decision.

Improper Input Validation

CVE-2021-21704 5.9 - Medium - October 04, 2021

In PHP versions 7.3.x below 7.3.29, 7.4.x below 7.4.21 and 8.0.x below 8.0.8, when using Firebird PDO driver extension, a malicious database server could cause crashes in various database functions, such as getAttribute(), execute(), fetch() and others by returning invalid response data that is not parsed correctly by the driver. This can result in crashes, denial of service or potentially memory corruption.

Buffer Overflow

CVE-2021-41864 7.8 - High - October 02, 2021

prealloc_elems_and_freelist in kernel/bpf/stackmap.c in the Linux kernel through 5.14.9 allows unprivileged users to trigger an eBPF multiplication integer overflow with a resultant out-of-bounds write.

Integer Overflow or Wraparound

CVE-2021-3653 8.8 - High - September 29, 2021

A flaw was found in the KVM's AMD code for supporting SVM nested virtualization. The flaw occurs when processing the VMCB (virtual machine control block) provided by the L1 guest to spawn/handle a nested guest (L2). Due to improper validation of the "int_ctl" field, this issue could allow a malicious L1 to enable AVIC support (Advanced Virtual Interrupt Controller) for the L2 guest. As a result, the L2 guest would be allowed to read/write physical pages of the host, resulting in a crash of the entire system, leak of sensitive data or potential guest-to-host escape. This flaw affects Linux kernel versions prior to 5.14-rc7.

AuthZ

CVE-2021-22946 7.5 - High - September 29, 2021

A user can tell curl >= 7.20.0 and <= 7.78.0 to require a successful upgrade to TLS when speaking to an IMAP, POP3 or FTP server (`--ssl-reqd` on the command line or `CURLOPT_USE_SSL` set to `CURLUSESSL_CONTROL` or `CURLUSESSL_ALL` with libcurl). This requirement could be bypassed if the server would return a properly crafted but perfectly legitimate response. This flaw would then make curl silently continue its operations without TLS, contrary to the instructions and expectations, exposing possibly sensitive data in clear text over the network.

Cleartext Transmission of Sensitive Information

CVE-2021-22947 5.9 - Medium - September 29, 2021

When curl >= 7.20.0 and <= 7.78.0 connects to an IMAP or POP3 server to retrieve data using STARTTLS to upgrade to TLS security, the server can respond and send back multiple responses at once that curl caches. curl would then upgrade to TLS but not flush the in-queue of cached responses, but instead continue using and trusting the responses it got before the TLS handshake as if they were authenticated. Using this flaw, a Man-In-The-Middle attacker can first inject the fake responses, then pass through the TLS traffic from the legitimate server and trick curl into sending data back to the user, thinking the attacker's injected data comes from the TLS-protected server.

Insufficient Verification of Data Authenticity

CVE-2021-22945 9.1 - Critical - September 23, 2021

When sending data to an MQTT server, libcurl <= 7.73.0 and 7.78.0 could in some circumstances erroneously keep a pointer to an already freed memory area and both use that again in a subsequent call to send data and also free it *again*.

Double-free

CVE-2021-41073 7.8 - High - September 19, 2021

loop_rw_iter in fs/io_uring.c in the Linux kernel 5.10 through 5.14.6 allows local users to gain privileges by using IORING_OP_PROVIDE_BUFFERS to trigger a free of a kernel buffer, as demonstrated by using /proc/<pid>/maps for exploitation.

Improper Privilege Management

CVE-2021-34798 7.5 - High - September 16, 2021

Malformed requests may cause the server to dereference a NULL pointer. This issue affects Apache HTTP Server 2.4.48 and earlier.

NULL Pointer Dereference

CVE-2021-36160 7.5 - High - September 16, 2021

A carefully crafted request uri-path can cause mod_proxy_uwsgi to read above the allocated memory and crash (DoS). This issue affects Apache HTTP Server versions 2.4.30 to 2.4.48 (inclusive).

Out-of-bounds Read

CVE-2021-39275 9.8 - Critical - September 16, 2021

ap_escape_quotes() may write beyond the end of a buffer when given malicious input. No included modules pass untrusted data to these functions, but third-party / external modules may. This issue affects Apache HTTP Server 2.4.48 and earlier.

Classic Buffer Overflow

CVE-2021-40438 9 - Critical - September 16, 2021

A crafted request uri-path can cause mod_proxy to forward the request to an origin server chosen by the remote user. This issue affects Apache HTTP Server 2.4.48 and earlier.

XSPA

CVE-2021-3796 7.3 - High - September 15, 2021

vim is vulnerable to Use After Free

Dangling pointer

CVE-2021-3778 7.8 - High - September 15, 2021

vim is vulnerable to Heap-based Buffer Overflow

Heap-based Buffer Overflow

CVE-2021-41072 8.1 - High - September 14, 2021

squashfs_opendir in unsquash-2.c in Squashfs-Tools 4.5 allows Directory Traversal, a different vulnerability than CVE-2021-40153. A squashfs filesystem that has been crafted to include a symbolic link and then contents under the same filename in a filesystem can cause unsquashfs to first create the symbolic link pointing outside the expected directory, and then the subsequent write operation will cause the unsquashfs process to write through the symbolic link elsewhere in the filesystem.

insecure temporary file

CVE-2021-3770 7.8 - High - September 06, 2021

vim is vulnerable to Heap-based Buffer Overflow

Memory Corruption

CVE-2021-40490 7 - High - September 03, 2021

A race condition was discovered in ext4_write_inline_data_end in fs/ext4/inline.c in the ext4 subsystem in the Linux kernel through 5.13.13.

Race Condition

CVE-2021-40153 8.1 - High - August 27, 2021

squashfs_opendir in unsquash-1.c in Squashfs-Tools 4.5 stores the filename in the directory entry; this is then used by unsquashfs to create the new file during the unsquash. The filename is not validated for traversal outside of the destination directory, and thus allows writing to locations outside of the destination.

Directory traversal

CVE-2021-40145 7.5 - High - August 26, 2021

** DISPUTED ** gdImageGd2Ptr in gd_gd2.c in the GD Graphics Library (aka LibGD) through 2.3.2 has a double free. NOTE: the vendor's position is "The GD2 image format is a proprietary image format of libgd. It has to be regarded as being obsolete, and should only be used for development and testing purposes."

Double-free

CVE-2021-3711 9.8 - Critical - August 24, 2021

In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the "out" parameter can be NULL and, on exit, the "outlen" parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the "out" parameter. A bug in the implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer that is too small. A malicious attacker who is able to present SM2 content for decryption to an application could cause attacker-chosen data to overflow the buffer by up to a maximum of 62 bytes, altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).

Classic Buffer Overflow

CVE-2021-3712 7.4 - High - August 24, 2021

ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are represented as a buffer for the string data which is terminated with a NUL (0) byte. Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's own "d2i" functions (and other similar parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array by directly setting the "data" and "length" fields in the ASN1_STRING array. This can also happen by using the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for strings that have been directly constructed. Where an application requests an ASN.1 structure to be printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the application without NUL terminating the "data" field, then a read buffer overrun can occur. The same thing can also occur during name constraints processing of certificates (for example if a certificate has been directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack). It could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected 1.0.2-1.0.2y).

Out-of-bounds Read

CVE-2021-3693 9.6 - Critical - August 23, 2021

LedgerSMB does not check the origin of HTML fragments merged into the browser's DOM. By sending a specially crafted URL to an authenticated user, this flaw can be abused for remote code execution and information disclosure.

XSS

CVE-2021-3694 9.6 - Critical - August 23, 2021

LedgerSMB does not sufficiently HTML-encode error messages sent to the browser. By sending a specially crafted URL to an authenticated user, this flaw can be abused for remote code execution and information disclosure.

XSS

CVE-2021-3731 4.7 - Medium - August 23, 2021

LedgerSMB does not sufficiently guard against being wrapped by other sites, making it vulnerable to 'clickjacking'. This allows an attacker to trick a targeted user into executing unintended actions.

Clickjacking

CVE-2021-29980 8.8 - High - August 17, 2021

Uninitialized memory in a canvas object could have caused an incorrect free() leading to memory corruption and a potentially exploitable crash. This vulnerability affects Thunderbird < 78.13, Thunderbird < 91, Firefox ESR < 78.13, and Firefox < 91.

Missing Initialization of Resource

CVE-2021-29984 8.8 - High - August 17, 2021

Instruction reordering resulted in a sequence of instructions that would cause an object to be incorrectly considered during garbage collection. This led to memory corruption and a potentially exploitable crash. This vulnerability affects Thunderbird < 78.13, Thunderbird < 91, Firefox ESR < 78.13, and Firefox < 91.

CVE-2021-29985 8.8 - High - August 17, 2021

A use-after-free vulnerability in media channels could have led to memory corruption and a potentially exploitable crash. This vulnerability affects Thunderbird < 78.13, Thunderbird < 91, Firefox ESR < 78.13, and Firefox < 91.

Dangling pointer

CVE-2021-29986 8.1 - High - August 17, 2021

A suspected race condition when calling getaddrinfo led to memory corruption and a potentially exploitable crash. *Note: This issue only affected Linux operating systems. Other operating systems are unaffected.* This vulnerability affects Thunderbird < 78.13, Thunderbird < 91, Firefox ESR < 78.13, and Firefox < 91.

Race Condition

CVE-2021-29988 8.8 - High - August 17, 2021

Firefox incorrectly treated an inline list-item element as a block element, resulting in an out of bounds read or memory corruption, and a potentially exploitable crash. This vulnerability affects Thunderbird < 78.13, Thunderbird < 91, Firefox ESR < 78.13, and Firefox < 91.

Interpretation Conflict

CVE-2021-29989 8.8 - High - August 17, 2021

Mozilla developers reported memory safety bugs present in Firefox 90 and Firefox ESR 78.12. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Thunderbird < 78.13, Firefox ESR < 78.13, and Firefox < 91.

Buffer Overflow

CVE-2021-33193 7.5 - High - August 16, 2021

A crafted method sent through HTTP/2 will bypass validation and be forwarded by mod_proxy, which can lead to request splitting or cache poisoning. This issue affects Apache HTTP Server 2.4.17 to 2.4.48.

CVE-2021-3573 6.4 - Medium - August 13, 2021

A use-after-free in function hci_sock_bound_ioctl() of the Linux kernel HCI subsystem was found in the way a user calls the ioctl HCIUNBLOCKADDR, or otherwise triggers a race condition between the call hci_unregister_dev() and one of the calls hci_sock_blacklist_add(), hci_sock_blacklist_del(), hci_get_conn_info(), hci_get_auth_info(). A privileged local user could use this flaw to crash the system or escalate their privileges on the system. This flaw affects the Linux kernel versions prior to 5.13-rc5.

Race Condition

CVE-2021-38593 7.5 - High - August 12, 2021

Qt 5.0.0 through 6.1.2 has an out-of-bounds write in QOutlineMapper::convertPath (called from QRasterPaintEngine::fill and QPaintEngineEx::stroke).

Memory Corruption

CVE-2021-34335 5.5 - Medium - August 09, 2021

Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. A floating point exception (FPE) due to an integer divide by zero was found in Exiv2 versions v0.27.4 and earlier. The FPE is triggered when Exiv2 is used to print the metadata of a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when printing the interpreted (translated) data, which is a less frequently used Exiv2 operation that requires an extra command line option (`-p t` or `-P t`). The bug is fixed in version v0.27.5.

Divide By Zero

CVE-2021-37615 5.5 - Medium - August 09, 2021

Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. A null pointer dereference was found in Exiv2 versions v0.27.4 and earlier. The null pointer dereference is triggered when Exiv2 is used to print the metadata of a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when printing the interpreted (translated) data, which is a less frequently used Exiv2 operation that requires an extra command line option (`-p t` or `-P t`). The bug is fixed in version v0.27.5.

NULL Pointer Dereference

CVE-2021-37620 5.5 - Medium - August 09, 2021

Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. An out-of-bounds read was found in Exiv2 versions v0.27.4 and earlier. The out-of-bounds read is triggered when Exiv2 is used to read the metadata of a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service, if they can trick the victim into running Exiv2 on a crafted image file. The bug is fixed in version v0.27.5.

Out-of-bounds Read

Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files

CVE-2021-37622 5.5 - Medium - August 09, 2021

Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. An infinite loop was found in Exiv2 versions v0.27.4 and earlier. The infinite loop is triggered when Exiv2 is used to modify the metadata of a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when deleting the IPTC data, which is a less frequently used Exiv2 operation that requires an extra command line option (`-d I rm`). The bug is fixed in version v0.27.5.

Infinite Loop

Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files

CVE-2021-37616 5.5 - Medium - August 09, 2021

Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. A null pointer dereference was found in Exiv2 versions v0.27.4 and earlier. The null pointer dereference is triggered when Exiv2 is used to print the metadata of a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when printing the interpreted (translated) data, which is a less frequently used Exiv2 operation that requires an extra command line option (`-p t` or `-P t`). The bug is fixed in version v0.27.5.

NULL Pointer Dereference

Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files

CVE-2021-37618 5.5 - Medium - August 09, 2021

Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. An out-of-bounds read was found in Exiv2 versions v0.27.4 and earlier. The out-of-bounds read is triggered when Exiv2 is used to print the metadata of a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when printing the image ICC profile, which is a less frequently used Exiv2 operation that requires an extra command line option (`-p C`). The bug is fixed in version v0.27.5.

Out-of-bounds Read

Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files

CVE-2021-37619 5.5 - Medium - August 09, 2021

Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. An out-of-bounds read was found in Exiv2 versions v0.27.4 and earlier. The out-of-bounds read is triggered when Exiv2 is used to write metadata into a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service by crashing Exiv2, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when writing the metadata, which is a less frequently used Exiv2 operation than reading the metadata. For example, to trigger the bug in the Exiv2 command-line application, you need to add an extra command-line argument such as insert. The bug is fixed in version v0.27.5.

Out-of-bounds Read

Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files

CVE-2021-37621 5.5 - Medium - August 09, 2021

Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. An infinite loop was found in Exiv2 versions v0.27.4 and earlier. The infinite loop is triggered when Exiv2 is used to print the metadata of a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when printing the image ICC profile, which is a less frequently used Exiv2 operation that requires an extra command line option (`-p C`). The bug is fixed in version v0.27.5.

Infinite Loop

Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files

CVE-2021-32815 5.5 - Medium - August 09, 2021

Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. An assertion failure is triggered when Exiv2 is used to modify the metadata of a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when modifying the metadata, which is a less frequently used Exiv2 operation than reading the metadata. For example, to trigger the bug in the Exiv2 command-line application, you need to add an extra command-line argument such as `fi`. The bug is fixed in version v0.27.5 (regression test and bug fix in #1739). See the Exiv2 security policy at https://github.com/Exiv2/exiv2/security/policy for more information.

Assertion Failure

Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files

CVE-2021-34334 5.5 - Medium - August 09, 2021

Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. An infinite loop is triggered when Exiv2 is used to read the metadata of a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service, if they can trick the victim into running Exiv2 on a crafted image file. The bug is fixed in version v0.27.5.

Infinite Loop

Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files

CVE-2021-37623 5.5 - Medium - August 09, 2021

Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. An infinite loop was found in Exiv2 versions v0.27.4 and earlier. The infinite loop is triggered when Exiv2 is used to modify the metadata of a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when deleting the IPTC data, which is a less frequently used Exiv2 operation that requires an extra command line option (`-d I rm`). The bug is fixed in version v0.27.5.

Infinite Loop

net/nfc/llcp_sock.c in the Linux kernel before 5.12.10

CVE-2021-38208 5.5 - Medium - August 08, 2021

net/nfc/llcp_sock.c in the Linux kernel before 5.12.10 allows local unprivileged users to cause a denial of service (NULL pointer dereference and BUG) by making a getsockname call after a certain type of failure of a bind call.

NULL Pointer Dereference

arch/x86/kvm/mmu/paging_tmpl.h in the Linux kernel before 5.12.11 incorrectly computes the access permissions of a shadow page

CVE-2021-38198 5.5 - Medium - August 08, 2021

arch/x86/kvm/mmu/paging_tmpl.h in the Linux kernel before 5.12.11 incorrectly computes the access permissions of a shadow page, leading to a missing guest protection page fault.

arch/powerpc/perf/core-book3s.c in the Linux kernel before 5.12.13, on systems with perf_event_paranoid=-1 and no specific PMU driver support registered

CVE-2021-38200 5.5 - Medium - August 08, 2021

arch/powerpc/perf/core-book3s.c in the Linux kernel before 5.12.13, on systems with perf_event_paranoid=-1 and no specific PMU driver support registered, allows local users to cause a denial of service (perf_instruction_pointer NULL pointer dereference and OOPS) via a "perf record" command.

NULL Pointer Dereference

The mac80211 subsystem in the Linux kernel before 5.12.13, when a device supporting only 5 GHz is used

CVE-2021-38206 5.5 - Medium - August 08, 2021

The mac80211 subsystem in the Linux kernel before 5.12.13, when a device supporting only 5 GHz is used, allows attackers to cause a denial of service (NULL pointer dereference in the radiotap parser) by injecting a frame with 802.11a rates.

NULL Pointer Dereference

drivers/net/ethernet/xilinx/ll_temac_main.c in the Linux kernel before 5.12.13

CVE-2021-38207 7.5 - High - August 08, 2021

drivers/net/ethernet/xilinx/ll_temac_main.c in the Linux kernel before 5.12.13 allows remote attackers to cause a denial of service (buffer overflow and lockup) by sending heavy network traffic for about ten minutes.

Classic Buffer Overflow

fs/nfs/nfs4client.c in the Linux kernel before 5.13.4 has incorrect connection-setup ordering, which

CVE-2021-38199 6.5 - Medium - August 08, 2021

fs/nfs/nfs4client.c in the Linux kernel before 5.13.4 has incorrect connection-setup ordering, which allows operators of remote NFSv4 servers to cause a denial of service (hanging of mounts) by arranging for those servers to be unreachable during trunking detection.

net/sunrpc/xdr.c in the Linux kernel before 5.13.4

CVE-2021-38201 7.5 - High - August 08, 2021

net/sunrpc/xdr.c in the Linux kernel before 5.13.4 allows remote attackers to cause a denial of service (xdr_set_page_base slab-out-of-bounds access) by performing many NFS 4.2 READ_PLUS operations.

Buffer Overflow

drivers/usb/host/max3421-hcd.c in the Linux kernel before 5.13.6

CVE-2021-38204 6.8 - Medium - August 08, 2021

drivers/usb/host/max3421-hcd.c in the Linux kernel before 5.13.6 allows physically proximate attackers to cause a denial of service (use-after-free and panic) by removing a MAX-3421 USB device in certain situations.

Dangling pointer

drivers/net/ethernet/xilinx/xilinx_emaclite.c in the Linux kernel before 5.13.3 makes it easier for attackers to defeat an ASLR protection mechanism

CVE-2021-38205 3.3 - Low - August 08, 2021

drivers/net/ethernet/xilinx/xilinx_emaclite.c in the Linux kernel before 5.13.3 makes it easier for attackers to defeat an ASLR protection mechanism because it prints a kernel pointer (i.e., the real IOMEM pointer).

Access of Uninitialized Pointer

fs/nfsd/trace.h in the Linux kernel before 5.13.4 might

CVE-2021-38202 7.5 - High - August 08, 2021

fs/nfsd/trace.h in the Linux kernel before 5.13.4 might allow remote attackers to cause a denial of service (out-of-bounds read in strlen) by sending NFS traffic when the trace event framework is being used for nfsd.

Out-of-bounds Read

btrfs in the Linux kernel before 5.13.4 allows attackers to cause a denial of service (deadlock) via processes

CVE-2021-38203 5.5 - Medium - August 08, 2021

btrfs in the Linux kernel before 5.13.4 allows attackers to cause a denial of service (deadlock) via processes that trigger allocation of new system chunks during times when there is a shortage of free space in the system space_info.

Allocation of Resources Without Limits or Throttling

In kernel/bpf/hashtab.c in the Linux kernel through 5.13.8

CVE-2021-38166 7.8 - High - August 07, 2021

In kernel/bpf/hashtab.c in the Linux kernel through 5.13.8, there is an integer overflow and out-of-bounds write when many elements are placed in a single bucket. NOTE: exploitation might be impractical without the CAP_SYS_ADMIN capability.

Memory Corruption
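The arithmetic behind this entry, as an added illustration that is not the kernel's code: when both factors of an allocation size are 32-bit, the product wraps before the allocator sees it, and the buffer ends up smaller than the data the batch loop later copies into it. The record and bucket sizes and the helper names are constructed for the example; the hardened path does what the kernel's kvmalloc_array() does, multiplying in size_t with an overflow check.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Buggy pattern: elem_size and bucket_size are both u32, so the product is
 * evaluated in 32 bits and wraps before it is widened for the allocator. */
static size_t batch_bytes_unchecked(uint32_t elem_size, uint32_t bucket_size)
{
    uint32_t bytes = elem_size * bucket_size;   /* wraps modulo 2^32 */
    return (size_t)bytes;
}

/* Hardened pattern (what kvmalloc_array()/check_mul_overflow() do): widen
 * first, multiply in size_t, and fail instead of returning a wrapped size. */
static bool batch_bytes_checked(uint32_t elem_size, uint32_t bucket_size, size_t *out)
{
    size_t bytes;
    if (__builtin_mul_overflow((size_t)elem_size, (size_t)bucket_size, &bytes))
        return false;                            /* caller returns -E2BIG/-ENOMEM */
    *out = bytes;
    return true;
}

/* Bytes the copy loop will actually write: one record per bucket entry,
 * computed in 64 bits so the comparison itself cannot wrap. */
static uint64_t batch_bytes_needed(uint32_t elem_size, uint32_t bucket_size)
{
    return (uint64_t)elem_size * bucket_size;
}

/* True when the unchecked size is smaller than what the loop writes, i.e.
 * the copy would run past the end of the allocation (the KASAN report). */
static bool unchecked_alloc_is_undersized(uint32_t elem_size, uint32_t bucket_size)
{
    return (uint64_t)batch_bytes_unchecked(elem_size, bucket_size)
           < batch_bytes_needed(elem_size, bucket_size);
}

/* The hardened path either refuses or returns exactly what the loop needs. */
static bool checked_size_is_exact(uint32_t elem_size, uint32_t bucket_size)
{
    size_t bytes;
    return batch_bytes_checked(elem_size, bucket_size, &bytes) &&
           (uint64_t)bytes == batch_bytes_needed(elem_size, bucket_size);
}

int main(void)
{
    /* Constructed sizes: 8-byte records, a bucket of 0x20000001 entries. */
    uint32_t elem = 8, bucket = 0x20000001u;
    size_t ok = 0;
    printf("unchecked: %zu bytes allocated, %llu needed -> undersized=%d\n",
           batch_bytes_unchecked(elem, bucket),
           (unsigned long long)batch_bytes_needed(elem, bucket),
           unchecked_alloc_is_undersized(elem, bucket));
    printf("checked:   %s (%zu bytes)\n",
           batch_bytes_checked(elem, bucket, &ok) ? "size computed without wrap" : "refused", ok);
    return 0;
}
```

On a 64-bit build the widening alone removes the wrap, which is why the checked helper never refuses here; the overflow builtin is what protects a 32-bit build. In both cases the point is that the multiplication must happen in the allocator's width, not in the caller's u32.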

** DISPUTED ** In drivers/char/virtio_console.c in the Linux kernel before 5.13.4, data corruption or loss can be triggered by an untrusted device

CVE-2021-38160 7.8 - High - August 07, 2021

** DISPUTED ** In drivers/char/virtio_console.c in the Linux kernel before 5.13.4, data corruption or loss can be triggered by an untrusted device that supplies a buf->len value exceeding the buffer size. NOTE: the vendor indicates that the cited data corruption is not a vulnerability in any existing use case; the length validation was added solely for robustness in the face of anomalous host OS behavior.

Classic Buffer Overflow

curl supports the `-t` command line option, known as `CURLOPT_TELNETOPTIONS` in libcurl

CVE-2021-22925 5.3 - Medium - August 05, 2021

curl supports the `-t` command line option, known as `CURLOPT_TELNETOPTIONS` in libcurl. This rarely used option is used to send variable=content pairs to TELNET servers. Due to a flaw in the option parser for sending `NEW_ENV` variables, libcurl could be made to pass on uninitialized data from a stack-based buffer to the server, potentially revealing sensitive internal information to the server over a clear-text network protocol. This could happen because curl did not call and use sscanf() correctly when parsing the string provided by the application.

Use of Uninitialized Resource
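The parser bug class this entry describes, as an added example rather than curl's own code: sscanf() reports how many conversions it made, and accepting any non-zero return lets an option with only a variable name through while the value buffer still holds whatever was on the stack. The `var,val` format, the 128-byte buffers, the 0xAA residue fill and the function names are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#define OPT_MAX 128

/* One parsed "-t NEW_ENV=var,val" option: variable name and value. */
struct new_env { char name[OPT_MAX]; char value[OPT_MAX]; };

/* Stand-in for whatever an earlier call left on the stack. A real run leaks
 * unpredictable bytes; the 0xAA fill only makes the leak deterministic. */
static void fill_residue(struct new_env *e)
{
    memset(e, 0xAA, sizeof *e);
    e->name[OPT_MAX - 1] = '\0';
    e->value[OPT_MAX - 1] = '\0';
}

/* Vulnerable pattern: sscanf() returns the number of successful conversions
 * (or EOF). Testing only for "not zero" accepts "USER" (one conversion, value
 * untouched) and even "" (EOF), and the untouched buffers go on the wire. */
static bool parse_new_env_vulnerable(const char *arg, struct new_env *out)
{
    fill_residue(out);
    return sscanf(arg, "%127[^,],%127s", out->name, out->value) != 0;
}

/* Fixed pattern: the option is valid only if both fields were converted. */
static bool parse_new_env_fixed(const char *arg, struct new_env *out)
{
    fill_residue(out);
    return sscanf(arg, "%127[^,],%127s", out->name, out->value) == 2;
}

/* True if the value that would be sent consists solely of residue bytes. */
static bool value_is_residue(const struct new_env *e)
{
    size_t n = strlen(e->value);
    if (n == 0)
        return false;
    for (size_t i = 0; i < n; i++)
        if ((unsigned char)e->value[i] != 0xAA)
            return false;
    return true;
}

/* Does the vulnerable parser accept the option and hand back residue? */
static bool vulnerable_accepts_and_leaks(const char *arg)
{
    struct new_env e;
    return parse_new_env_vulnerable(arg, &e) && value_is_residue(&e);
}

static bool fixed_accepts(const char *arg)
{
    struct new_env e;
    return parse_new_env_fixed(arg, &e);
}

static bool fixed_parses_to(const char *arg, const char *name, const char *value)
{
    struct new_env e;
    return parse_new_env_fixed(arg, &e) &&
           strcmp(e.name, name) == 0 && strcmp(e.value, value) == 0;
}

int main(void)
{
    const char *inputs[] = { "USER,alice", "USER", "" };   /* constructed option strings */
    for (size_t i = 0; i < 3; i++)
        printf("%-12s vulnerable: %-13s fixed: %s\n", inputs[i],
               vulnerable_accepts_and_leaks(inputs[i]) ? "sends residue" : "ok",
               fixed_accepts(inputs[i]) ? "accepted" : "rejected");
    return 0;
}
```

The empty string is the case people forget: sscanf() returns EOF there, which is non-zero, so the vulnerable check accepts it with both buffers untouched. Comparing against the exact number of expected conversions is the only reliable test.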

libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse, if one of them matches the setup. Due to errors in the logic, the config matching function did not take 'issuer cert' into account and it compared the involved paths *case insensitively*

CVE-2021-22924 3.7 - Low - August 05, 2021

libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse, if one of them matches the setup. Due to errors in the logic, the config matching function did not take 'issuer cert' into account and it compared the involved paths *case insensitively*, which could lead to libcurl reusing wrong connections. File paths are, or can be, case sensitive on many systems but not all, and can even vary depending on used file systems. The comparison also didn't include the 'issuer cert' which a transfer can set to qualify how to verify the server certificate.

Use of Incorrectly-Resolved Name or Reference
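The connection-pool match described above, as an added example that is not libcurl's code: a reduced TLS configuration with the fields the advisory names, matched first the way the bug did (case-insensitive paths, issuer cert ignored) and then the way it should be. The struct, the constructed paths and the function names are assumptions for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <ctype.h>
#include <stdio.h>

/* The subset of a transfer's TLS setup that the advisory talks about. */
struct ssl_cfg {
    const char *cafile;      /* CURLOPT_CAINFO */
    const char *capath;      /* CURLOPT_CAPATH */
    const char *issuercert;  /* CURLOPT_ISSUERCERT */
    bool verifypeer;         /* CURLOPT_SSL_VERIFYPEER */
};

/* ASCII case-insensitive compare, the behaviour the buggy matcher relied on. */
static int ascii_casecmp(const char *a, const char *b)
{
    for (;; a++, b++) {
        int ca = tolower((unsigned char)*a), cb = tolower((unsigned char)*b);
        if (ca != cb || ca == '\0')
            return ca - cb;
    }
}

/* Two optional strings match if both are unset, or both set and cmp() agrees. */
static bool opt_eq(const char *a, const char *b, int (*cmp)(const char *, const char *))
{
    if (a == NULL && b == NULL) return true;
    if (a == NULL || b == NULL) return false;
    return cmp(a, b) == 0;
}

/* Buggy match: paths compared case-insensitively and issuercert ignored, so
 * a pooled connection that was verified with another CA bundle, or without
 * the issuer check, is handed to the new transfer. */
static bool cfg_matches_lenient(const struct ssl_cfg *pooled, const struct ssl_cfg *wanted)
{
    return pooled->verifypeer == wanted->verifypeer &&
           opt_eq(pooled->cafile, wanted->cafile, ascii_casecmp) &&
           opt_eq(pooled->capath, wanted->capath, ascii_casecmp);
}

/* Fixed match: byte-exact path comparison, and issuercert is part of the key. */
static bool cfg_matches_strict(const struct ssl_cfg *pooled, const struct ssl_cfg *wanted)
{
    return pooled->verifypeer == wanted->verifypeer &&
           opt_eq(pooled->cafile, wanted->cafile, strcmp) &&
           opt_eq(pooled->capath, wanted->capath, strcmp) &&
           opt_eq(pooled->issuercert, wanted->issuercert, strcmp);
}

/* Constructed configurations; the paths are invented for the example. */
static const struct ssl_cfg POOLED       = { "/etc/ssl/corp-ca.pem", NULL, NULL, true };
static const struct ssl_cfg SAME         = { "/etc/ssl/corp-ca.pem", NULL, NULL, true };
static const struct ssl_cfg CASE_VARIANT = { "/etc/ssl/Corp-CA.pem", NULL, NULL, true };
static const struct ssl_cfg WANTS_ISSUER = { "/etc/ssl/corp-ca.pem", NULL, "/etc/ssl/issuer.pem", true };

int main(void)
{
    printf("case-variant CA path: lenient=%d strict=%d\n",
           cfg_matches_lenient(&POOLED, &CASE_VARIANT), cfg_matches_strict(&POOLED, &CASE_VARIANT));
    printf("issuer cert required: lenient=%d strict=%d\n",
           cfg_matches_lenient(&POOLED, &WANTS_ISSUER), cfg_matches_strict(&POOLED, &WANTS_ISSUER));
    return 0;
}
```

A match function for a cache key has to compare every input that influenced verification, and compare it exactly: on a case-sensitive filesystem `Corp-CA.pem` is a different file, and a transfer that asked for an issuer check must not inherit a connection that never performed one.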

A vulnerability was found in the Linux kernel in versions prior to v5.14-rc1

CVE-2021-3655 3.3 - Low - August 05, 2021

A vulnerability was found in the Linux kernel in versions prior to v5.14-rc1. Missing size validations on inbound SCTP packets may allow the kernel to read uninitialized memory.

Missing Initialization of Resource

A flaw was found in the way nettle's RSA decryption functions handled specially crafted ciphertext

CVE-2021-3580 7.5 - High - August 05, 2021

A flaw was found in the way nettle's RSA decryption functions handled specially crafted ciphertext. An attacker could use this flaw to provide a manipulated ciphertext leading to application crash and denial of service.

Improper Input Validation

If Thunderbird was configured to use STARTTLS for an IMAP connection

CVE-2021-29969 5.9 - Medium - August 05, 2021

If Thunderbird was configured to use STARTTLS for an IMAP connection, and an attacker injected IMAP server responses prior to the completion of the STARTTLS handshake, then Thunderbird didn't ignore the injected data. This could have resulted in Thunderbird showing incorrect information, for example the attacker could have tricked Thunderbird to show folders that didn't exist on the IMAP server. This vulnerability affects Thunderbird < 78.12.

Files or Directories Accessible to External Parties

A malicious webpage could have triggered a use-after-free, memory corruption, and a potentially exploitable crash

CVE-2021-29970 8.8 - High - August 05, 2021

A malicious webpage could have triggered a use-after-free, memory corruption, and a potentially exploitable crash. *This bug could only be triggered when accessibility was enabled.*. This vulnerability affects Thunderbird < 78.12, Firefox ESR < 78.12, and Firefox < 90.

Dangling pointer

Mozilla developers reported memory safety bugs present in code shared between Firefox and Thunderbird

CVE-2021-29976 8.8 - High - August 05, 2021

Mozilla developers reported memory safety bugs present in code shared between Firefox and Thunderbird. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Thunderbird < 78.12, Firefox ESR < 78.12, and Firefox < 90.

Memory Corruption

A lack of CPU resource in the Linux kernel tracing module functionality in versions prior to 5.14-rc3 was found in the way user uses trace ring buffer in a specific way

CVE-2021-3679 5.5 - Medium - August 05, 2021

A lack of CPU resource in the Linux kernel tracing module functionality in versions prior to 5.14-rc3 was found in the way user uses trace ring buffer in a specific way. Only privileged local users (with CAP_SYS_ADMIN capability) could use this flaw to starve the resources causing denial of service.

Resource Exhaustion

In the Linux kernel through 5.13.7, an unprivileged BPF program can obtain sensitive information from kernel memory via a Speculative Store Bypass side-channel attack

CVE-2021-34556 5.5 - Medium - August 02, 2021

In the Linux kernel through 5.13.7, an unprivileged BPF program can obtain sensitive information from kernel memory via a Speculative Store Bypass side-channel attack because the protection mechanism neglects the possibility of uninitialized memory locations on the BPF stack.

Side Channel Attack

In the Linux kernel through 5.13.7, an unprivileged BPF program can obtain sensitive information from kernel memory via a Speculative Store Bypass side-channel attack because a certain preempting store operation does not necessarily occur before a store operation

CVE-2021-35477 5.5 - Medium - August 02, 2021

In the Linux kernel through 5.13.7, an unprivileged BPF program can obtain sensitive information from kernel memory via a Speculative Store Bypass side-channel attack because a certain preempting store operation does not necessarily occur before a store operation that has an attacker-controlled value.

Side Channel Attack

An issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7.3, and 3.x through 3.0.1

CVE-2021-32066 7.4 - High - August 01, 2021

An issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7.3, and 3.x through 3.0.1. Net::IMAP does not raise an exception when StartTLS fails with an unknown response, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the IMAP server to block the StartTLS command, aka a "StartTLS stripping attack."

Inadequate Encryption Strength
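Both IMAP STARTTLS entries on this page, the Thunderbird one (CVE-2021-29969, server responses injected before the handshake completes) and this Ruby Net::IMAP one (an unrecognised STARTTLS reply that raises nothing), come down to the same client-side state transition. The added example below, written in C and not taken from either project, shows the lenient handling next to the strict one: only a tagged OK may start TLS, anything else aborts instead of staying in cleartext, and bytes that arrived after the OK line are discarded rather than parsed. The tag, the server lines and the function names are constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>
#include <stdbool.h>

enum starttls_result {
    STARTTLS_NEED_MORE,       /* no tagged response yet: keep reading */
    STARTTLS_BEGIN_TLS,       /* tagged OK: hand the socket to TLS */
    STARTTLS_ABORT,           /* refuse to continue in cleartext */
    STARTTLS_STAY_PLAINTEXT   /* the bug: carry on without TLS */
};

/* Locate the line "<tag> ..." in buf. Returns the start of the response name
 * (the token after the tag) or NULL; *after is the offset just past the line. */
static const char *tagged_response(const char *buf, const char *tag, size_t *after)
{
    size_t taglen = strlen(tag);
    const char *line = buf;
    while (*line) {
        const char *crlf = strstr(line, "\r\n");
        const char *end = crlf ? crlf + 2 : line + strlen(line);
        if (strncmp(line, tag, taglen) == 0 && line[taglen] == ' ') {
            *after = (size_t)(end - buf);
            return line + taglen + 1;
        }
        if (!crlf) break;
        line = end;
    }
    return NULL;
}

/* Is the response name exactly `word` (followed by space, CR or end)? */
static bool name_is(const char *name, const char *word)
{
    size_t n = strlen(word);
    return strncmp(name, word, n) == 0 &&
           (name[n] == ' ' || name[n] == '\r' || name[n] == '\0');
}

/* Vulnerable handling (the Net::IMAP pattern): NO and BAD raise, OK starts
 * TLS, and any other tagged response is silently ignored, which leaves the
 * session running in cleartext. Bytes buffered after the response are kept
 * and parsed as ordinary server data (the Thunderbird pattern), so *discard
 * is always 0 here. */
static enum starttls_result starttls_lenient(const char *buf, const char *tag, size_t *discard)
{
    size_t after;
    const char *name = tagged_response(buf, tag, &after);
    if (discard) *discard = 0;
    if (!name) return STARTTLS_NEED_MORE;
    if (name_is(name, "OK")) return STARTTLS_BEGIN_TLS;
    if (name_is(name, "NO") || name_is(name, "BAD")) return STARTTLS_ABORT;
    return STARTTLS_STAY_PLAINTEXT;
}

/* Hardened handling: only a tagged OK starts TLS; everything else aborts.
 * Anything that arrived after the OK line came over the cleartext channel
 * and may be attacker-injected, so it is discarded rather than parsed. */
static enum starttls_result starttls_strict(const char *buf, const char *tag, size_t *discard)
{
    size_t after;
    const char *name = tagged_response(buf, tag, &after);
    if (discard) *discard = 0;
    if (!name) return STARTTLS_NEED_MORE;
    if (!name_is(name, "OK")) return STARTTLS_ABORT;
    if (discard) *discard = strlen(buf) - after;
    return STARTTLS_BEGIN_TLS;
}

/* Number of cleartext bytes the strict handler throws away. */
static size_t strict_discard(const char *buf, const char *tag)
{
    size_t d = 0;
    starttls_strict(buf, tag, &d);
    return d;
}

/* Constructed server input: a legitimate OK followed by a line injected by
 * an on-path attacker before the TLS handshake has started. */
#define OK_LINE   "a001 OK Begin TLS negotiation now\r\n"
#define INJECTED  "* LIST (\\Noselect) \"/\" \"injected\"\r\n"

int main(void)
{
    const char *tag = "a001";
    printf("OK + injected line: strict=%d (discards %zu bytes), lenient=%d (discards 0)\n",
           starttls_strict(OK_LINE INJECTED, tag, NULL), strict_discard(OK_LINE INJECTED, tag),
           starttls_lenient(OK_LINE INJECTED, tag, NULL));
    printf("unknown reply:      strict=%d lenient=%d (3 = stays in cleartext)\n",
           starttls_strict("a001 FOO whatever\r\n", tag, NULL),
           starttls_lenient("a001 FOO whatever\r\n", tag, NULL));
    return 0;
}
```

The two rules generalise to any STARTTLS-style protocol (SMTP, POP3, LDAP): the decision to upgrade is a strict allow-list on the server's reply, and the read buffer is emptied before the TLS layer takes over the socket, because everything in it was writable by the network.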

In RDoc 3.11 through 6.x before 6.3.1, as distributed with Ruby through 3.0.1, it is possible to execute arbitrary code

CVE-2021-31799 7 - High - July 30, 2021

In RDoc 3.11 through 6.x before 6.3.1, as distributed with Ruby through 3.0.1, it is possible to execute arbitrary code via a filename that begins with `|` and ends with `tags`.

Command Injection

arch/powerpc/kvm/book3s_rtas.c in the Linux kernel through 5.13.5 on the powerpc platform

CVE-2021-37576 7.8 - High - July 26, 2021

arch/powerpc/kvm/book3s_rtas.c in the Linux kernel through 5.13.5 on the powerpc platform allows KVM guest OS users to cause host OS memory corruption via rtas_args.nargs, aka CID-f62f3c20647e.

Memory Corruption

arch/x86/kvm/svm/nested.c in the Linux kernel before 5.11.12 has a use-after-free in

CVE-2021-29657 7.4 - High - July 22, 2021

arch/x86/kvm/svm/nested.c in the Linux kernel before 5.11.12 has a use-after-free in which an AMD KVM guest can bypass access control on host OS MSRs when there are nested guests, aka CID-a58d9166a756. This occurs because of a TOCTOU race condition associated with a VMCB12 double fetch in nested_svm_vmrun.

Dangling pointer
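The double-fetch race this entry names, as an added illustration that is not KVM's code: a guest-writable control block is validated on one read and used on a second, and a guest vCPU writing in between gets an unvalidated value past the check. The struct, the page-alignment and address-bound rules, the race hook and the names are constructed for the example; the hardened version applies the standard remedy, a single copy of guest state into host-private memory that is then both checked and used.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define GUEST_PAGE    4096u
#define HOST_PA_LIMIT 0x100000000ull   /* constructed bound on guest-physical addresses */

/* Constructed stand-in for the guest-writable control block (the real
 * vmcb12 has many more fields). The guest owns this memory and can change
 * it at any moment from another vCPU. */
struct vmcb_ctrl {
    uint64_t msrpm_base_pa;   /* MSR permission bitmap: page aligned, in range */
    uint32_t asid;            /* address space id: non-zero */
};

/* Hook that stands in for the concurrent guest write in the race window. */
typedef void (*race_fn)(volatile struct vmcb_ctrl *shared);

static bool ctrl_is_valid(uint64_t msrpm_base_pa, uint32_t asid)
{
    return asid != 0 &&
           (msrpm_base_pa % GUEST_PAGE) == 0 &&
           msrpm_base_pa < HOST_PA_LIMIT;
}

/* Vulnerable: the fields are read from guest memory for the check and read
 * again for the use. Whatever the guest stores in between is consumed
 * unvalidated. Returns 0 on success, -1 if the block was rejected. */
static int vmrun_double_fetch(volatile struct vmcb_ctrl *shared, race_fn guest_writes, uint64_t *used)
{
    if (!ctrl_is_valid(shared->msrpm_base_pa, shared->asid))  /* fetch #1 */
        return -1;
    if (guest_writes)
        guest_writes(shared);                                  /* race window */
    *used = shared->msrpm_base_pa;                             /* fetch #2 */
    return 0;
}

/* Fixed: each field is fetched exactly once into host-private memory, and
 * both the check and the use operate on that copy. */
static int vmrun_single_fetch(volatile struct vmcb_ctrl *shared, race_fn guest_writes, uint64_t *used)
{
    struct vmcb_ctrl local;
    local.msrpm_base_pa = shared->msrpm_base_pa;               /* single fetch */
    local.asid = shared->asid;
    if (!ctrl_is_valid(local.msrpm_base_pa, local.asid))
        return -1;
    if (guest_writes)
        guest_writes(shared);                                  /* too late to matter */
    *used = local.msrpm_base_pa;
    return 0;
}

/* Constructed racing guest: swaps in an address past the host bound. */
static void racing_guest(volatile struct vmcb_ctrl *shared)
{
    shared->msrpm_base_pa = HOST_PA_LIMIT + GUEST_PAGE;
}

/* Runs one handler on a control block that starts valid (base 0x2000,
 * asid 7). Returns the base the handler consumed, or UINT64_MAX if it
 * rejected the block. */
static uint64_t base_consumed(bool use_fixed, race_fn racer)
{
    volatile struct vmcb_ctrl shared = { 0x2000, 7 };
    uint64_t used = 0;
    int rc = use_fixed ? vmrun_single_fetch(&shared, racer, &used)
                       : vmrun_double_fetch(&shared, racer, &used);
    return rc == 0 ? used : UINT64_MAX;
}

int main(void)
{
    printf("double fetch, racing guest: consumed base 0x%llx (host limit 0x%llx)\n",
           (unsigned long long)base_consumed(false, racing_guest),
           (unsigned long long)HOST_PA_LIMIT);
    printf("single fetch, racing guest: consumed base 0x%llx\n",
           (unsigned long long)base_consumed(true, racing_guest));
    return 0;
}
```

The same discipline applies to any data a less trusted party can write concurrently: copy_from_user() buffers, DMA-visible descriptors, shared-memory IPC. Validate the private copy, use the private copy, and never touch the shared original again after the check.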

NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability in firmware where the driver contains an assert() or similar statement

CVE-2021-1093 5.5 - Medium - July 22, 2021

NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability in firmware where the driver contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary, and may lead to denial of service or system crash.

Improper Resource Shutdown or Release

NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape where an out of bounds array access may lead to denial of service or information disclosure.

CVE-2021-1094 6.1 - Medium - July 22, 2021

NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape where an out of bounds array access may lead to denial of service or information disclosure.

Buffer Overflow

NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handlers for all control calls with embedded parameters where dereferencing an untrusted pointer may lead to denial of service.

CVE-2021-1095 5.5 - Medium - July 22, 2021

NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handlers for all control calls with embedded parameters where dereferencing an untrusted pointer may lead to denial of service.

NULL Pointer Dereference

hso_free_net_device in drivers/net/usb/hso.c in the Linux kernel through 5.13.4 calls unregister_netdev without checking for the NETREG_REGISTERED state

CVE-2021-37159 6.4 - Medium - July 21, 2021

hso_free_net_device in drivers/net/usb/hso.c in the Linux kernel through 5.13.4 calls unregister_netdev without checking for the NETREG_REGISTERED state, leading to a use-after-free and a double free.

Double-free

Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB)

CVE-2021-2372 4.4 - Medium - July 21, 2021

Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 5.7.34 and prior and 8.0.25 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).

Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB)

CVE-2021-2389 5.9 - Medium - July 21, 2021

Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 5.7.34 and prior and 8.0.25 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 5.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).
