CVE-2021-33034

Public on 2021-05-14
Modified on 2021-07-15
Description

A use-after-free flaw was found in hci_send_acl in the Bluetooth host controller interface (HCI) of the Linux kernel, where a local attacker with access rights could cause a denial of service on the system. The issue results from the object hchan being freed in hci_disconn_loglink_complete_evt yet still used elsewhere. The highest threat from this vulnerability is to data integrity, confidentiality and system availability.

Severity
Important
CVSS v3 Base Score
7.8

Affected Packages

Platform | Package | Release Date | Advisory
Amazon Linux 2 - Core | kernel | 2021-07-14 20:35 | ALAS2-2021-1685
Amazon Linux 2 - Kernel-5.10 Extra | kernel | 2022-01-20 23:37 | ALAS2KERNEL-5.10-2022-002
Amazon Linux 2 - Kernel-5.4 Extra | kernel | 2022-01-12 19:26 | ALAS2KERNEL-5.4-2022-004
Amazon Linux 2 - Livepatch Extra | kernel-livepatch-4.14.225-168.357 | 2021-06-22 18:38 | ALAS2LIVEPATCH-2021-050
Amazon Linux 2 - Livepatch Extra | kernel-livepatch-4.14.225-169.362 | 2021-06-22 18:38 | ALAS2LIVEPATCH-2021-051
Amazon Linux 2 - Livepatch Extra | kernel-livepatch-4.14.231-173.360 | 2021-06-22 18:38 | ALAS2LIVEPATCH-2021-052
Amazon Linux 2 - Livepatch Extra | kernel-livepatch-4.14.231-173.361 | 2021-06-22 18:38 | ALAS2LIVEPATCH-2021-053

CVSS Scores

Score Type | Score | Vector
Amazon Linux CVSSv3 | 7.8 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD CVSSv2 | 4.6 | AV:L/AC:L/Au:N/C:P/I:P/A:P
NVD CVSSv3 | 7.8 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H