Login Sign Up

CVE-2021-35039

7.8 HIGH

📋 TL;DR

This vulnerability in the Linux kernel allows loading of unsigned kernel modules even when module signature enforcement is requested via the module.sig_enforce=1 command-line argument. Systems running Linux kernel versions before 5.12.14 without CONFIG_MODULE_SIG enabled are affected, potentially allowing attackers to load malicious kernel modules.

💻 Affected Systems

Products:
  • Linux kernel
Versions: All versions before 5.12.14
Operating Systems: Linux distributions using affected kernel versions
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when CONFIG_MODULE_SIG is not enabled in kernel configuration and module.sig_enforce=1 is used.

📦 What is this software?

Debian Linux by Debian

View all CVEs affecting Debian Linux →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could load malicious kernel modules to gain root privileges, establish persistence, bypass security controls, or cause system instability/crashes.

🟠

Likely Case

Privileged attackers could load malicious kernel modules to escalate privileges or bypass security mechanisms.

🟢

If Mitigated

With proper controls, impact is limited to systems where attackers already have sufficient privileges to load modules.

🌐 Internet-Facing: LOW - Requires local access or existing compromise to exploit.
🏢 Internal Only: MEDIUM - Internal attackers with sufficient privileges could exploit this for privilege escalation.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires ability to load kernel modules (typically root or CAP_SYS_MODULE capability).

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.12.14 and later

Vendor Advisory: https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.12.14

Restart Required: Yes

Instructions:

1. Update kernel to version 5.12.14 or later. 2. Rebuild kernel if using custom kernel. 3. Reboot system to load patched kernel.

🔧 Temporary Workarounds

Enable CONFIG_MODULE_SIG

linux

Build kernel with CONFIG_MODULE_SIG enabled to enforce module signature verification

Ensure CONFIG_MODULE_SIG=y in kernel configuration before building

Disable module loading

linux

Prevent loading of kernel modules entirely

echo 1 > /proc/sys/kernel/modules_disabled

🧯 If You Can't Patch

  • Ensure CONFIG_MODULE_SIG is enabled in kernel configuration
  • Restrict module loading to trusted users only via capabilities or SELinux/AppArmor policies

🔍 How to Verify

Check if Vulnerable:

Check kernel version and if CONFIG_MODULE_SIG is enabled: uname -r and grep CONFIG_MODULE_SIG /boot/config-$(uname -r)

Check Version:

uname -r

Verify Fix Applied:

Verify kernel version is 5.12.14 or later: uname -r

📡 Detection & Monitoring

Log Indicators:

  • Kernel module loading attempts in system logs
  • Failed module signature verification messages

Network Indicators:

  • None - local exploitation only

SIEM Query:

source="kernel" AND "module" AND ("loading" OR "signature")

📊 Metadata

CVE ID: CVE-2021-35039
CVSS v3 Score: 7.8 (HIGH)
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-347
Published: July 7, 2021
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-35039, you might also want to check these:

CVE-2022-24884 10.0

This vulnerability in ecdsautils allows attackers to forge ECDSA signatures by providing zero-value ...

Same vulnerability type (CWE-347)
CVE-2023-25574 10.0

CVE-2023-25574 is a critical authentication bypass vulnerability in jupyterhub-ltiauthenticator's LT...

Same vulnerability type (CWE-347)
CVE-2024-45409 10.0

CVE-2024-45409 is a critical authentication bypass vulnerability in the Ruby SAML library where SAML...

Same vulnerability type (CWE-347)