CVE-2021-40490

Q: What is the severity of CVE-2021-40490?

CVE-2021-40490 has a CVSS score of 7.0 (HIGH). A race condition vulnerability in the ext4 filesystem's inline data handling in Linux kernel versions up to 5.13.13 allows local attackers to corrupt filesystem metadata or cause denial of service. This affects systems using ext4 with inline data enabled, primarily Linux servers and workstations. Attackers need local access to exploit this vulnerability.

7.0 HIGH

Denial of Service

📋 TL;DR

A race condition vulnerability in the ext4 filesystem's inline data handling in Linux kernel versions up to 5.13.13 allows local attackers to corrupt filesystem metadata or cause denial of service. This affects systems using ext4 with inline data enabled, primarily Linux servers and workstations. Attackers need local access to exploit this vulnerability.

💻 Affected Systems

Products:

Linux kernel

Versions: Linux kernel versions through 5.13.13

Operating Systems: Linux distributions using affected kernel versions

Default Config Vulnerable: ✅ No

Notes: Only vulnerable when ext4 filesystem with inline data feature is used. Many distributions disable inline data by default.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Filesystem corruption leading to data loss, system crashes, or potential privilege escalation if combined with other vulnerabilities.

🟠

Likely Case

System instability, kernel panics, or denial of service through filesystem corruption.

🟢

If Mitigated

Minimal impact with proper access controls limiting local user privileges.

🌐 Internet-Facing: LOW - Requires local access to exploit, not directly reachable from network.

🏢 Internal Only: MEDIUM - Local users or compromised accounts could exploit this to disrupt system stability.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: HIGH

Race conditions are difficult to exploit reliably and require precise timing. No public exploits have been documented.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Linux kernel 5.13.14 and later

Vendor Advisory: https://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4.git/commit/?id=9e445093e523f3277081314c864f708fd4bd34aa

Restart Required: Yes

Instructions:

1. Update Linux kernel to version 5.13.14 or later. 2. For distributions: Use package manager (apt, yum, dnf) to update kernel package. 3. Reboot system to load new kernel.

🔧 Temporary Workarounds

Disable ext4 inline data feature

linux

Mount ext4 filesystems without inline data support to prevent exploitation

mount -o remount,noinline_data /mount/point

🧯 If You Can't Patch

Restrict local user access and implement least privilege principles
Monitor system logs for filesystem corruption or kernel panic events

🔍 How to Verify

Check if Vulnerable:

Check kernel version: uname -r. If version is 5.13.13 or earlier and ext4 with inline data is used, system is vulnerable.

Check Version:

uname -r

Verify Fix Applied:

Verify kernel version is 5.13.14 or later: uname -r

📡 Detection & Monitoring

Log Indicators:

Kernel panic messages
ext4 filesystem error messages in dmesg or /var/log/kern.log
Unexpected system reboots

Network Indicators:

None - local exploit only

SIEM Query:

source="kernel" AND ("panic" OR "ext4 error" OR "filesystem corruption")

📊 Metadata

CVE ID: CVE-2021-40490

CVSS v3 Score: 7.0 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-362

Published: September 3, 2021

Last Updated: November 21, 2024

🔗 References

https://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4.git/commit/?id=9e445093e523f3277081314c864f708fd4bd34aa Patch,Vendor Advisory
https://lists.debian.org/debian-lts-announce/2021/10/msg00010.html Mailing List,Third Party Advisory
https://lists.debian.org/debian-lts-announce/2021/12/msg00012.html Mailing List,Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M6VS2DLGT7TK7URKAS2KWJL3S533SGVA/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XJGX3DMJT6MRBW2XEF3TWVHYWZW3DG3N/
https://security.netapp.com/advisory/ntap-20211004-0001/ Third Party Advisory
https://www.debian.org/security/2021/dsa-4978 Mailing List,Third Party Advisory
https://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4.git/commit/?id=9e445093e523f3277081314c864f708fd4bd34aa Patch,Vendor Advisory
https://lists.debian.org/debian-lts-announce/2021/10/msg00010.html Mailing List,Third Party Advisory
https://lists.debian.org/debian-lts-announce/2021/12/msg00012.html Mailing List,Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M6VS2DLGT7TK7URKAS2KWJL3S533SGVA/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XJGX3DMJT6MRBW2XEF3TWVHYWZW3DG3N/
https://security.netapp.com/advisory/ntap-20211004-0001/ Third Party Advisory
https://www.debian.org/security/2021/dsa-4978 Mailing List,Third Party Advisory

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Aff A250 Firmware by Netapp

Debian Linux by Debian

Debian Linux by Debian

Fas 500f Firmware by Netapp

Fedora by Fedoraproject

Fedora by Fedoraproject

H300e Firmware by Netapp

H300s Firmware by Netapp

H410c Firmware by Netapp

H410s Firmware by Netapp

H500e Firmware by Netapp

H500s Firmware by Netapp

H610c Firmware by Netapp

H610s Firmware by Netapp

H615c Firmware by Netapp

H700e Firmware by Netapp

H700s Firmware by Netapp