Bug 2036682 (CVE-2021-4202) - CVE-2021-4202 kernel: Race condition in nci_request() leads to use after free while the device is getting removed
Summary: CVE-2021-4202 kernel: Race condition in nci_request() leads to use after free...
Status: NEW
Alias: CVE-2021-4202
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Nobody
QA Contact:
Depends On: 2038123
Blocks: 2036683 2038882
TreeView+ depends on / blocked
Reported: 2022-01-03 15:05 UTC by Pedro Sampaio
Modified: 2023-09-19 14:13 UTC (History)
43 users (show)

Fixed In Version: kernel 5.16 rc2
Doc Type: If docs needed, set a value
Doc Text:
A use-after-free flaw was found in nci_request in net/nfc/nci/core.c in NFC Controller Interface (NCI) in the Linux kernel. This flaw could allow a local attacker with user privileges to cause a data race problem while the device is getting removed, leading to a privilege escalation problem.
Clone Of:
Last Closed:

Attachments (Terms of Use)

Description Pedro Sampaio 2022-01-03 15:05:54 UTC
A flaw was found in the Linux kernel. Similar to the CVE-2021-35373, the nci_request() function in NFC NCI code also suffers from a data race. This race will allow __nci_request() to be awaken while the device is getting removed and cause UAF. The attacker can spray the released object to gain powerful primitive.

Upstream commit:


Comment 2 Rohit Keshri 2022-01-07 10:50:04 UTC
There was no shipped kernel version that was seen affected by this problem. These files are not built in our source code.

Comment 9 juneau 2022-01-07 12:51:58 UTC
Managed Services not affected.

Note You need to log in before you can comment on or make changes to this bug.