CVE-2021-31872

9.8 CRITICAL

📋 TL;DR

This vulnerability in klibc's cpio command allows integer overflows on 32-bit systems that can lead to buffer overflows. Attackers could potentially execute arbitrary code or cause denial of service. Systems using klibc versions before 2.0.9 on 32-bit architectures are affected.

💻 Affected Systems

Products:
  • klibc
  • systems using klibc utilities
  • initramfs tools
Versions: All versions before 2.0.9
Operating Systems: Linux distributions using klibc, 32-bit Linux systems
Default Config Vulnerable: ⚠️ Yes
Notes: Primarily affects 32-bit systems; 64-bit systems may be less vulnerable but should still patch

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution with root privileges leading to complete system compromise

🟠 Likely Case: Local privilege escalation or denial of service through cpio command manipulation

🟢 If Mitigated: Limited impact if proper input validation and sandboxing are in place

🌐 Internet-Facing: LOW (cpio is typically used locally, not exposed to network)
🏢 Internal Only: MEDIUM (requires local access or ability to trigger cpio operations)

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires ability to trigger cpio operations with malicious input; proof-of-concept details are publicly available

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.0.9 and later

Vendor Advisory: https://lists.zytor.com/archives/klibc/2021-April/004593.html

Restart Required: No

Instructions:

1. Update klibc package to version 2.0.9 or later
2. Update any dependent packages (like initramfs tools)
3. Rebuild initramfs if using klibc in initramfs
4. Verify the update with version check

🔧 Temporary Workarounds

Disable vulnerable cpio usage (Linux): remove or restrict cpio command usage in scripts and automated processes.

chmod -x /usr/bin/cpio
mv /usr/bin/cpio /usr/bin/cpio.disabled

Use 64-bit systems (Linux): migrate to 64-bit systems, where the integer overflow risk is reduced.

🧯 If You Can't Patch

  • Implement strict input validation for cpio operations
  • Run cpio commands with minimal privileges using sudo restrictions or containers

🔍 How to Verify

Check if Vulnerable:

Check the installed klibc version with dpkg -l | grep klibc (Debian-based systems) or rpm -qa | grep klibc (RPM-based systems)

Check Version:

dpkg -l | grep klibc || rpm -qa | grep klibc || find /lib -name '*klibc*' -exec strings {} \; | grep -i version

Verify Fix Applied:

Verify that the installed version is 2.0.9 or higher, using klibc-version or the package version check above

📡 Detection & Monitoring

Log Indicators:

  • Unusual cpio command usage
  • Process crashes related to cpio
  • Suspicious initramfs operations

Network Indicators:

  • N/A (local vulnerability)

SIEM Query:

process_name="cpio" AND (process_args CONTAINS "-I" OR process_args CONTAINS "-O")
