{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-02T16:18:32.008","vulnerabilities":[{"cve":{"id":"CVE-2021-47607","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2024-06-19T15:15:55.263","lastModified":"2024-11-21T06:36:39.430","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix kernel address leakage in atomic cmpxchg's r0 aux reg\n\nThe implementation of BPF_CMPXCHG on a high level has the following parameters:\n\n  .-[old-val]                                          .-[new-val]\n  BPF_R0 = cmpxchg{32,64}(DST_REG + insn->off, BPF_R0, SRC_REG)\n                          `-[mem-loc]          `-[old-val]\n\nGiven a BPF insn can only have two registers (dst, src), the R0 is fixed and\nused as an auxilliary register for input (old value) as well as output (returning\nold value from memory location). While the verifier performs a number of safety\nchecks, it misses to reject unprivileged programs where R0 contains a pointer as\nold value.\n\nThrough brute-forcing it takes about ~16sec on my machine to leak a kernel pointer\nwith BPF_CMPXCHG. The PoC is basically probing for kernel addresses by storing the\nguessed address into the map slot as a scalar, and using the map value pointer as\nR0 while SRC_REG has a canary value to detect a matching address.\n\nFix it by checking R0 for pointers, and reject if that's the case for unprivileged\nprograms."},{"lang":"es","value":"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: bpf: corrige la fuga de dirección del kernel en el registro auxiliar r0 de atomic cmpxchg. La implementación de BPF_CMPXCHG en un nivel alto tiene los siguientes parámetros: .-[old-val] .-[new-val ] BPF_R0 = cmpxchg{32,64}(DST_REG + insn->off, BPF_R0, SRC_REG) `-[mem-loc] `-[old-val] Dado un BPF insn solo puede tener dos registros (dst, src), el R0 es fijo y se utiliza como registro auxiliar para la entrada (valor anterior), así como para la salida (devolver el valor anterior desde la ubicación de la memoria). Si bien el verificador realiza una serie de comprobaciones de seguridad, no rechaza los programas sin privilegios donde R0 contiene un puntero como valor antiguo. A través de la fuerza bruta, en mi máquina se necesitan aproximadamente 16 segundos para filtrar un puntero del kernel con BPF_CMPXCHG. Básicamente, PoC busca direcciones del kernel almacenando la dirección adivinada en la ranura del mapa como un escalar y usando el puntero del valor del mapa como R0, mientras que SRC_REG tiene un valor canario para detectar una dirección coincidente. Solucionelo comprobando R0 en busca de punteros y rechácelo si ese es el caso de los programas sin privilegios."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.12","versionEndExcluding":"5.15.11","matchCriteriaId":"9E292CA0-C53B-4C70-B5CE-94AC1BC7673F"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:5.16:rc1:*:*:*:*:*:*","matchCriteriaId":"357AA433-37E8-4323-BFB2-3038D6E4B414"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:5.16:rc2:*:*:*:*:*:*","matchCriteriaId":"A73429BA-C2D9-4D0C-A75F-06A1CA8B3983"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:5.16:rc3:*:*:*:*:*:*","matchCriteriaId":"F621B5E3-E99D-49E7-90B9-EC3B77C95383"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:5.16:rc4:*:*:*:*:*:*","matchCriteriaId":"F7BFDCAA-1650-49AA-8462-407DD593F94F"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:5.16:rc5:*:*:*:*:*:*","matchCriteriaId":"6EC9882F-866D-4ACB-8FBC-213D8D8436C8"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/a82fe085f344ef20b452cd5f481010ff96b5c4cd","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/f87a6c160ecc8c7b417d25f508d3f076fe346136","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/a82fe085f344ef20b452cd5f481010ff96b5c4cd","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/f87a6c160ecc8c7b417d25f508d3f076fe346136","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"]}]}}]}