CVE-2021-3612

7.8 HIGH

📋 TL;DR

A local privilege escalation vulnerability in Linux kernel versions before 5.9-rc1 allows attackers with local access to crash systems or gain root privileges through improper bounds checking in joystick device ioctl handling. This affects any Linux system with vulnerable kernel versions and joystick device support. The vulnerability requires local access but can lead to complete system compromise.

💻 Affected Systems

Products:
  • Linux Kernel
Versions: All versions before 5.9-rc1
Operating Systems: Linux distributions using vulnerable kernel versions
Default Config Vulnerable: ⚠️ Yes
Notes: Requires joystick device subsystem to be present (common in desktop/server kernels). Embedded systems without joystick support may not be vulnerable.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...


⚠️ Risk & Real-World Impact

🔴 Worst Case

Local attacker gains root privileges, leading to complete system compromise, data theft, persistence establishment, and lateral movement within the network.

🟠 Likely Case

Local user crashes the kernel causing system instability or denial of service, potentially leading to data loss and service disruption.

🟢 If Mitigated

With proper access controls and patching, impact is limited to denial of service from crashes, with no privilege escalation possible.

🌐 Internet-Facing: LOW - Requires local access to system, cannot be exploited remotely over network.
🏢 Internal Only: HIGH - Any local user or compromised account can exploit this to gain root privileges on affected systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires local user access. Proof-of-concept code has been published in security advisories and mailing lists.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Linux kernel 5.9-rc1 and later

Vendor Advisory: https://bugzilla.redhat.com/show_bug.cgi?id=1974079

Restart Required: Yes

Instructions:

1. Update the Linux kernel to version 5.9-rc1 or later.
2. For distributions: use the package manager (apt/yum/dnf) to update the kernel packages.
3. Reboot the system to load the new kernel.

🔧 Temporary Workarounds

Disable joystick module (linux)

Prevent loading of the joystick device driver to eliminate the attack surface:

echo 'blacklist joydev' >> /etc/modprobe.d/blacklist-joystick.conf
rmmod joydev

Note: a blacklist entry only stops automatic loading by alias; adding a line "install joydev /bin/false" to the same file also blocks an explicit modprobe. rmmod fails while the module is in use, and neither step helps if joydev is built into the kernel rather than loaded as a module.

Restrict ioctl access (linux)

Use SELinux/AppArmor to restrict joystick device access:

# Configure SELinux/AppArmor policies to deny joystick device access

🧯 If You Can't Patch

  • Implement strict access controls to limit local user accounts and monitor for suspicious activity
  • Use mandatory access control systems (SELinux/AppArmor) to restrict device access and contain potential exploits

🔍 How to Verify

Check if Vulnerable:

Check the kernel version with uname -r. If the version is earlier than 5.9-rc1, the system is vulnerable.

Check Version:

uname -r

Verify Fix Applied:

After patching, verify kernel version is 5.9-rc1 or later with uname -r and check that system remains stable during joystick device operations.
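As an added example (not part of this advisory), a small Python script that applies the version check above to a uname -r string, handling release-candidate ordering correctly, and scans /proc/modules to report whether the joydev module targeted by the workaround is currently loaded. The 5.9-rc1 threshold comes from this advisory; the /proc/modules sample is constructed. Distribution kernels backport fixes without bumping the upstream version, so the version comparison over-reports on them and should be confirmed against the distribution's own advisory.

```python
import platform
import re
from pathlib import Path
from typing import Tuple

FIXED_IN = "5.9-rc1"  # fixed-in version as stated in the advisory

# Matches "5.8.0-63-generic", "5.9.0-rc1", "4.19.191" and "5.9-rc1"
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?")


def parse_kernel_version(release: str) -> Tuple[int, int, int, int, int]:
    """Turn a uname -r string into a sortable key where release candidates
    sort before the final release: 5.8.18 < 5.9-rc1 < 5.9-rc2 < 5.9.0 < 5.9.1."""
    m = _VERSION_RE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor = int(m.group(1)), int(m.group(2))
    if m.group(4) is not None:
        return (major, minor, 0, 0, int(m.group(4)))  # rc: flag 0 sorts below final
    return (major, minor, int(m.group(3) or 0), 1, 0)  # final release: flag 1


def is_vulnerable_by_version(release: str) -> bool:
    """True when the upstream version predates the fix. Heuristic only:
    distribution kernels backport fixes without bumping this number."""
    return parse_kernel_version(release) < parse_kernel_version(FIXED_IN)


def joydev_loaded(proc_modules: str) -> bool:
    """Scan /proc/modules text; the module name is the first column."""
    return any(line.split()[:1] == ["joydev"] for line in proc_modules.splitlines())


# Constructed sample of /proc/modules content, for offline use
SAMPLE_PROC_MODULES = "joydev 24576 0 - Live 0x0000000000000000\nevdev 24576 2 - Live 0x0000000000000000\n"


def main() -> None:
    release = platform.release()  # same string as uname -r on Linux
    modules = Path("/proc/modules")
    loaded = joydev_loaded(modules.read_text()) if modules.exists() else False
    print(f"{release}: version predates fix={is_vulnerable_by_version(release)}, joydev loaded={loaded}")


if __name__ == "__main__":
    main()
```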

📡 Detection & Monitoring

Log Indicators:

  • Kernel panic logs
  • System crash dumps
  • Unusual joystick device access in audit logs

Network Indicators:

  • None - local exploit only

SIEM Query:

(source="kernel" AND ("panic" OR "oops") AND "joydev") OR (source="audit" AND "ioctl" AND "JSIOCSBTNMAP")
