Home > Vulnerability Database > CVE-2021-4037

Mend.io Vulnerability Database

CVE-2021-4037

Date: August 24, 2022

A vulnerability was found in the fs/inode.c:inode_init_owner() function logic of the LInux kernel that allows local users to create files for the XFS file-system with an unintended group ownership and with group execution and SGID permission bits set, in a scenario where a directory is SGID and belongs to a certain group and is writable by a user who is not a member of this group. This can lead to excessive permissions granted in case when they should not. This vulnerability is similar to the previous CVE-2018-13405 and adds the missed fix for the XFS.

Severity Score

7.8

Related Resources (11)

Url: https://people.canonical.com/~ubuntu-security/cve/CVE-2021-4037

Url: https://www.debian.org/security/2022/dsa-5257

Url: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0fa3ecd87848

Url: https://nvd.nist.gov/vuln/detail/CVE-2021-4037

Url: https://bugzilla.redhat.com/show_bug.cgi?id=2027239

Url: https://bugzilla.redhat.com/show_bug.cgi?id=2004810

Url: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=01ea173e103e

Url: https://access.redhat.com/security/cve/CVE-2021-4037

Url: https://security-tracker.debian.org/tracker/CVE-2021-4037

Url: https://lists.debian.org/debian-lts-announce/2022/11/msg00001.html

Url: https://www.mend.io/vulnerability-database/CVE-2021-4037

Severity Score

7.8

Weakness Type (CWE)

Improper Access Control

CWE-284

CVSS v3.1

Base Score:	7.8
Attack Vector (AV):	LOCAL
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2021-4037

Date: August 24, 2022

Severity Score

Related Resources (11)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?