CVE-2021-3490
📋 TL;DR
CVE-2021-3490 is a Linux kernel vulnerability in the eBPF verifier's 32-bit (ALU32) bounds tracking for bitwise operations (AND, OR, XOR). It allows local attackers to trigger out-of-bounds reads/writes, potentially leading to arbitrary code execution and privilege escalation. Affected systems are those running vulnerable Linux kernel versions with eBPF enabled.
💻 Affected Systems
- Linux Kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Ubuntu Linux by Canonical
⚠️ Risk & Real-World Impact
Worst Case
Local attacker gains root privileges via kernel memory corruption, leading to complete system compromise.
Likely Case
Local privilege escalation from unprivileged user to root, enabling persistence and lateral movement.
If Mitigated
With proper kernel hardening and eBPF restrictions, the impact is limited to denial of service or a reduced privilege escalation scope.
🎯 Exploit Status
Exploitation requires local access and knowledge of eBPF programming. Public exploit code is available in the Packet Storm reference.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Fixed in kernel versions: v5.13-rc4, v5.12.4, v5.11.21, v5.10.37 and later
Vendor Advisory: https://ubuntu.com/security/notices/USN-4949-1
Restart Required: Yes
Instructions:
1. Update the kernel package using the distribution's package manager.
2. For Ubuntu: sudo apt update && sudo apt upgrade linux-image-$(uname -r).
3. Reboot the system to load the patched kernel.
🔧 Temporary Workarounds
Disable unprivileged eBPF
Prevents non-root users from loading eBPF programs
sysctl -w kernel.unprivileged_bpf_disabled=1
echo 'kernel.unprivileged_bpf_disabled=1' >> /etc/sysctl.conf
Restrict eBPF with seccomp
Use seccomp filters to block the bpf() syscall
🧯 If You Can't Patch
- Implement strict user privilege separation and limit shell access
- Monitor for suspicious eBPF program loading and kernel module activity
🔍 How to Verify
Check if Vulnerable:
Check the kernel version with uname -r. Vulnerable if the upstream version is between 5.7 and 5.12.3 and below the fixed release for its stable series (5.10.37, 5.11.21, 5.12.4), or if it is one of the specific vulnerable distribution-backported versions listed in the vendor advisory.
Check Version:
uname -r
Verify Fix Applied:
Verify kernel version is 5.12.4, 5.11.21, 5.10.37 or later after update and reboot.
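As an added example (not from the advisory or the kernel project), a POSIX shell check that applies the fixed-version list from the Official Fix section to a uname -r string and also reports whether the unprivileged-eBPF workaround from the Temporary Workarounds section is active. The function names kernel_status and bpf_workaround_status are mine; the upstream version is only a heuristic, because distribution kernels backport fixes without changing the base version, so a "vulnerable" result means "confirm against the vendor advisory".

```shell
#!/bin/sh
# Added example, not part of the original advisory. Classifies a kernel release
# string against the upstream fixed versions (5.10.37, 5.11.21, 5.12.4, 5.13-rc4)
# and checks whether kernel.unprivileged_bpf_disabled is set. Distribution kernels
# (e.g. Ubuntu's 5.11.0-NN-generic) carry backported fixes under the same upstream
# base version, so "vulnerable" here means "check the vendor advisory", not proof.

# kernel_status RELEASE -> prints not-affected | vulnerable | fixed
kernel_status() {
    rel=$1
    maj=$(printf '%s\n' "$rel" | cut -d. -f1)
    min=$(printf '%s\n' "$rel" | cut -d. -f2 | sed 's/[^0-9].*//')
    pat=$(printf '%s\n' "$rel" | cut -d. -f3 | sed 's/[^0-9].*//')
    rc=$(printf '%s\n' "$rel" | sed -n 's/.*-rc\([0-9][0-9]*\).*/\1/p')
    : "${min:=0}" "${pat:=0}"

    if [ "$maj" -gt 5 ]; then echo fixed; return; fi
    if [ "$maj" -lt 5 ] || [ "$min" -lt 7 ]; then echo not-affected; return; fi

    case "$min" in
        7|8|9) echo vulnerable ;;   # no fixed release listed for these series
        10) [ "$pat" -ge 37 ] && echo fixed || echo vulnerable ;;
        11) [ "$pat" -ge 21 ] && echo fixed || echo vulnerable ;;
        12) [ "$pat" -ge 4 ]  && echo fixed || echo vulnerable ;;
        13) if [ -n "$rc" ] && [ "$rc" -lt 4 ]; then echo vulnerable; else echo fixed; fi ;;
        *)  echo fixed ;;
    esac
}

# bpf_workaround_status [SYSCTL_FILE] -> prints mitigated | unmitigated
# Reads kernel.unprivileged_bpf_disabled; any non-zero value blocks bpf() for
# unprivileged users (1 is locked until reboot, 2 can be re-enabled by root).
bpf_workaround_status() {
    f=${1:-/proc/sys/kernel/unprivileged_bpf_disabled}
    v=$(cat "$f" 2>/dev/null || echo 0)
    [ "$v" -ne 0 ] && echo mitigated || echo unmitigated
}

printf 'kernel %s: %s\n' "$(uname -r)" "$(kernel_status "$(uname -r)")"
printf 'unprivileged eBPF: %s\n' "$(bpf_workaround_status)"
```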
📡 Detection & Monitoring
Log Indicators:
- Failed bpf() syscalls from non-root users
- Kernel oops or panic logs related to eBPF
Network Indicators:
- None - local exploitation only
SIEM Query:
(process.name=bpf OR syscall.name=bpf) AND user.name!=root
🔗 References
- http://packetstormsecurity.com/files/164015/Linux-eBPF-ALU32-32-bit-Invalid-Bounds-Tracking-Local-Privilege-Escalation.html
- https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/commit/?id=049c4e13714ecbca567b4d5f6d563f05d431c80e
- https://security.netapp.com/advisory/ntap-20210716-0004/
- https://ubuntu.com/security/notices/USN-4949-1
- https://ubuntu.com/security/notices/USN-4950-1
- https://www.openwall.com/lists/oss-security/2021/05/11/11
- https://www.zerodayinitiative.com/advisories/ZDI-21-606/