CVE-2021-36085 Overview
CVE-2021-36085 is a use-after-free vulnerability in the CIL (Common Intermediate Language) compiler that ships inside libsepol, the SELinux policy library, at version 3.2. The freed memory is touched in the __cil_verify_classperms function, reached from __verify_map_perm_classperms and hashtab_map during the verification pass that follows policy resolution. The result is a crash of whichever process is compiling a maliciously crafted CIL policy file, a denial of service.
Critical Impact
A local attacker with low privileges who can feed a crafted CIL policy to the compiler (secilc directly, or semodule through libsemanage) can trigger a use-after-free in libsepol and crash that compilation run. The impact is loss of availability of the policy build; the page identifies no confidentiality or integrity impact.
Affected Products
- SELinux Project SELinux 3.2
- Fedora Project Fedora 35
- Systems utilizing libsepol CIL compiler functionality
Discovery Timeline
- 2021-07-01 - CVE-2021-36085 published to NVD
- 2025-11-03 - Last updated in NVD database
Technical Details for CVE-2021-36085
Vulnerability Analysis
This vulnerability is classified as CWE-416 (Use After Free), a memory corruption flaw where a program continues to reference memory after it has been freed. In the context of the SELinux CIL compiler, the issue occurs during the verification of class permissions within the policy compilation process.
The vulnerable code path involves the __cil_verify_classperms function, which is invoked through the hash table mapping operations (hashtab_map) and permission verification routines (__verify_map_perm_classperms). When processing certain CIL policy configurations, the compiler improperly accesses memory that has already been deallocated, leading to undefined behavior.
The vulnerability requires local access to the system and the ability to provide input to the CIL compiler. While the impact is limited to availability (denial of service), the use-after-free class of vulnerabilities can sometimes be leveraged for more severe attacks in specific circumstances.
Root Cause
The root cause is an ownership mistake in the CIL AST reset code (libsepol/cil/src/cil_reset_ast.c). During resolution, nodes are appended to a map permission's classperms list, and each node's data pointer refers to a classperms object owned by the rule that supplied it. When the AST was reset, cil_reset_perm called cil_reset_classperms_list(perm->classperms), which reset the nodes in place and kept them attached to the map permission, while the owning rules released their objects as part of the same reset. On the next resolve and verify pass the kept nodes still pointed at the released objects, and __cil_verify_classperms dereferenced them. The fix replaces the call with cil_list_destroy(&perm->classperms, CIL_FALSE): the list nodes are freed and the field is cleared, while CIL_FALSE leaves the pointed-to objects alone because they are owned and freed elsewhere. Resolution then rebuilds the list from scratch on the next pass.
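To make the ownership problem concrete, here is a small C model written for this page. It is not libsepol's code: the type and function names only echo CIL's, and an `alive` flag stands in for the allocator so that touching a released object is reported deterministically instead of being undefined behaviour. It runs the resolve, reset, resolve-again, verify cycle twice, once with a reset that keeps the list nodes as the pre-fix code did and once with a reset that destroys them as the fix does, and shows that only the first leaves a node pointing at a released object.

```c
#include <stdio.h>
#include <stdlib.h>

/* Minimal model of the ownership bug behind CVE-2021-36085. Added illustration,
 * not libsepol code: names only echo CIL's. A map permission's classperms list
 * holds nodes whose data pointers belong to the rules that supplied them, so an
 * AST reset must drop the nodes (the fix) rather than keep them (the bug). */

/* Rule-owned object. 'alive' replaces the real allocator so that touching a
 * released object is detected deterministically instead of being undefined. */
struct classperms { const char *class_name; unsigned perms; int alive; };

struct list_item { struct classperms *data; struct list_item *next; };
struct list { struct list_item *head, *tail; };

struct map_perm { const char *name; struct list *classperms; };
struct classpermissionset_rule { struct classperms *cp; };   /* owns cp */

static struct classperms *new_cp(const char *cls, unsigned perms)
{
	struct classperms *cp = calloc(1, sizeof(*cp));
	cp->class_name = cls; cp->perms = perms; cp->alive = 1;
	return cp;
}

static void list_append(struct list *l, struct classperms *data)
{
	struct list_item *it = calloc(1, sizeof(*it));
	it->data = data;
	if (l->tail) l->tail->next = it; else l->head = it;
	l->tail = it;
}

/* Same shape as cil_list_destroy(list, destroy_data): free the nodes, free the
 * pointed-to data only when asked, and null the caller's pointer. */
static void list_destroy(struct list **l, int destroy_data)
{
	struct list_item *it, *next;
	if (*l == NULL) return;
	for (it = (*l)->head; it; it = next) {
		next = it->next;
		if (destroy_data) free(it->data);
		free(it);
	}
	free(*l);
	*l = NULL;
}

/* Resolution: the rule contributes its object to the map perm's list. */
static void resolve(struct map_perm *mp, struct classpermissionset_rule *rule)
{
	if (mp->classperms == NULL) mp->classperms = calloc(1, sizeof(struct list));
	list_append(mp->classperms, rule->cp);
}

/* Pre-fix behaviour: resetting in place leaves every node attached. */
static void reset_perm_vulnerable(struct map_perm *mp) { (void)mp; }

/* Post-fix behaviour: drop the nodes, keep the rule-owned data (destroy_data = 0). */
static void reset_perm_fixed(struct map_perm *mp) { list_destroy(&mp->classperms, 0); }

/* The rule releases its object on reset; in the real code this is a free(). */
static void reset_rule(struct classpermissionset_rule *rule)
{
	rule->cp->alive = 0;
	rule->cp = NULL;
}

/* Stand-in for __cil_verify_classperms: number of nodes walked, or -1 at the
 * first node whose data was already released (the use-after-free point). */
static int verify_classperms(const struct map_perm *mp)
{
	const struct list_item *it;
	int n = 0;
	if (mp->classperms == NULL) return 0;
	for (it = mp->classperms->head; it; it = it->next) {
		if (!it->data->alive) return -1;
		n++;
	}
	return n;
}

/* resolve -> reset -> resolve again -> verify, using the given reset routine. */
static int run_cycle(void (*reset_perm)(struct map_perm *))
{
	struct map_perm mp = { "read_map", NULL };
	struct classpermissionset_rule rule = { new_cp("file", 0x1) };
	struct classperms *old = rule.cp;
	int result;

	resolve(&mp, &rule);              /* first pass */
	reset_perm(&mp);                  /* AST reset: bug keeps the node, fix drops it */
	reset_rule(&rule);                /* ... and the rule releases 'old' */
	rule.cp = new_cp("file", 0x1);
	resolve(&mp, &rule);              /* second pass appends a fresh node */
	result = verify_classperms(&mp);  /* -1 means a dangling node was walked */

	list_destroy(&mp.classperms, 0);
	free(old);
	free(rule.cp);
	return result;
}

int main(void)
{
	printf("vulnerable reset: verify -> %d\n", run_cycle(reset_perm_vulnerable));
	printf("fixed reset:      verify -> %d\n", run_cycle(reset_perm_fixed));
	return 0;
}
```

Build with cc -Wall -o cil_reset_model cil_reset_model.c; the vulnerable cycle returns -1 and the fixed one returns 1. A variant that calls free() in reset_rule instead of clearing the flag, built with -fsanitize=address, turns the -1 into an AddressSanitizer heap-use-after-free report, which is the form in which OSS-Fuzz reported the real bug.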
Attack Vector
The attack vector for CVE-2021-36085 requires local access with low privileges. An attacker must be able to provide malformed or specially crafted CIL policy input to the SELinux compiler. This could occur in scenarios where:
- Users have access to compile SELinux policies on shared systems
- Automated policy compilation processes accept user-controlled input
- Development or testing environments process untrusted CIL files
The flaw was found by automated fuzzing of the CIL compiler through Google's OSS-Fuzz project; the known trigger is a specially constructed CIL policy file rather than anything a normal policy build would produce.
// Security patch from libsepol/cil/src/cil_reset_ast.c
// Source: GitHub SELinux Commit 2d35fcc
static void cil_reset_perm(struct cil_perm *perm)
{
- cil_reset_classperms_list(perm->classperms);
+ cil_list_destroy(&perm->classperms, CIL_FALSE);
}
static inline void cil_reset_classperms(struct cil_classperms *cp)
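Review bot: passing &perm->classperms with CIL_FALSE changes the ownership contract of this field, not just how it is cleaned up, and that deserves a sentence in the commit message. The double-pointer argument means the callee nulls perm->classperms, and CIL_FALSE means the cil_classperms objects the nodes pointed to are left alone; the message should state that those objects are owned by the rules that populated the list (and released when those rules reset) and that the next resolve pass re-creates the list, so that a reader of perm->classperms between reset and resolve knows to expect NULL rather than an empty list.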
Detection Methods for CVE-2021-36085
Indicators of Compromise
- Unexpected crashes or segmentation faults in the secilc CIL compiler process
- Core dumps referencing __cil_verify_classperms, __verify_map_perm_classperms, or hashtab_map functions
- Abnormal termination of SELinux policy compilation jobs
- Memory access violation errors in libsepol library operations
Detection Strategies
- Monitor for abnormal process terminations involving SELinux compilation tools (secilc, semodule)
- Implement application crash monitoring for libsepol-dependent processes
- Review system logs for segmentation fault entries associated with policy management utilities
- Deploy runtime memory safety tools (AddressSanitizer, Valgrind) in development environments to detect use-after-free conditions
Monitoring Recommendations
- Enable core dump collection and analysis for SELinux-related processes
- Implement centralized logging for policy compilation activities
- Set up alerts for repeated crashes in policy compilation workflows
- Monitor for unusual patterns of CIL policy file submissions in multi-user environments
How to Mitigate CVE-2021-36085
Immediate Actions Required
- Upgrade libsepol to 3.3 or later, or to any build that contains commit 2d35fcc7e9e976a2346b1de20e54f8663e8a6cba
- Apply vendor-provided security patches for your Linux distribution
- Restrict access to CIL policy compilation functionality to trusted administrators only
- Review and validate any externally sourced CIL policy files before compilation
Patch Information
The vulnerability was addressed in the SELinux userspace repository by commit 2d35fcc7e9e976a2346b1de20e54f8663e8a6cba, first carried by the libsepol 3.3 release. The fix changes cil_reset_perm in libsepol/cil/src/cil_reset_ast.c to destroy the map permission's classperms list (cil_list_destroy with CIL_FALSE, so the list nodes are freed but the rule-owned data they point to is not) instead of resetting the nodes in place.
Distribution-specific patches are available:
Workarounds
- Limit CIL compiler access to trusted users and processes only
- Implement input validation and sandboxing for policy compilation in automated workflows
- Use SELinux module compilation in isolated environments when processing untrusted input
- Do not expect to turn the CIL compiler off: since SELinux userspace 2.4 the module store itself is CIL and semodule compiles it with libsepol, so every policy source handed to semodule or secilc reaches this code path
# Check the installed libsepol version; the fix is in libsepol 3.3 and later,
# or in a distribution build that backports commit 2d35fcc. secilc and
# semodule use the shared library, so updating libsepol covers both.
rpm -q libsepol                       # RHEL/Fedora
dpkg -l libsepol1 libsepol2           # Debian/Ubuntu (name depends on release:
                                      # libsepol1 on Debian 11, libsepol2 on Debian 12)
# Update to the patched version (RHEL/Fedora)
sudo dnf update libsepol
# Update to the patched version (Debian/Ubuntu; use libsepol2 where that is the package)
sudo apt update && sudo apt install --only-upgrade libsepol1
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.