CVE-2021-36084

Published: Jul 1, 2021Modified: Nov 3, 2025

3.3

Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

Exploitability: 1.8 / Impact: 1.4

Source: NVD

Description

The CIL compiler in SELinux 3.2 has a use-after-free in __cil_verify_classperms (called from __cil_verify_classpermission and __cil_pre_verify_helper).

Affected (2)

Products: Selinux Project: Selinux · Fedoraproject: Fedora

1 product

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Selinux Project Selinux	Version 3.2

Configuration B

1 vulnerable

Vulnerable Software	Affected Versions
Fedoraproject Fedora	Version 35

Related CWEs

CWE-416

Use After Free

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

References (10)

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=31065

Source: cve@mitre.org

ExploitIssue TrackingPatchThird Party Advisory

https://github.com/SELinuxProject/selinux/commit/f34d3d30c8325e4847a6b696fe7a3936a8a361f3

Source: cve@mitre.org

PatchThird Party Advisory

https://github.com/google/oss-fuzz-vulns/blob/main/vulns/selinux/OSV-2021-417.yaml

Source: cve@mitre.org

Third Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/U7ZYR3PIJ75N6U2IONJWCKZ5L2NKJTGR/

Source: cve@mitre.org

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=31065