CVE-2021-4440: A Linux CNA Case Study


This blog serves as a case study into how the newly-formed Linux CNA (CVE Numbering Authority) has affected Linux kernel vulnerability management, through the mishandling of a vulnerability we reported this year in the upstream 5.10 LTS kernel.

It was fixed in the way I recommended in my report; however, the choice of doing it in a single commit, reusing a cherry-pick of the USERGS_SYSRET64 macro removal from 2021, had an extensive impact on the information automatically generated for the CVE by the Linux CNA, as we'll discuss in much more detail later. If one were providing summary information of CVEs assigned by the new Linux CNA, or performing a merely cursory analysis, it would be easy either to overlook these numerous errors or to simply ascribe them to one-off mistakes. Despite existing for a little over four months and in that time assigning over 2000 CVEs at a faster rate than any other CNA in existence, the harm it has single-handedly caused to the CVE ecosystem hasn't been fully appreciated yet by the public and is mostly relegated to security teams of downstream distributions, vulnerability management companies, and end-users who recently noticed that their previously informative distribution security advisories had been replaced with auto-generated lists of hundreds of CVEs with minimal user-understandable or actionable information.
