Patches for CVE-2021-26708 are being delivered - TuxCare

February 10, 2021 - TuxCare expert team

A new week, a new vulnerability announced. This time, it affects kernels starting from version 5.5-rc1 (November 2019) up to 5.10.13 (February 2021).

This vulnerability is an improperly handled race condition in the AF_VSOCK implementation, a kernel facility available to unprivileged users that is shipped as a kernel module in all major distributions.

It allows an unprivileged local user to write a malicious program that escalates privileges and, as a consequence, gains full system access.

It was introduced in the kernel as part of a patch that added multi-transport VSOCK support. The locking in that code did not account for the possibility of a variable being changed on a different but related code path.
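The pattern described above can be shown with a simplified user-space model. This is an added example, not kernel code and not taken from the fix; it assumes the variable is a pointer that one path reads before taking the lock while a related path replaces it under the lock, and every name in it (`sock_model`, `reassign_transport`, `use_transport_racy`, `use_transport_fixed`) is hypothetical.

```c
#include <pthread.h>
#include <stdio.h>

/* Hypothetical user-space model; these names are not the kernel's. */
struct transport { int id; int alive; };
struct sock_model { pthread_mutex_t lock; struct transport *transport; };

static struct transport t_old, t_new;
static struct sock_model sk = { PTHREAD_MUTEX_INITIALIZER, NULL };

static void reset_model(void) {
    t_old = (struct transport){ 1, 1 };
    t_new = (struct transport){ 2, 1 };
    sk.transport = &t_old;
}

/* Related code path: swaps the transport under the lock and retires the old one. */
static void reassign_transport(void) {
    pthread_mutex_lock(&sk.lock);
    sk.transport->alive = 0;          /* stands in for freeing the old object */
    sk.transport = &t_new;
    pthread_mutex_unlock(&sk.lock);
}

/* Racy: the pointer is read before the lock is taken. The `window` callback
 * runs the other path at that exact point so the outcome is deterministic. */
static int use_transport_racy(void (*window)(void)) {
    struct transport *t = sk.transport;   /* unlocked read */
    if (window) window();
    pthread_mutex_lock(&sk.lock);
    int alive = t->alive;                 /* stale pointer: retired object */
    pthread_mutex_unlock(&sk.lock);
    return alive;
}

/* Fixed: the pointer is read only while the lock is held. */
static int use_transport_fixed(void (*window)(void)) {
    if (window) window();
    pthread_mutex_lock(&sk.lock);
    int alive = sk.transport->alive;
    pthread_mutex_unlock(&sk.lock);
    return alive;
}

int main(void) {
    reset_model(); printf("racy  sees live object: %d\n", use_transport_racy(reassign_transport));
    reset_model(); printf("fixed sees live object: %d\n", use_transport_fixed(reassign_transport));
    return 0;
}
```

In the racy variant the lock is held for the use but not for the read, so holding it does not protect against the pointer having been replaced in between.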

This specific kernel functionality (VSOCK) was not particularly affected by vulnerabilities over the years (only three kernel vulnerabilities mention VSOCK over the last 8 years), but it does raise the point that, wherever a security specialist digs deep enough, something ends up vulnerable.

This vulnerability was (responsibly) disclosed on the OSS-Security mailing list, and code patches fixing it have been merged as of version 5.10.13. The kernel being used on major distributions is receiving vendor-supplied patches.

If you prefer to patch it without waiting for a maintenance window or without rebooting your system, KernelCare is now receiving patches for this vulnerability that are applied without disruption. EL8 already has patches ready; the other supported distributions will receive them shortly as well.

A detailed article will be up in the blog soon.
