CVE-2021-33910
Published on: 07/20/2021 12:00:00 AM UTC
Last Modified on: 06/14/2022 11:15:00 AM UTC
Certain versions of Debian Linux from Debian contain the following vulnerability:
basic/unit-name.c in systemd prior to 246.15, 247.8, 248.5, and 249.1 has a Memory Allocation with an Excessive Size Value (involving strdupa and alloca for a pathname controlled by a local attacker) that results in an operating system crash.
- CVE-2021-33910 has been assigned by
[email protected] to track the vulnerability - currently rated as MEDIUM severity.
CVSS3 Score: 5.5 - MEDIUM
| Attack Vector ⓘ |
Attack Complexity |
Privileges Required |
User Interaction |
|---|---|---|---|
| LOCAL | LOW | LOW | NONE |
| Scope | Confidentiality Impact |
Integrity Impact |
Availability Impact |
| UNCHANGED | NONE | NONE | HIGH |
CVSS2 Score: 4.9 - MEDIUM
| Access Vector ⓘ |
Access Complexity |
Authentication |
|---|---|---|
| LOCAL | LOW | NONE |
| Confidentiality Impact |
Integrity Impact |
Availability Impact |
| NONE | NONE | COMPLETE |
CVE References
| Description | Tags ⓘ | Link |
|---|---|---|
| CVE-2021-33910 Systemd Vulnerability in NetApp Products | NetApp Product Security | security.netapp.com text/html |
CONFIRM security.netapp.com/advisory/ntap-20211104-0008/ |
| Sequoia: A Deep Root In Linux's Filesystem Layer ≈ Packet Storm | packetstormsecurity.com text/html |
MISC packetstormsecurity.com/files/163621/Sequoia-A-Deep-Root-In-Linuxs-Filesystem-Layer.html |
| basic/unit-name: do not use strdupa() on a path · systemd/[email protected] · GitHub | github.com text/html |
MISC github.com/systemd/systemd-stable/commit/b00674347337b7531c92fdb65590ab253bb57538 |
| Debian -- Security Information -- DSA-4942-1 systemd | www.debian.org Depreciated Link text/html |
DEBIAN DSA-4942 |
| basic/unit-name: do not use strdupa() on a path · systemd/[email protected] · GitHub | github.com text/html |
MISC github.com/systemd/systemd-stable/commit/cfd14c65374027b34dbbc4f0551456c5dc2d1f61 |
| oss-security - Re: Pop!_OS Membership to linux-distros list | www.openwall.com text/html |
MLIST [oss-security] 20210907 Re: Pop!_OS Membership to linux-distros list |
| basic/unit-name: do not use strdupa() on a path by keszybz · Pull Request #20256 · systemd/systemd · GitHub | github.com text/html |
MISC github.com/systemd/systemd/pull/20256/commits/441e0115646d54f080e5c3bb0ba477c892861ab9 |
| Releases · systemd/systemd · GitHub | github.com text/html |
MISC github.com/systemd/systemd/releases |
| basic/unit-name: do not use strdupa() on a path · systemd/[email protected] · GitHub | github.com text/html |
MISC github.com/systemd/systemd-stable/commit/4a1c5f34bd3e1daed4490e9d97918e504d19733b |
| Merge pull request #20256 from keszybz/one-alloca-too-many · systemd/[email protected] · GitHub | github.com text/html |
MISC github.com/systemd/systemd/commit/b34a4f0e6729de292cb3b0c03c1d48f246ad896b |
| cert-portal.siemens.com application/pdf |
CONFIRM cert-portal.siemens.com/productcert/pdf/ssa-222547.pdf | |
| [SECURITY] Fedora 34 Update: systemd-248.5-1.fc34 - package-announce - Fedora Mailing-Lists | lists.fedoraproject.org text/html |
FEDORA FEDORA-2021-2a6ba64260 |
| oss-security - Re: Pop!_OS Membership to linux-distros list | www.openwall.com text/html |
MLIST [oss-security] 20210817 Re: Pop!_OS Membership to linux-distros list |
| No Description Provided | lists.fedoraproject.org Inactive LinkNot Archived |
FEDORA FEDORA-2021-166e461c8d |
| oss-security - Re: Pop!_OS Membership to linux-distros list | www.openwall.com text/html |
MLIST [oss-security] 20210804 Re: Pop!_OS Membership to linux-distros list |
| oss-security - CVE-2021-33910: Denial of service (stack exhaustion) in systemd (PID 1) | www.openwall.com text/html |
MISC www.openwall.com/lists/oss-security/2021/07/20/2 |
| systemd: Multiple vulnerabilities (GLSA 202107-48) — Gentoo security | security.gentoo.org text/html |
GENTOO GLSA-202107-48 |
| basic/unit-name: do not use strdupa() on a path · systemd/[email protected] · GitHub | github.com text/html |
MISC github.com/systemd/systemd-stable/commit/764b74113e36ac5219a4b82a05f311b5a92136ce |
Related QID Numbers
- 159309 Oracle Enterprise Linux Security Update for systemd (ELSA-2021-2717)
- 178709 Debian Security Update for systemd (DSA 4942-1)
- 178711 Debian Security Update for systemd (DLA 2715-1)
- 179870 Debian Security Update for systemd (CVE-2021-33910)
- 198434 Ubuntu Security Notification for systemd vulnerabilities (USN-5013-1)
- 239496 Red Hat Update for systemd (RHSA-2021:2724)
- 239499 Red Hat Update for systemd (RHSA-2021:2721)
- 239503 Red Hat Update for systemd (RHSA-2021:2717)
- 239520 Red Hat Update for OpenShift Container Platform 4.7.21 (RHSA-2021:2763)
- 281733 Fedora Security Update for systemd (FEDORA-2021-2a6ba64260)
- 281739 Fedora Security Update for systemd (FEDORA-2021-166e461c8d)
- 375711 Linux systemd Denial of Service Vulnerability
- 590976 Siemens SCALANCE LPE9403 Third-Party Multiple Vulnerabilities (ICSA-22-167-09) (SSA-222547)
- 670729 EulerOS Security Update for systemd (EulerOS-SA-2021-2487)
- 670821 EulerOS Security Update for systemd (EulerOS-SA-2021-2700)
- 670837 EulerOS Security Update for systemd (EulerOS-SA-2021-2725)
- 710021 Gentoo Linux systemd Multiple vulnerabilities (GLSA 202107-48)
- 750843 SUSE Enterprise Linux Security Update for systemd (SUSE-SU-2021:2405-1)
- 750845 OpenSUSE Security Update for the systemd (openSUSE-SU-2021:2404-1)
- 750846 OpenSUSE Security Update for the systemd (openSUSE-SU-2021:2410-1)
- 750865 SUSE Enterprise Linux Security Update for systemd (SUSE-SU-2021:2423-1)
- 750892 OpenSUSE Security Update for systemd (openSUSE-SU-2021:1082-1)
- 751002 OpenSUSE Security Update for systemd (openSUSE-SU-2021:2809-1)
- 751220 OpenSUSE Security Update for systemd (openSUSE-SU-2021:3348-1)
- 751244 OpenSUSE Security Update for systemd (openSUSE-SU-2021:1370-1)
- 751324 SUSE Enterprise Linux Security Update for systemd (SUSE-SU-2021:3611-1)
- 900239 CBL-Mariner Linux Security Update for systemd 239
- 903616 Common Base Linux Mariner (CBL-Mariner) Security Update for systemd (4642)
- 940289 AlmaLinux Security Update for systemd (ALSA-2021:2717)
- 960011 Rocky Linux Security Update for systemd (RLSA-2021:2717)
Known Affected Configurations (CPE V2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Operating System | Debian | Debian Linux | 10.0 | All | All | All |
| Operating System | Fedoraproject | Fedora | 33 | All | All | All |
| Operating System | Fedoraproject | Fedora | 34 | All | All | All |
| Application | Freedesktop | Systemd | All | All | All | All |
| Application | Netapp | Hci Management Node | - | All | All | All |
| Application | Netapp | Solidfire | - | All | All | All |
| Application | Systemd Project | Systemd | All | All | All | All |
- cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*:
- cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*:
- cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*:
- cpe:2.3:a:freedesktop:systemd:*:*:*:*:*:*:*:*:
- cpe:2.3:a:netapp:hci_management_node:-:*:*:*:*:*:*:*:
- cpe:2.3:a:netapp:solidfire:-:*:*:*:*:*:*:*:
- cpe:2.3:a:systemd_project:systemd:*:*:*:*:*:*:*:*:
No vendor comments have been submitted for this CVE
Social Mentions
| Source | Title | Posted (UTC) |
|---|---|---|
 @shah_sheikh |
CVE-2021-33910: Denial of Service (Stack Exhaustion) in systemd (PID 1): The Qualys Research Team has discovered a… twitter.com/i/web/status/1… | 2021-07-20 12:59:37 |
| @netsecu |
blog.qualys.com/vulnerabilitie… CVE-2021-33910: Denial of Service (Stack Exhaustion) in systemd (PID 1) | Qualys Security Blog #cybersecurity | 2021-07-20 13:47:09 |
| @slpnix |
"RHSB-2021-006 Long path name in mountpoint flaws in the kernel and systemd (CVE-2021-33909, CVE-2021-33910)" access.redhat.com/security/vulne… | 2021-07-20 14:42:35 |
| @laurentbercot |
? And another one down, and another one down, another one bites the dust ? #systemd qualys.com/2021/07/20/cve… | 2021-07-20 14:51:29 |
| @qualys |
CVE-2021-33910: Denial of Service (Stack Exhaustion) in systemd (PID 1): Any unprivileged user can exploit this vul… twitter.com/i/web/status/1… | 2021-07-20 15:12:10 |
| @omokazuki |
SIOSセキュリティブログを更新しました。 QualysによるLinux Kernelの脆弱性(Important: CVE-2021-33909)とSystemdの脆弱性(CVE-2021-33910)に関するアドバイザリ… twitter.com/i/web/status/1… | 2021-07-20 17:02:00 |
| @Julian_Wampfler |
ah yes, another systemd vulnerability CVE-2021-33910: Denial of service (stack exhaustion) in systemd (PID 1) qualys.com/2021/07/20/cve… | 2021-07-20 17:27:09 |
| @pozdnychev |
Qualys Security Advisory: DoS (CVE-2021-33910) by stack exhaustion in systemd (PID 1), thanks to a user-controlled… twitter.com/i/web/status/1… | 2021-07-20 17:33:56 |
| @roarinpenguin |
CVE-2021-33910: don't wait... Saturday night with #systemd in the spot, don't believe just #patch! come on!… twitter.com/i/web/status/1… | 2021-07-20 17:35:06 |
| @w4yh |
緩和策の記述が心許ない // QualysによるLinux Kernelの脆弱性(Important: CVE-2021-33909)とSystemdの脆弱性(CVE-2021-33910)に関するアドバイザリ -… twitter.com/i/web/status/1… | 2021-07-20 17:53:41 |
| @w4yh |
RHSB-2021-006 Long path name in mountpoint flaws in the kernel and systemd (CVE-2021-33909, CVE-2021-33910) - Red H… twitter.com/i/web/status/1… | 2021-07-20 17:56:31 |
| @Knoblauchkeks |
CVE-2021-33910, is that the future everyone always says I should embrace? alloca() deserves to be forbidden anyway… twitter.com/i/web/status/1… | 2021-07-20 18:07:55 |
| @ubernauten |
Nach erster Sichtung sind wir für CVE-2021-33909 und CVE-2021-33910 nicht anfällig weil es bei uns kein FUSE gibt:… twitter.com/i/web/status/1… | 2021-07-20 18:42:09 |
| @null_usernames |
CVE-2021-33910 آسیب پذیری جدید لینوکسی که روی تمام توزیع های لینوکسی قابل اجراست. هر کاربر غیر root می تونه با است… twitter.com/i/web/status/1… | 2021-07-20 18:53:56 |
| @CVEreport |
CVE-2021-33910 : basic/unit-name.c in systemd 220 through 248 has a Memory Allocation with an Excessive Size Value… twitter.com/i/web/status/1… | 2021-07-20 19:04:30 |
| @sergeybratus |
So a parser bug in systemd will crash Linux blog.qualys.com/vulnerabilitie… . Classic insecurity pattern: put ad hoc parser… twitter.com/i/web/status/1… | 2021-07-20 19:12:47 |
| @LordKarma42 |
CVE-2021-33910: Denial of Service (Stack Exhaustion) in systemd (PID 1) | Qualys Security Blog blog.qualys.com/vulnerabilitie… | 2021-07-20 19:43:01 |
| @Webimprints |
#Cibersegruidad #infosec #seguridad #security CVE-2021-33910: una vulnerabilidad muy crítica de escalada de privile… twitter.com/i/web/status/1… | 2021-07-20 21:31:31 |
| @AcooEdi |
CVE-2021-33910: una vulnerabilidad muy crítica de escalada de privilegios en todas las distribuciones Linux… twitter.com/i/web/status/1… | 2021-07-20 21:33:03 |
| @matsuu_zatsu |
QualysによるLinux Kernelの脆弱性(Important: CVE-2021-33909)とSystemdの脆弱性(CVE-2021-33910)に関するアドバイザリ security.sios.com/vulnerability/… | 2021-07-20 22:15:35 |
| @PCTuning_OW |
CVE-2021-33910: "This attack causes systemd, the services it manages, and the entire system to crash and stop respo… twitter.com/i/web/status/1… | 2021-07-20 22:26:06 |
| @torsity_intel |
CVE-2021-33910: una vulnerabilidad muy crítica de escalada de privilegios en todas las distribuciones Linux noticiasseguridad.com/vulnerabilidad… | 2021-07-20 22:29:44 |
| @encthenet |
Write up on the systemd DoS: blog.qualys.com/vulnerabilitie… twitter.com/encthenet/stat… | 2021-07-21 01:24:49 |
| @LavandeiraSyst |
CVE-2021-33910: una vulnerabilidad muy crítica de escalada de privilegios en todas las distribuciones Linux noticiasseguridad.com/vulnerabilidad… | 2021-07-21 01:33:03 |
| @ohhara_shiojiri |
「「CVE-2021-33909」の調査を行う過程で「systemd」に関するサービス拒否の脆弱性「CVE-2021-33910」についても発見したとしてあわせて公表している。」 | 2021-07-21 02:46:43 |
| @ConceptoNET |
CVE-2021-33910: una vulnerabilidad muy crítica de escalada de privilegios en todas las distribuciones Linux noticiasseguridad.com/vulnerabilidad… | 2021-07-21 03:06:36 |
| @zakame |
blog.qualys.com/vulnerabilitie…... plurk.com/p/oh219e | 2021-07-21 03:49:40 |
| @rkx73 |
#CVE-2021-33910 Vulnerabilidad de escalada de #privilegios en todas las distribuciones #Linux noticiasseguridad.com/vulnerabilidad… | 2021-07-21 04:37:28 |
| @LordKarma42 |
CVE-2021-33910: Denial of Service (Stack Exhaustion) in systemd (PID 1) | Qualys Security Blog blog.qualys.com/vulnerabilitie… | 2021-07-21 05:52:42 |
| @TheHackersNews |
Separately, Qualys also disclosed a stack exhaustion denial-of-service #vulnerability in systemd (CVE-2021-33910) t… twitter.com/i/web/status/1… | 2021-07-21 06:53:47 |
| @trip_elix |
"Separately, Qualys also disclosed a stack exhaustion denial-of-service #vulnerability in systemd (CVE-2021-33910)… twitter.com/i/web/status/1… | 2021-07-21 06:57:37 |
| @Kevitivity |
blog.qualys.com/vulnerabilitie… | 2021-07-21 08:02:26 |
| @ipssignatures |
I know no IPS that has a protection/signature/rule for the vulnerability CVE-2021-33910. The vuln was published 0 d… twitter.com/i/web/status/1… | 2021-07-21 09:04:01 |
| @ipssignatures |
The vuln CVE-2021-33910 has a tweet created 0 days ago and retweeted 15 times. twitter.com/TheHackersNews… #Srmwnw7dtlmx2w | 2021-07-21 09:04:02 |
| @rshift |
Denial of service in systemd: blog.qualys.com/vulnerabilitie… | 2021-07-21 11:54:59 |
| @ASI_Auditores |
CVE-2021-33910: una vulnerabilidad muy crítica de escalada de privilegios en todas las distribuciones Linux buff.ly/3iu78Tt | 2021-07-21 12:00:26 |
| @caseybecking |
This does not look good :( blog.qualys.com/vulnerabilitie… | 2021-07-21 12:18:42 |
| @hunleyd |
CVE-2021-33910: Denial of Service (Stack Exhaustion) in systemd (PID 1) | Qualys Security Blog… twitter.com/i/web/status/1… | 2021-07-21 13:46:46 |
| @jedisct1 |
CVE-2021-33910: Denial of service (stack exhaustion) in systemd (PID 1) qualys.com/2021/07/20/cve… | 2021-07-21 15:33:35 |
| @leconnarddufond |
Following #CVE-2021-33910, @pid_eins shall really learn about... StackOverflow. #systemd #initfreedom Enjoy Debian… twitter.com/i/web/status/1… | 2021-07-21 16:24:10 |
| @watrcoolr |
Nasty Linux Systemd Security Bug Revealed blog.qualys.com/vulnerabilitie… | 2021-07-21 19:00:24 |
| @iHackeo |
CVE-2021-33910: una vulnerabilidad muy crítica de escalada de privilegios en todas las distribuciones Linux dlvr.it/S49QnN | 2021-07-21 19:22:36 |
| @FedoraCoreOS |
New security updates rolling out for CVE-2021-33909 and CVE-2021-33910: - 34.20210626.3.2 -> stable (tomorrow) - 3… twitter.com/i/web/status/1… | 2021-07-21 19:24:23 |
| @garcesvarela |
CVE-2021-33910: UNA VULNERABILIDAD MUY CRÍTICA DE ESCALADA DE PRIVILEGIOS EN TODAS LAS DISTRIBUCIONES LINUX lnkd.in/dpSXWTN | 2021-07-21 19:29:12 |
| @zoro_vega |
CVE-2021-33910: una vulnerabilidad muy crítica de escalada de privilegios en todas las distribuciones Linux noticiasseguridad.com/vulnerabilidad… | 2021-07-21 19:37:13 |
| @ipssignatures |
The vuln CVE-2021-33910 has a tweet created 0 days ago and retweeted 10 times. twitter.com/ciberconsejo/s… #pow1rtrtwwcve | 2021-07-21 21:06:00 |
| @ipssignatures |
The vuln CVE-2021-33910 has a tweet created 1 days ago and retweeted 11 times. twitter.com/0xdea/status/1… #pow1rtrtwwcve | 2021-07-22 07:06:01 |
| @tecnoideas20 |
BUFF!!!!! CVE-2021-33910: una vulnerabilidad muy crítica de escalada de privilegios en todas las distribuciones… twitter.com/i/web/status/1… | 2021-07-22 07:18:52 |
| @admonaut |
#Schwachstelle in #Systemd betrifft viele #Linux Distributionen CVE-2021-33910 administrator.de/knowledge/schw… | 2021-07-22 11:01:34 |
| @admonaut |
#Vulnerability in #Systemd affects many #Linux distributions CVE-2021-33910 administrator.pro/knowledge/vuln… | 2021-07-22 11:09:59 |
| @masedinet |
@nixcraft It'll not good, if you don't patch your distros now CVE-2021-33910 CVE-2021-33909 | 2021-07-22 11:48:25 |
| @UncannyStatic |
#Systemd, delivering you the best #CVEs in PID 1 since 2010. blog.qualys.com/vulnerabilitie… | 2021-07-22 12:15:43 |
| @judsonlester |
I love the opening to qualys.com/2021/07/20/cve… - there's a kind of charming childlike wonder of security researchers… twitter.com/i/web/status/1… | 2021-07-22 16:12:37 |
 /r/devopsish |
RHSB-2021-006 Long path name in mountpoint flaws in the kernel and systemd (CVE-2021-33909, CVE-2021-33910) - Red Hat Customer Portal | 2021-07-20 17:43:14 |
| /r/netcve |
CVE-2021-33910 | 2021-07-20 19:40:34 |
| /r/copypasta |
systemdシステムディ | 2021-08-28 09:35:03 |
| /r/BigOSsucks |
true | 2021-09-15 19:43:11 |
| /r/LinuxCirclejerk |
systemdシステムディ | 2022-07-30 17:32:39 |