CVE-2021-3782

An internal reference count is held on the buffer pool, incremented every time a new buffer is created from the pool. The reference count is maintained as an int; on LP64 systems this can cause the reference count to overflow if the client creates a large number of wl_shm buffer objects, or if it can coerce the server to create a large number of external references to the buffer storage. With the reference count overflowing, a use-after-free can be constructed on the wl_shm_pool tracking structure, where values may be incremented or decremented; it may also be possible to construct a limited oracle to leak 4 bytes of server-side memory to the attacking client at a time.

CVSS v3 6.6 MEDIUM

6.6^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.8 / Impact : 4.7

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://gitlab.freedesktop.org/wayland/wayland/-/issues/224	Exploit Issue Tracking Patch Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:wayland:wayland:*:*:*:*:*:*:*:*

History

26 Jun 2023, 17:47

Type	Values Removed	Values Added
CWE	~~NVD-CWE-Other~~	CWE-190

01 Jun 2023, 17:57

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~9.8~~	v2 : unknown v3 : 6.6

Information

Published : 2022-09-23 16:15

Updated : 2024-02-28 19:29

NVD link : CVE-2021-3782

Mitre link : CVE-2021-3782

CVE.ORG link : CVE-2021-3782

JSON object : View

Products Affected

wayland

wayland

CWE

CWE-190

Integer Overflow or Wraparound

{"id": "CVE-2021-3782", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.6, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 4.7, "exploitabilityScore": 1.8}]}, "published": "2022-09-23T16:15:10.143", "references": [{"url": "https://gitlab.freedesktop.org/wayland/wayland/-/issues/224", "tags": ["Exploit", "Issue Tracking", "Patch", "Third Party Advisory"], "source": "secalert@redhat.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-190"}]}, {"type": "Secondary", "source": "secalert@redhat.com", "description": [{"lang": "en", "value": "CWE-190"}]}], "descriptions": [{"lang": "en", "value": "An internal reference count is held on the buffer pool, incremented every time a new buffer is created from the pool. The reference count is maintained as an int; on LP64 systems this can cause the reference count to overflow if the client creates a large number of wl_shm buffer objects, or if it can coerce the server to create a large number of external references to the buffer storage. With the reference count overflowing, a use-after-free can be constructed on the wl_shm_pool tracking structure, where values may be incremented or decremented; it may also be possible to construct a limited oracle to leak 4 bytes of server-side memory to the attacking client at a time."}, {"lang": "es", "value": "Se mantiene un recuento interno de referencias en el pool de buffers, que es incrementado cada vez que es creado un nuevo buffer desde el pool. El recuento de referencias es mantenido como un int; en sistemas LP64 esto puede causar que el recuento de referencias sea desbordado si el cliente crea un gran n\u00famero de objetos de b\u00fafer wl_shm, o si puede coaccionar al servidor para que cree un gran n\u00famero de referencias externas al almacenamiento de b\u00faferes. Con el recuento de referencias desbordado, puede construirse un uso de memoria previamente liberada en la estructura de seguimiento de wl_shm_pool, donde los valores pueden ser incrementados o disminuidos; tambi\u00e9n puede ser posible construir un or\u00e1culo limitado para filtrar 4 bytes de memoria del lado del servidor al cliente atacante a la vez."}], "lastModified": "2023-11-07T03:38:15.833", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:wayland:wayland:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DC4B9E35-B657-4E88-B131-E135C0E7F762", "versionEndExcluding": "1.20.91"}], "operator": "OR"}]}], "sourceIdentifier": "secalert@redhat.com"}