CVE-2021-33034
Public on 2021-05-14
Modified on 2021-07-15
Description
A use-after-free flaw was found in hci_send_acl in the bluetooth host controller interface (HCI) in Linux kernel, where a local attacker with an access rights could cause a denial of service problem on the system The issue results from the object hchan, freed in hci_disconn_loglink_complete_evt, yet still used in other places. The highest threat from this vulnerability is to data integrity, confidentiality and system availability.
Severity
Important
CVSS v3 Base Score
See breakdown
Affected Packages
| Platform | Package | Release Date | Advisory | Status |
|---|---|---|---|---|
| Amazon Linux 2 - Core | kernel | 2021-07-14 | ALAS2-2021-1685 | Fixed |
| Amazon Linux 2 - Kernel-5.10 Extra | kernel | 2022-01-20 | ALAS2KERNEL-5.10-2022-002 | Fixed |
| Amazon Linux 2 - Kernel-5.4 Extra | kernel | 2022-01-12 | ALAS2KERNEL-5.4-2022-004 | Fixed |
| Amazon Linux 2 - Livepatch Extra | kernel-livepatch-4.14.225-168.357 | 2021-06-22 | ALAS2LIVEPATCH-2021-050 | Fixed |
| Amazon Linux 2 - Livepatch Extra | kernel-livepatch-4.14.225-169.362 | 2021-06-22 | ALAS2LIVEPATCH-2021-051 | Fixed |
| Amazon Linux 2 - Livepatch Extra | kernel-livepatch-4.14.231-173.360 | 2021-06-22 | ALAS2LIVEPATCH-2021-052 | Fixed |
| Amazon Linux 2 - Livepatch Extra | kernel-livepatch-4.14.231-173.361 | 2021-06-22 | ALAS2LIVEPATCH-2021-053 | Fixed |
CVSS Scores
| Score Type | Score | Vector | |
|---|---|---|---|
| Amazon Linux | CVSSv3 | 7.8 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| NVD | CVSSv2 | 4.6 | AV:L/AC:L/Au:N/C:P/I:P/A:P |
| NVD | CVSSv3 | 7.8 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |