{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-14T23:59:12.929","vulnerabilities":[{"cve":{"id":"CVE-2021-47636","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2025-02-26T06:37:05.377","lastModified":"2025-10-01T20:15:40.343","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nubifs: Fix read out-of-bounds in ubifs_wbuf_write_nolock()\n\nFunction ubifs_wbuf_write_nolock() may access buf out of bounds in\nfollowing process:\n\nubifs_wbuf_write_nolock():\n  aligned_len = ALIGN(len, 8);   \/\/ Assume len = 4089, aligned_len = 4096\n  if (aligned_len <= wbuf->avail) ... \/\/ Not satisfy\n  if (wbuf->used) {\n    ubifs_leb_write()  \/\/ Fill some data in avail wbuf\n    len -= wbuf->avail;   \/\/ len is still not 8-bytes aligned\n    aligned_len -= wbuf->avail;\n  }\n  n = aligned_len >> c->max_write_shift;\n  if (n) {\n    n <<= c->max_write_shift;\n    err = ubifs_leb_write(c, wbuf->lnum, buf + written,\n                          wbuf->offs, n);\n    \/\/ n > len, read out of bounds less than 8(n-len) bytes\n  }\n\n, which can be caught by KASAN:\n  =========================================================\n  BUG: KASAN: slab-out-of-bounds in ecc_sw_hamming_calculate+0x1dc\/0x7d0\n  Read of size 4 at addr ffff888105594ff8 by task kworker\/u8:4\/128\n  Workqueue: writeback wb_workfn (flush-ubifs_0_0)\n  Call Trace:\n    kasan_report.cold+0x81\/0x165\n    nand_write_page_swecc+0xa9\/0x160\n    ubifs_leb_write+0xf2\/0x1b0 [ubifs]\n    ubifs_wbuf_write_nolock+0x421\/0x12c0 [ubifs]\n    write_head+0xdc\/0x1c0 [ubifs]\n    ubifs_jnl_write_inode+0x627\/0x960 [ubifs]\n    wb_workfn+0x8af\/0xb80\n\nFunction ubifs_wbuf_write_nolock() accepts that parameter 'len' is not 8\nbytes aligned, the 'len' represents the true length of buf (which is\nallocated in 'ubifs_jnl_xxx', eg. 
ubifs_jnl_write_inode), so\nubifs_wbuf_write_nolock() must handle the length read from 'buf' carefully\nto write leb safely.\n\nFetch a reproducer in [Link]."},{"lang":"es","value":"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: ubifs: Se corrige la lectura fuera de los límites en la función ubifs_wbuf_write_nolock() ubifs_wbuf_write_nolock() puede acceder a buf fuera de los límites en el siguiente proceso: ubifs_wbuf_write_nolock(): classified_len = ALIGN(len, 8); \/\/ Supongamos que len = 4089, classified_len = 4096 if (aligned_len &lt;= wbuf-&gt;avail) ... \/\/ No satisface if (wbuf-&gt;used) { ubifs_leb_write() \/\/ Complete algunos datos en avail wbuf len -= wbuf-&gt;avail; \/\/ len aún no está alineado a 8 bytes classified_len -= wbuf-&gt;avail; } n = classified_len &gt;&gt; c-&gt;max_write_shift; if (n) { n &lt;&lt;= c-&gt;max_write_shift; err = ubifs_leb_write(c, wbuf-&gt;lnum, buf + escrito, wbuf-&gt;offs, n); \/\/ n &gt; len, lectura fuera de los límites menor a 8(n-len) bytes }, lo cual puede ser detectado por KASAN: =========================================================== ERROR: KASAN: slab fuera de los límites en ecc_sw_hamming_calculate+0x1dc\/0x7d0 Lectura de tamaño 4 en la dirección ffff888105594ff8 por la tarea kworker\/u8:4\/128 Cola de trabajo: escritura diferida wb_workfn (flush-ubifs_0_0) Rastreo de llamadas: kasan_report.cold+0x81\/0x165 nand_write_page_swecc+0xa9\/0x160 ubifs_leb_write+0xf2\/0x1b0 [ubifs] ubifs_wbuf_write_nolock+0x421\/0x12c0 [ubifs] write_head+0xdc\/0x1c0 [ubifs] ubifs_jnl_write_inode+0x627\/0x960 [ubifs] wb_workfn+0x8af\/0xb80 La función ubifs_wbuf_write_nolock() acepta que el parámetro 'len' no esté alineado con 8 bytes, 'len' representa la longitud verdadera de buf (que está asignada en 'ubifs_jnl_xxx', p. ej. ubifs_jnl_write_inode), por lo que ubifs_wbuf_write_nolock() debe manejar la longitud leída de 'buf' con cuidado para escribir leb de forma segura. 
Obtenga un reproductor en [Enlace]."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1\/AV:L\/AC:L\/PR:L\/UI:N\/S:U\/C:H\/I:N\/A:H","baseScore":7.1,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.2},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1\/AV:L\/AC:L\/PR:L\/UI:N\/S:U\/C:H\/I:N\/A:H","baseScore":7.1,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.2}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-125"}]},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","description":[{"lang":"en","value":"CWE-125"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.27","versionEndExcluding":"4.19.238","matchCriteriaId":"EF5DCB1F-AE17-4717-80C7-5786A2F74C0C"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.20","versionEndExcluding":"5.4.189","matchCriteriaId":"8CB6E8F5-C2B1-46F3-A807-0F6104AC340F"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.5","versionEndExcluding":"5.10.110","matchCriteriaId":"91D3BFD0-D3F3-4018-957C-96CCBF357D79"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.11","versionEndExcluding":"5.15.33","matchCriteriaId"
:"27C42AE8-B387-43E2-938A-E1C8B40BE6D5"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.16","versionEndExcluding":"5.16.19","matchCriteriaId":"20C43679-0439-405A-B97F-685BEE50613B"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.17","versionEndExcluding":"5.17.2","matchCriteriaId":"210C679C-CF84-44A3-8939-E629C87E54BF"}]}]}],"references":[{"url":"https:\/\/git.kernel.org\/stable\/c\/07a209fadee7b53b46858538e1177597273862e4","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https:\/\/git.kernel.org\/stable\/c\/3b7fb89135a20587d57f8877c02e25003e9edbdf","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https:\/\/git.kernel.org\/stable\/c\/4f2262a334641e05f645364d5ade1f565c85f20b","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https:\/\/git.kernel.org\/stable\/c\/5343575aa11c5d7044107d59d43f84aec01312b0","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https:\/\/git.kernel.org\/stable\/c\/a7054aaf1909cf40489c0ec1b728fdcf79c751a6","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https:\/\/git.kernel.org\/stable\/c\/b80ccbec0e4804436c382d7dd60e943c386ed83a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https:\/\/git.kernel.org\/stable\/c\/e09fa5318d51f522e1af4fbaf8f74999355980c8","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}}]}