CVE-2021-20265 Overview
A flaw was found in the way memory resources were freed in the unix_stream_recvmsg function in the Linux kernel when a signal was pending. This vulnerability allows an unprivileged local user to crash the system by exhausting available memory, resulting in a denial of service condition. The highest threat from this vulnerability is to system availability.
Critical Impact
Local unprivileged users can cause system-wide denial of service by exploiting improper memory handling in Unix domain socket operations, leading to complete memory exhaustion and system crashes.
Affected Products
- Linux Linux Kernel
- Oracle Tekelec Platform Distribution
Discovery Timeline
- 2021-03-10 - CVE CVE-2021-20265 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-20265
Vulnerability Analysis
The vulnerability exists within the unix_stream_recvmsg function of the Linux kernel's Unix domain socket implementation. When a signal is pending during the receive operation, the function fails to properly release allocated memory resources. This improper memory management creates a condition where memory can be gradually exhausted through repeated operations.
The flaw is classified under CWE-400 (Uncontrolled Resource Consumption) and CWE-401 (Missing Release of Memory after Effective Lifetime). An attacker with local access and low privileges can exploit this vulnerability without any user interaction required. The impact is limited to availability, with no effect on confidentiality or integrity of the system.
Root Cause
The root cause of this vulnerability is a memory leak condition in the Unix domain socket stream receiving code path. When a signal interrupts the unix_stream_recvmsg function, the allocated memory buffers are not properly freed before the function returns. This missing cleanup step results in orphaned memory allocations that accumulate over time.
The kernel commit fa0dc04df259ba2df3ce1920e9690c7842f8fa4b addresses this issue by ensuring proper memory deallocation occurs regardless of whether a signal is pending during the receive operation.
Attack Vector
The attack vector requires local access to the target system. An unprivileged attacker can exploit this vulnerability by performing Unix domain socket operations in a manner that triggers the memory leak condition. The attack involves:
- Creating Unix domain stream sockets
- Initiating receive operations while signals are pending
- Repeating the process to gradually exhaust system memory
- Eventually causing the system to become unresponsive or crash due to out-of-memory conditions
The exploitation does not require any special privileges beyond basic user access, making it accessible to any authenticated local user on vulnerable systems.
Detection Methods for CVE-2021-20265
Indicators of Compromise
- Unusual memory consumption patterns on Linux systems without corresponding legitimate workload increases
- System logs indicating out-of-memory (OOM) killer activation without identifiable memory-intensive applications
- Repeated Unix domain socket operations from unprivileged user accounts
- System instability or crashes preceded by gradual memory depletion
Detection Strategies
- Monitor system memory usage trends and alert on abnormal consumption patterns that cannot be attributed to legitimate processes
- Implement kernel-level auditing to track Unix domain socket recvmsg operations, particularly from non-root users
- Deploy memory leak detection tools to identify processes that consistently fail to release allocated memory
- Review system logs for OOM killer events and correlate with user activity during those timeframes
Monitoring Recommendations
- Configure memory usage alerts to trigger when available system memory drops below defined thresholds
- Enable kernel auditing for socket system calls to maintain visibility into Unix domain socket activity
- Monitor for unusual patterns of signal delivery during socket operations
- Implement process-level memory accounting to identify which processes are consuming excessive memory
How to Mitigate CVE-2021-20265
Immediate Actions Required
- Apply the kernel patch referenced in commit fa0dc04df259ba2df3ce1920e9690c7842f8fa4b to affected Linux systems
- Update to patched kernel versions as provided by your Linux distribution vendor
- For Oracle Tekelec Platform Distribution users, apply patches referenced in the Oracle Security Alert October 2021
- Prioritize patching on multi-user systems where unprivileged local users have shell access
Patch Information
The vulnerability has been addressed in the upstream Linux kernel. The fix is available in the kernel git repository at commit fa0dc04df259ba2df3ce1920e9690c7842f8fa4b. System administrators should check with their distribution vendor for backported patches applicable to their specific kernel version.
Additional information is available in the Red Hat Bug Report #1908827 and the Oracle Security Alert October 2021 for affected Oracle products.
Workarounds
- Restrict local shell access to trusted users only until patches can be applied
- Implement memory resource limits (cgroups/ulimits) for non-privileged user sessions to contain potential exploitation impact
- Monitor system memory closely and configure automatic alerts for unusual consumption patterns
- Consider isolating critical workloads on dedicated systems with restricted user access
# Configuration example - Set memory limits for user sessions using cgroups
# Create a memory-limited cgroup for unprivileged users
sudo cgcreate -g memory:/limited_users
sudo cgset -r memory.limit_in_bytes=2G limited_users
# Apply ulimit restrictions in /etc/security/limits.conf
# Add the following lines to limit memory for users:
# @users hard as 2097152
# @users hard memlock 65536
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
