CVE-2021-37322

7.8 HIGH

📋 TL;DR

CVE-2021-37322 is a use-after-free vulnerability in GCC's c++filt utility (version 2.26) that can lead to arbitrary code execution or denial of service. This affects systems where c++filt processes untrusted input, potentially allowing attackers to crash the utility or execute malicious code. The vulnerability resides in the cplus-dem.c component used for C++ name demangling.

💻 Affected Systems

Products:
  • GNU Compiler Collection (GCC)
Versions: GCC version 2.26 specifically; other versions may be affected if they include the vulnerable component.
Operating Systems: Linux, Unix-like systems, Windows (if GCC is installed)
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability is in the c++filt utility, which is part of GCC's binutils. Systems using c++filt to process untrusted C++ mangled names are at risk.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution with the privileges of the c++filt process, potentially leading to full system compromise if c++filt runs with elevated privileges.

🟠 Likely Case

Denial of service through application crashes when processing malicious input, disrupting demangling operations.

🟢 If Mitigated

Limited impact if c++filt only processes trusted input or runs with minimal privileges in isolated environments.

🌐 Internet-Facing: LOW - c++filt is typically not exposed to external networks and requires local access or specific integration to be exploitable remotely.
🏢 Internal Only: MEDIUM - Internal users or processes could exploit this if they can supply malicious input to c++filt, potentially leading to privilege escalation or system disruption.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires the ability to supply malicious input to c++filt, which may involve local access or integration into vulnerable workflows. Proof-of-concept code is available in the bug reports.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: GCC versions after 2.26, specifically patched in binutils updates; check for binutils >= 2.36 or apply vendor patches.

Vendor Advisory: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99188

Restart Required: No

Instructions:

1. Update GCC/binutils to a patched version from your distribution's repository.
2. For source builds, apply the patch from the GCC bug report and recompile.
3. Verify the update by checking the c++filt version.

🔧 Temporary Workarounds

Restrict c++filt usage (linux)

Limit c++filt to trusted users and inputs only, reducing exposure to malicious data.

chmod 750 /usr/bin/c++filt
setfacl -m u:trusted_user:rx /usr/bin/c++filt

Use alternative demangling tools (all platforms)

Replace c++filt with other demangling utilities if available, to avoid the vulnerable component.

🧯 If You Can't Patch

  • Isolate c++filt in a sandboxed environment with minimal privileges to limit potential damage from exploitation.
  • Monitor and audit c++filt usage for unusual activity or crashes that might indicate exploitation attempts.

🔍 How to Verify

Check if Vulnerable:

Run 'c++filt --version' and check whether it reports version 2.26 or another vulnerable binutils version. Alternatively, test with a known malicious input from the bug report and observe whether the utility crashes.

Check Version:

c++filt --version | grep -i binutils

Verify Fix Applied:

After patching, run 'c++filt --version' to confirm the updated version. Re-test with the same malicious input and confirm that no crash occurs.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected crashes or segmentation faults in c++filt processes
  • High CPU or memory usage spikes associated with c++filt

Network Indicators:

  • Unusual network connections originating from c++filt processes, although this is unlikely because c++filt is a local tool

SIEM Query:

process_name:"c++filt" AND (event_type:"crash" OR exit_code:139)
