Connect with us

Hi, what are you looking for?


Application Security

Linux Foundation Fixes ‘Dangerous’ Code Execution Kernel Bug

Researchers are calling attention to a newly discovered security defect in a kernel module that ships with all major Linux distributions, warning that remote attackers can exploit the bug to take complete control of a vulnerable system.

Researchers are calling attention to a newly discovered security defect in a kernel module that ships with all major Linux distributions, warning that remote attackers can exploit the bug to take complete control of a vulnerable system.

The vulnerability — CVE-2021-43267 — is described as a heap overflow in the TIPC (Transparent Inter-Process Communication) module that ships with the Linux kernel to allow nodes in a cluster to communicate with each other in a fault-tolerant way.

“The vulnerability can be exploited either locally or remotely within a network to gain kernel privileges, allowing an attacker to compromise the entire system,” according to a warning from SentinelOne’s Max Van Amerongen, the security researcher who found — and helped fix — the underlying vulnerability.

Van Amerongen said he discovered the bug almost by accident using Microsoft’s CodeQL, an open-source semantic code analysis engine that helps ferret out security defects at scale.

[ READ: Google Triples Bounty for Linux Kernel Exploitation ]

He said the flaw was introduced in the Linux kernel in September 2020 when a new user message type called MSG_CRYPTO was added to allow peers to send cryptographic keys. Looking at the code, Van Amerongen found a “clear-cut kernel heap buffer overflow” with remote exploit implications.

Although the vulnerable TIPC module comes with all major Linux distributions, it needs to be loaded in order to enable the protocol and trigger the vulnerability.

The Linux foundation shipped a patch on October 29 and confirmed the underlying vulnerability affects kernel versions between 5.10 and 5.15.

Advertisement. Scroll to continue reading.

SentinelOne said Thursday it had not seen evidence of in-the-wild abuse.

“This vulnerability can be exploited both locally and remotely. While local exploitation is easier due to greater control over the objects allocated in the kernel heap, remote exploitation can be achieved thanks to the structures that TIPC supports,” Van Amerongen notes. 

While TIPC itself isn’t loaded automatically by the system and has to be enabled by end users, Van Amerongen said the ability to configure it from an unprivileged local perspective and the possibility of remote exploitation “makes this a dangerous vulnerability” for those that use it in their networks

“As this vulnerability was discovered within a year of its introduction into the codebase, TIPC users should ensure that their Linux kernel version is not between 5.10-rc1 and 5.15,” he added. 

Related: GitHub Announces General Availability of Code Scanning Feature

Related: Google Triples Bounty for Linux Kernel Exploitation

Related: GitHub Discloses Details of Easy-to-Exploit Linux Vulnerability

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...