Patches for CVE-2021-26708 are being delivered

A new week, a new vulnerability announced. This time, it affects kernels starting from version 5.5-rc1 (November 2019) up 5.10.13 (February 2021).

This vulnerability is an improperly handled race condition in the AF_VSOCK implementation, a kernel facility available to unprivileged users that is shipped as a kernel module in all major distributions.

It allows an unprivileged local user to write a malicious program that provides privilege escalation and full system access as a consequence.

It was introduced in the kernel as part of a patch that introduced multi-transport VSOCK support. This code would have locks in place that didn’t account for the possibility of a variable change on a different but related code path.

This specific kernel functionality (VSOCK) was not particularly affected by vulnerabilities over the years (only three kernel vulnerabilities mention VSOCK over the last 8 years), but it does raise the point that, wherever a security specialist digs deep enough, something ends up vulnerable.

This vulnerability was (responsibly) disclosed on the OSS-Security mailing list, and code patches fixing it have been merged as of version 5.10.13. The kernel being used on major distributions is receiving vendor-supplied patches.

If you prefer to patch it without waiting for a maintenance window or without rebooting your system, KernelCare is now receiving patches for this vulnerability that are applied without disruption. EL8 already has patches ready, the other supported distributions will receive them shortly as well.

A detailed article will be up in the blog soon.